git.stella-ops.org/docs/airgap/runbooks/import-verify.md
StellaOps Bot 37cba83708
up
2025-12-03 00:10:19 +02:00

# Offline Kit Import Verification Runbook
This runbook supports AIRGAP-MANIFEST-510-010/014. It validates bundle integrity before import, fully offline.
## Inputs
- Manifest: `offline-kit/manifest.json`
- Bundle archive: e.g., `offline-kit/bundle.tar.gz`
- Optional DSSE/JWS signature + public key for the manifest.
## Quick steps (offline)
```bash
src/AirGap/scripts/verify-manifest.sh offline-kit/manifest.json offline-kit/bundle.tar.gz \
offline-kit/manifest.sig offline-kit/manifest.pub.pem
```
What it does:
1. Computes SHA-256 of manifest and bundle, compares with `hashes.manifestSha256` and `hashes.bundleSha256`.
2. If signature + pubkey are provided, verifies the manifest signature with OpenSSL.
## Expected manifest fields
- `tools[]`, `feeds[]`, `policies[]` with SHA-256.
- `chunks[]` entries for every payload file (path, sha256, size, kind).
- `stalenessWindowHours` and `avScan` status.
- `hashes.manifestSha256` and `hashes.bundleSha256` must match the files on disk.
- Optional `signatures[]` (dsse/jws-detached) with `envelopeDigest`.
## Failure handling
- Hash mismatch → stop; regenerate bundle.
- Signature failure → stop; re-validate trust roots.
- Missing AV scan → treat as policy violation; rerun scans and update manifest.
## Outputs
- Exit 0 when all checks pass.
- Exit 25 for missing tools/hash/signature verification issues (see script).
## References
- Schema: `docs/airgap/manifest.schema.json`
- Sample: `docs/airgap/samples/offline-kit-manifest.sample.json`
- Script: `src/AirGap/scripts/verify-manifest.sh`