37cba83708
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
devportal-offline / build-offline (push) Has been cancelled
3.2 KiB
3.2 KiB
Zastava Evidence Locker (schemas/kit)
Signed 2025-12-02 with Ed25519 key (pub base64url: mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc). Private key stored offline; all signatures use DSSEv1 pre-auth encoding.
Public key copy: docs/modules/zastava/kit/ed25519.pub.
Artefacts
schemas/observer_event.schema.json.dsse(payloadTypeapplication/vnd.stellaops.zastava.schema+json;name=observer_event;version=1)schemas/webhook_admission.schema.json.dsse(payloadTypeapplication/vnd.stellaops.zastava.schema+json;name=webhook_admission;version=1)thresholds.yaml.dsse(payloadTypeapplication/vnd.stellaops.zastava.thresholds+yaml;version=1)exports/observer_events.ndjson.dsse(payloadTypeapplication/vnd.stellaops.zastava.observer-events+ndjson;version=1)exports/webhook_admissions.ndjson.dsse(payloadTypeapplication/vnd.stellaops.zastava.webhook-admissions+ndjson;version=1)kit/zastava-kit.tzst.dsse(payloadTypeapplication/vnd.stellaops.zastava.kit+tzst;version=1)
Evidence Locker targets
evidence-locker/zastava/2025-12-02/observer_event.schema.json.dsseevidence-locker/zastava/2025-12-02/webhook_admission.schema.json.dsseevidence-locker/zastava/2025-12-02/thresholds.yaml.dsseevidence-locker/zastava/2025-12-02/observer_events.ndjson.dsseevidence-locker/zastava/2025-12-02/webhook_admissions.ndjson.dsseevidence-locker/zastava/2025-12-02/zastava-kit.tzstevidence-locker/zastava/2025-12-02/zastava-kit.tzst.dsseevidence-locker/zastava/2025-12-02/SHA256SUMS
Local staging: all files above are present under evidence-locker/zastava/2025-12-02/ in the repo root, ready for locker upload/mirroring.
CI delivery note
- Locker upload in CI requires a write credential (e.g.,
CI_EVIDENCE_LOCKER_TOKEN) with access to theevidence-locker/zastava/namespace. - If the secret is absent, perform a manual upload from the staged folder and record the locker URI in the sprint log.
Signing template (Python, ed25519)
python - <<'PY'
from pathlib import Path
from base64 import urlsafe_b64encode
import json
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.hazmat.primitives import serialization
priv = serialization.load_pem_private_key(Path('/tmp/zastava-ed25519.key').read_bytes(), password=None)
pub = priv.public_key().public_bytes(encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw)
keyid = urlsafe_b64encode(pub).decode().rstrip('=')
pt = '<payload-type>'
payload = Path('<file-to-sign>').read_bytes()
pae = b' '.join([b'DSSEv1', str(len(pt)).encode(), pt.encode(), str(len(payload)).encode(), payload])
sig = priv.sign(pae)
env = {
'payloadType': pt,
'payload': urlsafe_b64encode(payload).decode().rstrip('='),
'signatures': [{'keyid': keyid, 'sig': urlsafe_b64encode(sig).decode().rstrip('=')}],
}
Path('<file-to-sign>.dsse').write_text(json.dumps(env, indent=2, sort_keys=True) + '\n')
print('signed', '<file-to-sign>', 'with keyid', keyid)
PY
Post-sign checklist
- Run
kit/verify.shto validate hashes + DSSE. - Upload artefacts + DSSEs + SHA256SUMS to the Evidence Locker paths above.
- Record URIs in sprint 0144 Decisions & Risks and mark ZASTAVA-SCHEMAS-0001 / ZASTAVA-THRESHOLDS-0001 / ZASTAVA-KIT-0001 as DONE.