49922dff5a
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Risk Bundle CI / risk-bundle-build (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Risk Bundle CI / risk-bundle-offline-kit (push) Has been cancelled
Risk Bundle CI / publish-checksums (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
devportal-offline / build-offline (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
2.3 KiB
2.3 KiB
Mirror DSSE Revision — MIRROR-DSSE-REV-1501
Date: 2025-11-24 Owners: Mirror Creator Guild · Security Guild · Evidence Locker Guild Scope: Finalize DSSE layout and signing inputs for mirror bundles and time-anchor receipts used by Excititor/ExportCenter/CLI.
Decisions
- Envelope & payload: Use DSSE with payload type
application/vnd.stellaops.mirror+json;version=1. Payload contains deterministic manifest of mirror files (mirror.json) plusSHA256SUMSandSHA256SUMS.dssereferences. - Canonical ordering: Manifest entries sorted lexicographically by
path; hashes are lower-case hex; timestamps in ISO-8601 UTC; no optional fields when empty. - Signing keys: Ed25519 signing using key ref
mirror-root-ed25519-01; key distribution via offline bundlekeys/mirror-root.pub. Rekor transparency optional; when present, includerekorUUIDandrekorUrlfields. - Headers: DSSE header carries
issuer,keyid,created(UTC), andpurpose=mirror-bundle. Detached header file stored atmirror/metadata/mirror.dsse.jsonto allow verification without payload extraction. - Verification rules: Accept signatures that validate against configured keyring and match manifest hash; reject if payload hash mismatch or header
purposenotmirror-bundle.
Artefacts
- Sample manifest + DSSE:
out/mirror/thin/mirror-thin-m0-sample.tar.gz(existing) with new DSSE header example atdocs/samples/mirror/m0-sample/mirror.dsse.json(hash: TBD by pipeline). - Key reference:
docs/samples/mirror/mirror-root-ed25519-01.pub(fingerprint documented in manifest header).
Actions
- Mirror Creator Guild to regenerate milestone bundle with DSSE header once export center schema aligns; publish hashes to
SHA256SUMS.dsse. - Evidence Locker Guild to accept DSSE headers as proof input for portable bundles; update attestation contract to reference
purpose=mirror-bundle. - Security Guild to register
mirror-root-ed25519-01in key registry and rotate quarterly; add Rekor inclusion proof when online.
Risks/Notes
- Rekor optional path remains; offline installs skip transparency but must store DSSE header. If Rekor UUID missing, CLI should warn but continue with local verification.
- Pending alignment with Export Center manifest v1.1; track deltas in future update if schema changes.