git.stella-ops.org/docs/modules/zastava/kit (commit 2e70c9fdb6 by StellaOps Bot, 2025-12-14 18:33:02 +02:00)

Zastava Kit (offline bundle)

Contents

  • Schemas + DSSE: schemas/observer_event.schema.json(.dsse), schemas/webhook_admission.schema.json(.dsse).
  • Examples: schemas/examples/*.json (canonicalised, hashed).
  • Thresholds + DSSE: thresholds.yaml(.dsse).
  • Exports + DSSE: exports/observer_events.ndjson(.dsse), exports/webhook_admissions.ndjson(.dsse).
  • Verification assets: SHA256SUMS, kit/verify.sh, kit/ed25519.pub, schemas/README.md, evidence/README.md.

Build (deterministic)

From docs/modules/zastava:

tar --mtime @0 --owner 0 --group 0 --numeric-owner --sort=name \
  -cf - \
  SHA256SUMS schemas exports thresholds.yaml thresholds.yaml.dsse \
  schemas/examples schemas/README.md \
  schemas/observer_event.schema.json schemas/observer_event.schema.json.dsse \
  schemas/webhook_admission.schema.json schemas/webhook_admission.schema.json.dsse \
  exports/observer_events.ndjson exports/observer_events.ndjson.dsse \
  exports/webhook_admissions.ndjson exports/webhook_admissions.ndjson.dsse \
  evidence/README.md kit/README.md kit/verify.sh kit/ed25519.pub \
| zstd -19 --long=27 --no-progress > kit/zastava-kit.tzst
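The tar flags above are what make the bundle's digest reproducible. The following is an added example, not the kit's own tooling, that shows the effect with the standard library's tarfile: a constructed, placeholder file set is archived once with ordinary filesystem metadata (checkout time, local user) and once with the normalisation the build step imposes (mtime 0, numeric uid/gid 0, entries sorted by name). Only the normalised archives hash identically, which is the property the Evidence Locker relies on. The zstd stage is left out because it is not in the standard library; the file names and contents are stand-ins, not the real schemas or keys.

```python
import hashlib
import io
import tarfile

# Constructed stand-in for the kit's file set. Contents are placeholders,
# not the real schemas, thresholds or public key shipped in zastava-kit.tzst.
KIT_FILES = {
    "thresholds.yaml": b"admission:\n  max_critical: 0\n",
    "kit/ed25519.pub": b"<base64url-public-key-placeholder>\n",
    "schemas/observer_event.schema.json": b'{"$id": "observer_event"}\n',
    "SHA256SUMS": b"<checksums-placeholder>\n",
}


def build_tar(files, mtime_of, owner_of, sort_names=True):
    """Return an uncompressed tar archive as bytes.

    mtime_of(name) and owner_of(name) supply the per-entry metadata, so the
    same contents can be archived with "real" filesystem metadata or with
    the normalised values the README's tar flags impose.
    """
    buf = io.BytesIO()
    names = sorted(files) if sort_names else list(files)
    # USTAR format: no PAX extended headers, so only the fields set below
    # end up in the archive (tarfile default PAX headers could add more).
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            data = files[name]
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mode = 0o644
            info.mtime = mtime_of(name)
            info.uid, info.gid, info.uname, info.gname = owner_of(name)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def normalised_tar(files):
    """Archive `files` the way the build step does: --mtime @0,
    --owner 0 --group 0 --numeric-owner (empty user/group names),
    --sort=name."""
    return build_tar(files, mtime_of=lambda _n: 0,
                     owner_of=lambda _n: (0, 0, "", ""), sort_names=True)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def list_entries(archive):
    """(name, mtime, uid, gid) for every member, for inspection and tests."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        return [(m.name, m.mtime, m.uid, m.gid) for m in tar.getmembers()]


def demo():
    """Returns (naive_stable, normalised_stable)."""
    # Two builds of identical content on different machines: different
    # checkout times and different local users.
    build_a = build_tar(KIT_FILES, mtime_of=lambda _n: 1_700_000_000,
                        owner_of=lambda _n: (1000, 1000, "alice", "alice"))
    build_b = build_tar(KIT_FILES, mtime_of=lambda _n: 1_700_086_400,
                        owner_of=lambda _n: (501, 20, "bob", "staff"))
    naive_stable = sha256_hex(build_a) == sha256_hex(build_b)
    # Same content, normalised metadata, even with a different insertion
    # order: the digests agree, so a recorded checksum survives a rebuild.
    norm_a = normalised_tar(KIT_FILES)
    norm_b = normalised_tar(dict(reversed(list(KIT_FILES.items()))))
    normalised_stable = sha256_hex(norm_a) == sha256_hex(norm_b)
    return naive_stable, normalised_stable


if __name__ == "__main__":
    naive, normalised = demo()
    print("naive build reproducible:", naive)        # False
    print("normalised build reproducible:", normalised)  # True
```

`--sort=name` matters as much as the mtime and owner flags: without it the member order follows directory enumeration order, which differs between filesystems and produces a different archive digest from the same files.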

Sign the kit itself with the same Ed25519 key (base64url-encoded public key: mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc):

python - <<'PY'
from pathlib import Path
from base64 import urlsafe_b64encode
import json
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.hazmat.primitives import serialization

# Offline-held private key; only the derived public key is shipped with the kit.
priv = serialization.load_pem_private_key(Path('/tmp/zastava-ed25519.key').read_bytes(), password=None)
pub = priv.public_key().public_bytes(encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw)
# keyid is the base64url (unpadded) form of the raw 32-byte public key, matching kit/ed25519.pub.
keyid = urlsafe_b64encode(pub).decode().rstrip('=')
pt = 'application/vnd.stellaops.zastava.kit+tzst;version=1'
payload = Path('kit/zastava-kit.tzst').read_bytes()
# DSSE pre-authentication encoding: "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload.
# The signature covers this string, not the raw payload, so the payload type is bound to it.
pae = b' '.join([b'DSSEv1', str(len(pt)).encode(), pt.encode(), str(len(payload)).encode(), payload])
sig = priv.sign(pae)
# Envelope fields use unpadded base64url throughout; the verifier restores the padding.
env = {
    'payloadType': pt,
    'payload': urlsafe_b64encode(payload).decode().rstrip('='),
    'signatures': [{'keyid': keyid, 'sig': urlsafe_b64encode(sig).decode().rstrip('=')}],
}
Path('kit/zastava-kit.tzst.dsse').write_text(json.dumps(env, indent=2, sort_keys=True) + '\n')
print('wrote kit/zastava-kit.tzst.dsse with keyid', keyid)
PY

Verify

  1. Verify the kit DSSE before unpacking (optional but recommended) using the public key shipped alongside the kit (run from docs/modules/zastava):
cd docs/modules/zastava
python - <<'PY'
import base64, json
from pathlib import Path
from cryptography.hazmat.primitives.asymmetric import ed25519

root = Path('.')
# Shipped values are unpadded base64url; appending '==' restores enough padding for the decoder.
pub = base64.urlsafe_b64decode((root / 'kit' / 'ed25519.pub').read_text().strip() + '==')
env = json.loads((root / 'kit' / 'zastava-kit.tzst.dsse').read_text())
payload = (root / 'kit' / 'zastava-kit.tzst').read_bytes()
pt = env['payloadType'].encode()
# Rebuild the DSSE pre-authentication encoding exactly as the signer did.
pae = b' '.join([b'DSSEv1', str(len(pt)).encode(), pt, str(len(payload)).encode(), payload])
sig = base64.urlsafe_b64decode(env['signatures'][0]['sig'] + '==')
# verify() raises cryptography.exceptions.InvalidSignature on any mismatch.
ed25519.Ed25519PublicKey.from_public_bytes(pub).verify(sig, pae)
# The envelope also embeds the payload; confirm it is the same bytes as the file on disk.
decoded_payload = base64.urlsafe_b64decode(env['payload'] + '==')
assert decoded_payload == payload
print('OK: kit DSSE verified')
PY
  2. Extract and run offline validation of the inner artefacts:
zstd -d kit/zastava-kit.tzst -c | tar -xf -
./kit/verify.sh
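Both scripts above build the DSSE pre-authentication encoding by hand, and that framing is the part worth understanding: the signature covers the payload type and the byte lengths as well as the payload. The following is an added example, not the kit's own code, that packages the envelope handling into reusable functions and exercises the failure modes a verifier must reject: a kit file that differs from the signed bytes, an envelope whose payloadType was relabelled after signing, and a signature from a key that is not in the trusted set. It keeps the kit's unpadded base64url convention. So that it runs without third-party packages, HMAC-SHA256 with a constructed secret stands in for the Ed25519 sign/verify calls; the `sign_fn`/`verify_fn` hooks are where the `cryptography` calls from the scripts above would go.

```python
import base64
import hashlib
import hmac
import json

KIT_PAYLOAD_TYPE = "application/vnd.stellaops.zastava.kit+tzst;version=1"

# Constructed stand-in for the Ed25519 key pair: HMAC keyed with a demo
# secret. Not a real key; the keyid is likewise a placeholder label.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
DEMO_KEYID = "demo-hmac-key-1"


def demo_sign(message):
    return hmac.new(DEMO_SECRET, message, hashlib.sha256).digest()


def demo_verify(sig, message):
    return hmac.compare_digest(sig, demo_sign(message))


TRUSTED_KEYS = {DEMO_KEYID: demo_verify}   # keyid -> verify_fn(sig, message) -> bool


def b64url_encode(raw):
    """Unpadded base64url, as the kit's envelopes are written."""
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def b64url_decode(text):
    """Restore the padding the writer stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pae(payload_type, payload):
    """DSSE pre-authentication encoding, the bytes that are actually signed:
    "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload (ASCII decimals).
    Binding the type and lengths in prevents a signature made over one
    payload type from being replayed as another."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type,
                      str(len(payload)).encode(), payload])


def sign_envelope(payload, payload_type, keyid, sign_fn):
    sig = sign_fn(pae(payload_type.encode(), payload))
    return {"payloadType": payload_type,
            "payload": b64url_encode(payload),
            "signatures": [{"keyid": keyid, "sig": b64url_encode(sig)}]}


def verify_envelope(env, payload, expected_type, trusted_keys):
    """Check an envelope against the artefact read from disk.
    Returns the keyid that verified; raises ValueError on any failure.
    Signatures from keyids outside trusted_keys are ignored, never trusted."""
    if env.get("payloadType") != expected_type:
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    if b64url_decode(env["payload"]) != payload:
        raise ValueError("embedded payload does not match the file on disk")
    message = pae(expected_type.encode(), payload)
    for entry in env.get("signatures", []):
        verify_fn = trusted_keys.get(entry.get("keyid"))
        if verify_fn is not None and verify_fn(b64url_decode(entry["sig"]), message):
            return entry["keyid"]
    raise ValueError("no signature from a trusted key verified")


def rejects(env, payload, expected_type, trusted_keys):
    """True if verify_envelope refuses the envelope."""
    try:
        verify_envelope(env, payload, expected_type, trusted_keys)
    except ValueError:
        return True
    return False


def demo():
    payload = b"<constructed stand-in for the bytes of kit/zastava-kit.tzst>"
    # Round-trip through JSON, as the .dsse file on disk would be.
    env = json.loads(json.dumps(sign_envelope(payload, KIT_PAYLOAD_TYPE, DEMO_KEYID, demo_sign)))
    # A genuine signature over the same bytes but a different payload type,
    # then relabelled: the PAE differs, so the signature no longer verifies.
    other = sign_envelope(payload, "application/vnd.example.other;version=1", DEMO_KEYID, demo_sign)
    relabelled = dict(other, payloadType=KIT_PAYLOAD_TYPE)
    return {
        "genuine": verify_envelope(env, payload, KIT_PAYLOAD_TYPE, TRUSTED_KEYS),
        "tampered_file": rejects(env, payload + b"\x00", KIT_PAYLOAD_TYPE, TRUSTED_KEYS),
        "relabelled_type": rejects(relabelled, payload, KIT_PAYLOAD_TYPE, TRUSTED_KEYS),
        "unknown_key": rejects(env, payload, KIT_PAYLOAD_TYPE, {}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two checks this adds over the verify script above are cheap and worth keeping: pinning `payloadType` to the value the consumer expects, and selecting the verification key by `keyid` from a trusted set rather than taking `signatures[0]` on faith.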

Notes

  • Private signing key is held offline; only the public key is shipped.
  • All files are deterministic (mtime=0, numeric owners) to keep hashes stable for Evidence Locker ingestion.