git.stella-ops.org/docs/modules/mirror/dsse-tuf-profile.md

DSSE/TUF profile for Mirror thin bundles (v1 draft)

Applies to mirror-thin-v1.* artefacts in out/mirror/thin/.

Keys

• Signing algorithm: ed25519
• Key IDs: mirror-ed25519-test-1
• Storage: keep private key only in sealed CI secret; public key published alongside metadata at out/mirror/thin/tuf/keys/mirror-ed25519-test-1.pub.

DSSE envelope

• Payload type: application/vnd.stellaops.mirror.manifest+json
• Payload: mirror-thin-v1.manifest.json
• Signature: ed25519 over base64url(payload)
• Envelope path: out/mirror/thin/mirror-thin-v1.manifest.dsse.json

TUF metadata layout

out/mirror/thin/tuf/
  root.json
  snapshot.json
  targets.json
  timestamp.json
  keys/mirror-ed25519-test-1.pub

Targets mapping

• mirror-thin-v1.tar.gz → targets entry with sha256 210dc49e8d3e25509298770a94da277aa2c9d4c387d3c24505a61fe1d7695a49
• mirror-thin-v1.manifest.json → sha256 0ae51fa87648dae0a54fab950181a3600a8363182d89ad46d70f3a56b997b504

Determinism rules

• Sort keys in JSON; indent=2; trailing newline.
• expires set to 2026-01-01T00:00:00Z for draft; update during release.
• Versions: root=1, targets=1, snapshot=1, timestamp=1 for this draft.
• Signatures should be stable; for test draft, placeholders are used until CI signing is wired.

Status & TODO to productionize

• Draft signatures now generated with repo test key (mirror-ed25519-test-1) via scripts/mirror/sign_thin_bundle.py; replace with CI-held key before release.
• CI hook: set MIRROR_SIGN_KEY_B64 (base64-encoded Ed25519 PEM) and run scripts/mirror/ci-sign.sh to build+sign+verify in one step.
• Rotate keys via TUF root role once CI secrets land.
• Add DSSE signer to assembler pipeline so make-thin-v1.sh emits envelope + TUF metadata automatically in CI.

CI integration sketch (disabled until key is provided)

- name: Mirror thin bundle (signed)
  run: |
    export MIRROR_SIGN_KEY_B64="${{ secrets.MIRROR_SIGN_KEY_B64 }}"
    export OCI=1
    scripts/mirror/ci-sign.sh
  if: ${{ secrets.MIRROR_SIGN_KEY_B64 != '' }}