53508ceccb
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Implemented RecordingLogger and RecordingLoggerFactory for capturing log entries in tests. - Added unit tests for InMemoryChannel, covering constructor behavior, property assignments, channel communication, and disposal. - Created InMemoryTransportOptionsTests to validate default values and customizable options for InMemory transport. - Developed RabbitMqFrameProtocolTests to ensure correct parsing and property creation for RabbitMQ frames. - Added RabbitMqTransportOptionsTests to verify default settings and customization options for RabbitMQ transport. - Updated project files for testing libraries and dependencies.
3.2 KiB
3.2 KiB
Signals DSSE Evidence Staging (runtime/signals gaps)
Artifacts prepared 2025-12-01 (UTC) for DSSE signing and Evidence Locker ingest:
| Artifact | Path | Predicate |
|---|---|---|
| Decay config | docs/modules/signals/decay/confidence_decay_config.yaml |
stella.ops/confidenceDecayConfig@v1 |
| Unknowns manifest | docs/modules/signals/unknowns/unknowns_scoring_manifest.json |
stella.ops/unknownsScoringManifest@v1 |
| Heuristics catalog | docs/modules/signals/heuristics/heuristics.catalog.json |
stella.ops/heuristicCatalog@v1 |
| Checksums | docs/modules/signals/SHA256SUMS |
— |
CI Automated Signing
The .gitea/workflows/signals-dsse-sign.yml workflow automates DSSE signing.
Prerequisites (CI Secrets)
| Secret | Description |
|---|---|
COSIGN_PRIVATE_KEY_B64 |
Base64-encoded cosign private key (required for production) |
COSIGN_PASSWORD |
Password for encrypted key (if applicable) |
CI_EVIDENCE_LOCKER_TOKEN |
Token for Evidence Locker push (optional) |
Trigger
- Automatic: Push to
mainaffectingdocs/modules/signals/**ortools/cosign/sign-signals.sh - Manual: Workflow dispatch with
allow_dev_key=1for testing
Output
Signed artifacts uploaded as workflow artifact signals-dsse-signed-{run} and optionally pushed to Evidence Locker.
Development Signing (Local Testing)
A development key pair is available for smoke tests. Recent dev bundles live under docs/modules/signals/dev-smoke/2025-12-04/ and docs/modules/signals/dev-smoke/2025-12-05/.
# Sign with dev key
COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
OUT_DIR=docs/modules/signals/dev-smoke/2025-12-05 \
tools/cosign/sign-signals.sh
# Verify signature
cosign verify-blob \
--key tools/cosign/cosign.dev.pub \
--bundle docs/modules/signals/dev-smoke/2025-12-05/confidence_decay_config.sigstore.json \
docs/modules/signals/decay/confidence_decay_config.yaml
Note: Dev key signatures are NOT suitable for Evidence Locker or production use; tlog upload is disabled.
Production Signing (Manual)
For production signing without CI:
# Option 1: Place key file
cp /path/to/production.key tools/cosign/cosign.key
OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh
# Option 2: Use base64 env var
export COSIGN_PRIVATE_KEY_B64=$(cat production.key | base64 -w0)
export COSIGN_PASSWORD=your-password
OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh
Evidence Locker Paths
Post-signing, artifacts go to:
evidence-locker/signals/2025-12-01/confidence_decay_config.sigstore.jsonevidence-locker/signals/2025-12-01/unknowns_scoring_manifest.sigstore.jsonevidence-locker/signals/2025-12-01/heuristics_catalog.sigstore.jsonevidence-locker/signals/2025-12-01/SHA256SUMS
Post-Signing Checklist
- Verify signatures against public key
- Update sprint tracker (SPRINT_0140) Delivery Tracker rows 5–7
- Add signer ID to Execution Log
- Copy to offline kit bundle for air-gap parity
Notes
- All timestamps use UTC ISO-8601 format
- Signatures disable tlog upload (
--tlog-upload=false) for offline compatibility - See
tools/cosign/README.mdfor detailed key management and CI setup