git.stella-ops.org/docs/modules/evidence-locker/attestation-contract.md
master 79b8e53441
Add new features and tests for AirGap and Time modules
- Introduced `SbomService` tasks documentation.
- Updated `StellaOps.sln` to include new projects: `StellaOps.AirGap.Time` and `StellaOps.AirGap.Importer`.
- Added unit tests for `BundleImportPlanner`, `DsseVerifier`, `ImportValidator`, and other components in the `StellaOps.AirGap.Importer.Tests` namespace.
- Implemented `InMemoryBundleRepositories` for testing bundle catalog and item repositories.
- Created `MerkleRootCalculator`, `RootRotationPolicy`, and `TufMetadataValidator` tests.
- Developed `StalenessCalculator` and `TimeAnchorLoader` tests in the `StellaOps.AirGap.Time.Tests` namespace.
- Added `fetch-sbomservice-deps.sh` script for offline dependency fetching.
2025-11-20 23:29:54 +02:00
# Evidence Locker Attestation Contract (v1 · frozen 2025-11-20)
Scope: Evidence Bundle v1 produced by Evidence Locker and consumed by Concelier, Excititor, Export Center, CLI, and Policy Engine.
## Predicates & subjects
- **Subject**: OCI manifest digest (`sha256:<digest>`) of the bundle, plus optional replay pack digest.
- **Predicates (DSSE/In-Toto)**
  - `stellaops.evidence.bundle.v1`: declares bundle layout (manifests, CAS paths, replay log offsets).
  - `stellaops.evidence.transparency.v1`: optional Rekor log inclusion proof (UUID, log index, root hash at inclusion).
  - `stellaops.evidence.integrity.v1`: hashes for each payload (SBOMs, VEX, policy packs, telemetry snapshots), keyed by logical path.
## Required claim set
- `bundle_id` (UUID v4)
- `produced_at` (UTC ISO-8601)
- `producer` (`evidence-locker:<region>`)
- `subject_digest` (OCI digest string)
- `hashes` (map: logical path → sha256)
- `sbom` (array of SPDX/CycloneDX digests and mediaTypes)
- `vex` (array of VEX doc digests and schema versions)
- `replay_manifest` (optional; digest + sequence number)
- `transparency` (optional; Rekor UUID, logIndex, rootHash)
- `signing_profile` (`sovereign-default` | `fips` | `gost` | `pq-experimental`)
## Bundling & signing rules
- DSSE envelope using the module's configured crypto provider; keys must be short-lived (<24h) and recorded in the provider registry.
- Hash list and subject digest MUST match the on-disk CAS objects; deterministic sort by logical path.
- Rekor entry is optional; when absent, set `transparency=null` and add `transparency_reason="offline"` to the provenance note.
## Verification plan
- Verify DSSE signature against provider registry (per profile) and check key expiry.
- Recompute sha256 for every CAS object; fail if any mismatch.
- If `transparency` present, verify inclusion proof against bundled Rekor root; fail closed on mismatch.
- Emit verification report JSON and store beside bundle as `verify.json` (deterministic key order).
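The following is an added illustration of the claim-set, sorting and verification rules above, not code from the Evidence Locker project. It assumes an in-memory CAS (`CAS`) and a hypothetical provider-registry callback `verify_sig` standing in for DSSE signature checking; Rekor inclusion-proof verification is not shown.

```python
import base64, hashlib, json
# Constructed stand-in for the on-disk CAS: logical path -> object bytes.
CAS = {"sbom/app.cdx.json": b'{"bomFormat": "CycloneDX"}',
       "vex/app.openvex.json": b'{"@context": "https://openvex.dev/ns/v0.2.0"}'}
REQUIRED = ("bundle_id", "produced_at", "producer", "subject_digest",
            "hashes", "sbom", "vex", "signing_profile")
PROFILES = {"sovereign-default", "fips", "gost", "pq-experimental"}

def pae(payload_type, payload):  # DSSE pre-authentication encoding (what is signed)
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def verify_bundle(envelope, cas, verify_sig):
    """Apply the contract's verification plan and return the verify.json content.
    verify_sig(keyid, message, signature) -> bool is a hypothetical provider-registry
    hook (it also enforces key expiry); Rekor inclusion-proof checking is left out."""
    errors = []
    payload = base64.b64decode(envelope["payload"])
    msg = pae(envelope["payloadType"], payload)
    sigs = envelope.get("signatures") or []
    errors += [] if sigs else ["no signatures"]
    for s in sigs:
        if not verify_sig(s.get("keyid"), msg, base64.b64decode(s["sig"])):
            errors.append(f"bad signature for keyid {s.get('keyid')}")
    claims = json.loads(payload)
    errors += [f"missing claim {c}" for c in REQUIRED if c not in claims]
    if claims.get("signing_profile") not in PROFILES:
        errors.append("unknown signing_profile")
    hashes = claims.get("hashes", {})
    if list(hashes) != sorted(hashes):  # deterministic sort by logical path
        errors.append("hashes not sorted by logical path")
    for path, expected in hashes.items():  # recompute sha256 of every CAS object
        data = cas.get(path)
        if data is None or hashlib.sha256(data).hexdigest() != expected:
            errors.append(f"hash mismatch for {path}")
    if claims.get("transparency") is None and claims.get("transparency_reason") != "offline":
        errors.append("transparency null without transparency_reason=offline")
    # Keys kept alphabetical; write with json.dumps(report, sort_keys=True) as verify.json.
    return {"bundle_id": claims.get("bundle_id"), "errors": errors, "ok": not errors}

def sample_envelope():  # constructed envelope over CAS; signature bytes are a placeholder
    claims = {"bundle_id": "00000000-0000-4000-8000-000000000001",
              "produced_at": "2025-11-20T21:29:54Z", "producer": "evidence-locker:eu",
              "subject_digest": "sha256:" + "0" * 64, "sbom": [], "vex": [],
              "hashes": {p: hashlib.sha256(b).hexdigest() for p, b in sorted(CAS.items())},
              "transparency": None, "transparency_reason": "offline",
              "signing_profile": "sovereign-default"}
    payload = base64.b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return {"payloadType": "application/vnd.in-toto+json", "payload": payload,
            "signatures": [{"keyid": "key-1", "sig": base64.b64encode(b"placeholder").decode()}]}
```

Any single failed check makes `ok` false, so the verifier fails closed on a hash mismatch or a bad signature rather than reporting partial success.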
## Fixtures
- Sample bundle + report: `docs/samples/evidence-locker/bundle-v1-sample.tar.gz` (sha256 TBD at publish time).
- Sample attestation envelope: `docs/samples/evidence-locker/attestation-v1-sample.json`.
## Ownership
- Primary: Evidence Locker Guild.
- Reviewers: Concelier Core Guild, Excititor Guild, Export Center Guild, Policy Guild.

This contract is authoritative for Sprint 110 and blocks CONCELIER-ATTEST-73-001/002 and EXCITITOR-ATTEST-01-003/73-001/73-002.