stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
6bee1fdcf58fe6c2fd8dae6201f5f71eb504710f
git.stella-ops.org/docs/modules/signer
History
master 2de8d1784b
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
new advisories
2025-11-23 23:38:25 +02:00
..
AGENTS.md
new advisories
2025-11-23 23:38:25 +02:00
architecture.md
feat(scanner): Implement Deno analyzer and associated tests
2025-11-12 10:01:54 +02:00
implementation_plan.md
Align AOC tasks for Excititor and Concelier
2025-10-31 18:50:15 +02:00
README.md
feat: Implement approvals workflow and notifications integration
2025-11-06 08:48:13 +02:00

README.md

StellaOps Signer

Signer validates callers, enforces Proof-of-Entitlement, and produces signed DSSE bundles for SBOMs, reports, and exports.

Latest updates (Sprint 11 · 2025-10-21)

  • /sign/dsse pipeline landed with Authority OpTok + PoE enforcement, Fulcio/KMS signing modes, and deterministic DSSE bundles ready for Attestor logging.
  • /verify/referrers endpoint exposes release-integrity checks against scanner OCI referrers so callers can confirm digests before requesting signatures.
  • Plan quota enforcement (QPS/concurrency/artifact size) and audit/metrics wiring now align with the Sprint11 signing-chain release.

Responsibilities

  • Enforce Proof-of-Entitlement and plan quotas before signing artifacts.
  • Support keyless (Fulcio) and keyful (KMS/HSM) signing backends.
  • Verify scanner release integrity via OCI referrers prior to issuing signatures.
  • Emit DSSE payloads consumed by Attestor/Export Center and maintain comprehensive audit trails.

Key components

  • StellaOps.Signer service host.
  • Crypto providers under StellaOps.Cryptography.*.

Integrations & dependencies

  • Authority for OpTok + PoE validation.
  • Licensing Service for entitlement introspection.
  • OCI registries (Referrers API) for scanner release verification.
  • Attestor for transparency logging and Rekor ingestion.
  • Export Center and CLI for artifact signing flows.

API quick reference

  • POST /api/v1/signer/sign/dsse — validate OpTok/PoE, enforce quotas, return DSSE bundle with signing identity metadata.
  • GET /api/v1/signer/verify/referrers — report scanner release signer and trust verdict for a supplied image digest.

Operational notes

  • Key management via Authority/DevOps runbooks.
  • Metrics for signing latency/throttle states.
  • Offline kit integration for signature verification.

Backlog references

  • SIG docs/tasks in ../../TASKS.md (e.g., DOCS-SIG-26-006).

Epic alignment

  • Epic 10 Export Center: provide signing pipelines, cosign interoperability, and provenance manifests for bundle promotion.
  • Epic 19 Attestor Console: supply DSSE payloads and Proof-of-Entitlement enforcement feeding attestation workflows described in docs/modules/attestor/.