stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
6f8ee8aacb6985328882ed5622ca769659ecbb6a
git.stella-ops.org/docs/examples/binary-diff/dsse-attestation.md
master d7be6ba34b audit, advisories and doctors/setup work
2026-01-13 18:53:39 +02:00

45 lines
981 B
Markdown
Raw Blame History

# DSSE Attestation
This example shows how to emit DSSE envelopes from `stella scan diff` and verify them.
## Generate DSSE Output
```bash
stella scan diff \
--base docker://registry.example.com/myapp:1.0.0 \
--target docker://registry.example.com/myapp:1.0.1 \
--mode=elf \
--emit-dsse=./attestations \
--signing-key=./keys/binarydiff.pem
```
Output files:
```
attestations/
linux-amd64-binarydiff.dsse.json
linux-amd64-binarydiff.payload.json
```
## Attach Attestation
```bash
stella attest attach \
--image docker://registry.example.com/myapp:1.0.1 \
--attestation ./attestations/linux-amd64-binarydiff.dsse.json
```
## Verify with Cosign
```bash
cosign verify-attestation \
--type stellaops.binarydiff.v1 \
--key ./keys/binarydiff.pub \
docker://registry.example.com/myapp:1.0.1
```
## Notes
- DSSE signing requires an ECDSA private key (P-256/384/521) in PEM format.
- If the image is multi-arch, specify `--platform` to select the manifest.
Reference in New Issue View Git Blame Copy Permalink