git.stella-ops.org/docs/modules/authority/gaps/2025-12-04-rekor-receipt-gaps-rr1-rr10.md
2026-01-08 09:06:03 +02:00


Rekor Receipt Remediation · RR1–RR10 (Authority/Attestor/Sbomer)

Source: docs/product/advisories/31-Nov-2025 FINDINGS.md (RR1–RR10). Scope is the Rekor receipt schema/catalog and the offline verification path consumed by Authority, Sbomer and Attestor.

Deliverables & Evidence Map

| ID | Requirement | Deliverable | Evidence & location |
|----|-------------|-------------|---------------------|
| RR1 | DSSE/hashedrekord only | Policy flag rk1_enforceDsse=true and routing to hashedrekord recorded in mirror/receipt policy. | gaps/artifacts/rekor-receipt-policy.v1.json (+ DSSE). |
| RR2 | Payload size preflight + chunks | rk2_payloadMaxBytes=1048576 with chunk guidance; embed in policy. | Same policy JSON (rk2 fields) + example transport-plan snippet. |
| RR3 | Public/private routing | rk3_routing map per shard/tenant documented. | Policy JSON. |
| RR4 | Shard-aware checkpoints | rk4_shardCheckpoint="per-tenant-per-day" + freshness fields. | Policy JSON + checklist section. |
| RR5 | Idempotent submission keys | rk5_idempotentKeys=true; include sample request header/claim mapping. | Policy JSON + doc section. |
| RR6 | Sigstore bundles in kits | rk6_sigstoreBundleIncluded=true + bundle manifest entry for receipts. | Policy JSON + bundle manifest path gaps/artifacts/rekor-receipt-bundle.v1.json. |
| RR7 | Checkpoint freshness bounds | rk7_checkpointFreshnessSeconds aligned with mirror/transport budgets. | Policy JSON + metrics note. |
| RR8 | PQ dual-sign options | rk8_pqDualSign toggle captured with allowed algorithms. | Policy JSON + crypto profile reference. |
| RR9 | Error taxonomy/backoff | rk9_errorTaxonomy and retry rules; deterministic table. | gaps/rekor-receipt-error-taxonomy.md. |
| RR10 | Policy/graph annotations | rk10_annotations fields for policy hash + graph context inside receipts. | Policy JSON + schema doc. |

Schema & bundle layout

  • Receipt schema: gaps/artifacts/rekor-receipt.schema.json (includes required fields: tlog URL/key, checkpoint, inclusion proof, bundle hash, policy hash, client version/flags, TSA/Fulcio chain, mirror metadata, repro inputs hash).
  • Bundle manifest: gaps/artifacts/rekor-receipt-bundle.v1.json referencing schema, policy, transport plan, and sample receipts; DSSE envelope rekor-receipt-bundle.v1.sigstore.json when signed.
  • Hash index: docs/modules/authority/gaps/SHA256SUMS collects schema/policy/bundle hashes and (once signed) DSSE bundle hashes.

Action Plan

  1. Draft rekor-receipt-policy.v1.json with rk1–rk10 flags and shard/routing/size constraints; keep keys sorted.
  2. Author schema rekor-receipt.schema.json with canonical field order and example; ensure inclusion proof + policy hash fields are mandatory.
  3. Add error taxonomy markdown rekor-receipt-error-taxonomy.md with deterministic table (code, classification, retry policy).
  4. Define bundle manifest rekor-receipt-bundle.v1.json (hashes will be appended to SHA256SUMS once generated) and note DSSE envelope requirement.
  5. Mirror status in sprint SPRINT_0314_0001_0001_docs_modules_authority.md (REKOR-RECEIPT-GAPS-314-005) and Authority TASKS.

Determinism & offline

  • Use sha256sum over normalized JSON and markdown; store in gaps/SHA256SUMS.
  • No network dependencies; examples should reference local bundle paths.
  • Signing is to follow the Authority key once it is available; until then the envelopes remain TODO, but their paths are fixed.
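As an added example (not code from this repository), the following Python sketch ties the rk1/rk2/rk7/rk10 flags, the schema's required fields and the normalized-JSON hashing above into one offline receipt preflight. The receipt field names, policy values, timestamps and error codes are constructed placeholders, not the project's schema or taxonomy.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample policy: rk* keys follow the RR1-RR10 rows; values are illustrative.
POLICY = {"rk1_enforceDsse": True, "rk2_payloadMaxBytes": 1048576,
          "rk7_checkpointFreshnessSeconds": 86400}

# Hypothetical receipt field names standing in for the schema's required fields.
REQUIRED_FIELDS = ("tlogUrl", "checkpoint", "inclusionProof", "bundleHash", "policyHash")
ALLOWED_KINDS = {"dsse", "hashedrekord"}


def canonical_sha256(obj) -> str:
    """sha256 over normalized JSON: sorted keys, no whitespace, UTF-8."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()


def preflight(receipt: dict, payload: bytes, policy: dict, now: datetime) -> list:
    """Offline checks only; returns a sorted list of error codes ([] means accepted)."""
    errors = []
    missing = [f for f in REQUIRED_FIELDS if f not in receipt]
    if missing:
        errors.append("SCHEMA_MISSING_FIELDS:" + ",".join(missing))
    # RR1: only DSSE / hashedrekord entries are accepted when enforcement is on.
    if policy["rk1_enforceDsse"] and receipt.get("entryKind") not in ALLOWED_KINDS:
        errors.append("RR1_ENTRY_KIND_REJECTED")
    # RR2: size preflight happens before any submission attempt.
    if len(payload) > policy["rk2_payloadMaxBytes"]:
        errors.append("RR2_PAYLOAD_TOO_LARGE")
    # RR7: the checkpoint must fall inside the freshness budget.
    ts_text = receipt.get("checkpoint", {}).get("timestamp")
    if ts_text is None:
        errors.append("RR7_CHECKPOINT_TIMESTAMP_MISSING")
    elif now - datetime.fromisoformat(ts_text) > timedelta(seconds=policy["rk7_checkpointFreshnessSeconds"]):
        errors.append("RR7_CHECKPOINT_STALE")
    # RR10: the receipt pins the hash of the policy it was produced under.
    if receipt.get("policyHash") != canonical_sha256(policy):
        errors.append("RR10_POLICY_HASH_MISMATCH")
    return sorted(errors)


# Constructed sample receipt that is accepted under POLICY at NOW.
NOW = datetime(2025, 12, 4, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECEIPT = {
    "entryKind": "dsse", "tlogUrl": "https://rekor.example.invalid",
    "checkpoint": {"timestamp": "2025-12-04T06:00:00+00:00"},
    "inclusionProof": {"logIndex": 42, "hashes": []},
    "bundleHash": "sha256:" + "0" * 64,
    "policyHash": canonical_sha256(POLICY),
}
```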