git.stella-ops.org/docs/modules/cli/guides/trust-profiles.md
2026-01-22 19:08:46 +02:00

Trust Profiles

Trust profiles are offline trust-store templates for bundle verification. They define trust roots, Rekor public keys, and TSA roots in a single file so operators can apply a profile into a local trust store.

Default profile location:

  • etc/trust-profiles/*.trustprofile.json
  • Assets referenced by profiles live under etc/trust-profiles/assets/

Profile structure (summary):

  • profileId: stable identifier (used by CLI commands)
  • trustRoots[]: signing trust roots (PEM files)
  • rekorKeys[]: Rekor public keys for offline inclusion proof verification
  • tsaRoots[]: TSA roots for RFC 3161 timestamp verification
  • metadata: optional compliance metadata

CLI usage:

  • stella trust-profile list
  • stella trust-profile show <profile-id>
  • stella trust-profile apply <profile-id> --output <dir>

Profile lookup overrides:

  • --profiles-dir <path> to point at a custom profiles directory
  • STELLAOPS_TRUST_PROFILES environment variable for default lookup

Apply output:

  • trust-manifest.json (trust roots manifest for offline verification)
  • trust-profile.json (resolved profile copy)
  • trust-root.pem (combined trust roots for CLI verification)
  • trust-roots/, rekor/, tsa/ folders with PEM assets

Example apply workflow:

  1. stella trust-profile apply global --output ./trust-store
  2. stella bundle verify --trust-root ./trust-store/trust-root.pem
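
The apply step above, as an added illustration (example code, not the stella CLI's own implementation): it resolves a *.trustprofile.json into the listed outputs, refusing dangling or non-PEM assets and an empty trust-root set. It assumes the array entries are file names relative to assets/ and that trust-manifest.json carries a SHA-256 digest per copied file; the profile and PEM bodies are constructed dummies.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Profile section -> output folder, mirroring the "Apply output" list above.
SECTIONS = {"trustRoots": "trust-roots", "rekorKeys": "rekor", "tsaRoots": "tsa"}
PEM_BODY = b"-----BEGIN CERTIFICATE-----\nQ0FGRQ==\n-----END CERTIFICATE-----\n"  # constructed dummy, not a real cert

def read_pem(path: Path) -> bytes:
    # Fail closed: a dangling reference or a non-PEM asset must never land in the store.
    data = path.read_bytes()  # FileNotFoundError for a missing asset
    if not data.startswith(b"-----BEGIN ") or b"-----END " not in data:
        raise ValueError(f"{path} is not PEM-framed")
    return data

def apply_profile(profile_path: Path, out_dir: Path) -> dict:
    """Resolve one *.trustprofile.json into out_dir; return the manifest written."""
    profile = json.loads(profile_path.read_text())
    assets_dir = profile_path.parent / "assets"  # assumption: entries are names under assets/
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"profileId": profile["profileId"], "entries": []}
    combined = b""
    for section, folder in SECTIONS.items():
        (out_dir / folder).mkdir(exist_ok=True)
        for name in profile.get(section, []):
            src = assets_dir / name
            pem = read_pem(src)
            shutil.copyfile(src, out_dir / folder / src.name)
            manifest["entries"].append({"file": f"{folder}/{src.name}",
                                        "sha256": hashlib.sha256(pem).hexdigest()})
            if section == "trustRoots":  # only signing roots form trust-root.pem
                combined += pem if pem.endswith(b"\n") else pem + b"\n"
    if not combined:
        raise ValueError("no trustRoots; refusing to write an empty trust-root.pem")
    (out_dir / "trust-root.pem").write_bytes(combined)
    (out_dir / "trust-profile.json").write_text(json.dumps(profile, indent=2))
    (out_dir / "trust-manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def demo() -> dict:
    base = Path(tempfile.mkdtemp())  # constructed profile plus dummy assets
    (base / "assets").mkdir()
    for name in ("root-a.pem", "root-b.pem", "rekor.pub", "tsa-root.pem"):
        (base / "assets" / name).write_bytes(PEM_BODY)
    profile = {"profileId": "sample", "trustRoots": ["root-a.pem", "root-b.pem"],
               "rekorKeys": ["rekor.pub"], "tsaRoots": ["tsa-root.pem"]}
    (base / "sample.trustprofile.json").write_text(json.dumps(profile))
    return apply_profile(base / "sample.trustprofile.json", base / "trust-store")
```

Re-hashing the copied files against trust-manifest.json gives operators a check that the store is intact before pointing `stella bundle verify --trust-root` at it.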

Note:

  • Default profiles ship with placeholder roots for scaffolding only. Replace them with compliance-approved roots before production use.