# Trust Profiles

Trust profiles are offline trust-store templates for bundle verification. They define trust roots, Rekor public keys, and TSA roots in a single file so operators can apply a profile into a local trust store.

Default profile location:

- `etc/trust-profiles/*.trustprofile.json`
- Assets referenced by profiles live under `etc/trust-profiles/assets/`

Profile structure (summary):

- `profileId`: stable identifier (used by CLI commands)
- `trustRoots[]`: signing trust roots (PEM files)
- `rekorKeys[]`: Rekor public keys for offline inclusion proof verification
- `tsaRoots[]`: TSA roots for RFC3161 verification
- `metadata`: optional compliance metadata

CLI usage:

- `stella trust-profile list`
- `stella trust-profile show <profile-id>`
- `stella trust-profile apply <profile-id> --output <dir>`

Profile lookup overrides:

- `--profiles-dir <path>` to point at a custom profiles directory
- `STELLAOPS_TRUST_PROFILES` environment variable for default lookup

Apply output:

- `trust-manifest.json` (trust roots manifest for offline verification)
- `trust-profile.json` (resolved profile copy)
- `trust-root.pem` (combined trust roots for CLI verification)
- `trust-roots/`, `rekor/`, `tsa/` folders with PEM assets

Example apply workflow:

1. `stella trust-profile apply global --output ./trust-store`
2. `stella bundle verify --trust-root ./trust-store/trust-root.pem`
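To make the profile structure and the apply output concrete, here is an added, self-contained Python sketch of what an "apply" step does: load a `*.trustprofile.json`, resolve each referenced asset under the assets directory (refusing references that escape it), check that each asset carries the expected PEM armour, copy the assets into `trust-roots/`, `rekor/` and `tsa/`, and write `trust-root.pem`, `trust-profile.json` and `trust-manifest.json` with a SHA-256 per asset. This is illustrative code written for this page, not the `stella` CLI's own implementation. It assumes a schema the page does not spell out (each `trustRoots`/`rekorKeys`/`tsaRoots` entry is `{"name", "path"}` with `path` relative to the assets directory, and Rekor keys are PEM `PUBLIC KEY` blocks while roots are `CERTIFICATE` blocks), and the `demo()` helper builds constructed placeholder PEM files in a temporary directory, not real keys.

```python
# Added illustrative example, not the StellaOps CLI's own code.
# Assumed schema (not confirmed by the page): each entry in trustRoots, rekorKeys
# and tsaRoots is {"name": "...", "path": "<relative to the assets dir>"}.
import hashlib
import json
import tempfile
from pathlib import Path

# Output folder per profile section, matching the apply output listed above.
SECTIONS = {"trustRoots": "trust-roots", "rekorKeys": "rekor", "tsaRoots": "tsa"}
# Assumed PEM labels: Rekor keys are public keys, roots are certificates.
PEM_LABEL = {"trustRoots": "CERTIFICATE", "rekorKeys": "PUBLIC KEY", "tsaRoots": "CERTIFICATE"}


def resolve_asset(assets_dir: Path, rel: str) -> Path:
    """Resolve an asset reference and reject any path that escapes assets_dir."""
    root = assets_dir.resolve()
    candidate = (root / rel).resolve()
    if root not in candidate.parents:
        raise ValueError(f"asset path escapes assets dir: {rel}")
    if not candidate.is_file():
        raise FileNotFoundError(f"asset missing: {rel}")
    return candidate


def check_pem(data: bytes, label: str) -> None:
    """Structural check only: the file must carry the expected PEM armour."""
    text = data.decode("ascii")
    if f"-----BEGIN {label}-----" not in text or f"-----END {label}-----" not in text:
        raise ValueError(f"expected a PEM {label} block")


def load_profile(profile_path: Path) -> dict:
    """Parse the profile and insist on the keys the apply step depends on."""
    profile = json.loads(profile_path.read_text())
    for key in ("profileId", *SECTIONS):
        if key not in profile:
            raise ValueError(f"profile missing required key: {key}")
    if not profile["trustRoots"]:
        raise ValueError("profile declares no trust roots")
    return profile


def apply_profile(profile_path: Path, assets_dir: Path, output: Path) -> dict:
    """Copy referenced PEM assets into output/ and write the three summary files."""
    profile = load_profile(profile_path)
    manifest = {"profileId": profile["profileId"], "assets": {k: [] for k in SECTIONS}}
    combined = []
    for key, folder in SECTIONS.items():
        (output / folder).mkdir(parents=True, exist_ok=True)
        for entry in profile[key]:
            src = resolve_asset(assets_dir, entry["path"])
            data = src.read_bytes()
            check_pem(data, PEM_LABEL[key])
            (output / folder / src.name).write_bytes(data)
            manifest["assets"][key].append({
                "name": entry["name"],
                "file": f"{folder}/{src.name}",
                "sha256": hashlib.sha256(data).hexdigest(),  # lets a verifier pin the asset
            })
            if key == "trustRoots":
                combined.append(data.rstrip(b"\n") + b"\n")
    (output / "trust-root.pem").write_bytes(b"".join(combined))
    (output / "trust-profile.json").write_text(json.dumps(profile, indent=2))
    (output / "trust-manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def _placeholder_pem(label: str) -> str:
    # Constructed placeholder armour: base64 of "PLACEHOLDER", not a real key or cert.
    return f"-----BEGIN {label}-----\nUExBQ0VIT0xERVI=\n-----END {label}-----\n"


def demo() -> dict:
    """Build a constructed profile plus assets in a temp dir, apply it, report results."""
    base = Path(tempfile.mkdtemp())
    assets = base / "etc" / "trust-profiles" / "assets"
    for sub in ("roots", "rekor", "tsa"):
        (assets / sub).mkdir(parents=True)
    (assets / "roots" / "root-a.pem").write_text(_placeholder_pem("CERTIFICATE"))
    (assets / "roots" / "root-b.pem").write_text(_placeholder_pem("CERTIFICATE"))
    (assets / "rekor" / "rekor.pub").write_text(_placeholder_pem("PUBLIC KEY"))
    (assets / "tsa" / "tsa-root.pem").write_text(_placeholder_pem("CERTIFICATE"))
    profile = {
        "profileId": "global",
        "trustRoots": [{"name": "root-a", "path": "roots/root-a.pem"},
                       {"name": "root-b", "path": "roots/root-b.pem"}],
        "rekorKeys": [{"name": "rekor", "path": "rekor/rekor.pub"}],
        "tsaRoots": [{"name": "tsa", "path": "tsa/tsa-root.pem"}],
        "metadata": {"note": "constructed sample"},
    }
    profile_path = base / "etc" / "trust-profiles" / "global.trustprofile.json"
    profile_path.write_text(json.dumps(profile))
    output = base / "trust-store"
    manifest = apply_profile(profile_path, assets, output)
    # A profile must not be able to pull files from outside the assets directory.
    try:
        resolve_asset(assets, "../global.trustprofile.json")
        traversal_rejected = False
    except ValueError:
        traversal_rejected = True
    return {
        "manifest": manifest,
        "output": str(output),
        "written": sorted(p.name for p in output.iterdir()),
        "root_blocks": (output / "trust-root.pem").read_text().count("BEGIN CERTIFICATE"),
        "traversal_rejected": traversal_rejected,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the manifest and the list of files written to the temporary `trust-store/`; the per-asset SHA-256 in `trust-manifest.json` is what an offline verifier can compare against an approved list, and the `resolve_asset` check is the reason a profile cannot reference PEM material outside `etc/trust-profiles/assets/`.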

Note:

- Default profiles ship with placeholder roots for scaffolding only. Replace them with compliance-approved roots before production use.