4.4 KiB
Runbook: Attestor - Attestation Verification Failures
Sprint: SPRINT_20260117_029_DOCS_runbook_coverage Task: RUN-005 - Attestor Runbooks
Metadata
| Field | Value |
|---|---|
| Component | Attestor |
| Severity | High |
| On-call scope | Platform team, Security team |
| Last updated | 2026-01-17 |
| Doctor check | check.attestor.verification-health |
Symptoms
- Attestation verification failing
- Alert
AttestorVerificationFailedfiring - Error: "signature verification failed" or "invalid attestation"
- Promotions blocked due to failed verification
- Error: "trust anchor not found" or "certificate chain invalid"
Impact
| Impact Type | Description |
|---|---|
| User-facing | Artifacts cannot be promoted; release blocked |
| Data integrity | May indicate tampered attestation or configuration issue |
| SLA impact | Release pipeline blocked until resolved |
Diagnosis
Quick checks
-
Check Doctor diagnostics:
stella doctor --check check.attestor.verification-health -
Verify specific attestation:
stella verify attestation --attestation <attestation-id> --verbose -
Check trust anchors:
stella trust-anchors list
Deep diagnosis
-
Check attestation details:
stella attest show <attestation-id> --detailsLook for: Signer identity, timestamp, subject
-
Verify certificate chain:
stella verify cert-chain --attestation <attestation-id>Problem if: Intermediate cert missing, root not trusted
-
Check public key availability:
stella keys show <key-id> --public -
Check if issuer is trusted:
stella issuer trust-status <issuer-id>
Resolution
Immediate mitigation
-
If trust anchor missing, add it:
stella trust-anchors add --cert <issuer-cert.pem> -
If intermediate cert missing:
stella trust-anchors add-intermediate --cert <intermediate.pem> -
Re-verify with verbose output:
stella verify attestation --attestation <attestation-id> --verbose
Root cause fix
If signature mismatch:
-
Check attestation wasn't modified:
stella attest integrity-check <attestation-id> -
If modified, regenerate attestation:
stella attest create --subject <digest> --type <type> --force
If key rotated and old key not trusted:
-
Add old public key to trust anchors:
stella trust-anchors add-key --key <old-key.pem> --expires <date> -
Or fetch from issuer directory:
stella issuer keys fetch <issuer-id>
If certificate expired:
-
Check certificate validity:
stella verify cert --attestation <attestation-id> --show-expiry -
Re-sign with valid certificate:
stella attest resign <attestation-id>
If issuer not trusted:
-
Verify issuer identity:
stella issuer show <issuer-id> -
Add to trusted issuers (requires approval):
stella issuer trust <issuer-id> --reason "Approved by security team"
If algorithm not supported:
-
Check algorithm:
stella attest show <attestation-id> | grep algorithm -
Verify crypto provider supports algorithm:
stella crypto providers list --algorithms
Verification
# Verify attestation
stella verify attestation --attestation <attestation-id>
# Verify trust chain
stella verify cert-chain --attestation <attestation-id>
# Test end-to-end verification
stella verify artifact --digest <digest>
# Check no verification errors
stella attest logs --filter "verification" --level error --last 30m
Prevention
- Trust anchors: Keep trust anchor list current with all valid issuer certs
- Key rotation: Plan key rotation with overlap period for verification continuity
- Monitoring: Alert on verification failure rate > 0
- Testing: Include verification tests in release pipeline
Related Resources
- Architecture:
docs/modules/attestor/verification.md - Related runbooks:
attestor-signing-failed.md,attestor-key-expired.md - Trust management:
docs/operations/trust-anchors.md