git.stella-ops.org/docs/examples/binary-diff/dsse-attestation.md
2026-01-13 18:53:39 +02:00

DSSE Attestation

This example shows how to emit DSSE envelopes from stella scan diff and verify them.

Generate DSSE Output

stella scan diff \
  --base docker://registry.example.com/myapp:1.0.0 \
  --target docker://registry.example.com/myapp:1.0.1 \
  --mode=elf \
  --emit-dsse=./attestations \
  --signing-key=./keys/binarydiff.pem

Output files:

attestations/
  linux-amd64-binarydiff.dsse.json
  linux-amd64-binarydiff.payload.json

Attach Attestation

stella attest attach \
  --image docker://registry.example.com/myapp:1.0.1 \
  --attestation ./attestations/linux-amd64-binarydiff.dsse.json

Verify with Cosign

# cosign takes a plain image reference, without the docker:// transport prefix
cosign verify-attestation \
  --type stellaops.binarydiff.v1 \
  --key ./keys/binarydiff.pub \
  registry.example.com/myapp:1.0.1
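
What the signature in the .dsse.json file covers, as an added Python example that is not part of the stella tooling: it decodes an envelope, rebuilds the DSSE pre-authentication encoding (PAE) that is signed, reads the predicateType that cosign's --type is matched against, and compares the payload with the .payload.json sidecar. The sample envelope is constructed; the example assumes the payload is an in-toto statement and that the sidecar holds the decoded payload bytes, and it does not check the ECDSA signature itself.

```python
import base64
import json


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: the exact bytes the signature covers."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %b %d %b" % (len(t), t, len(payload), payload)


def inspect_envelope(envelope_text: str, sidecar=None) -> dict:
    """Decode a DSSE envelope and report what a verifier would look at."""
    env = json.loads(envelope_text)
    for field in ("payload", "payloadType", "signatures"):
        if field not in env:
            raise ValueError(f"not a DSSE envelope: missing {field!r}")
    if not env["signatures"]:
        raise ValueError("envelope carries no signatures")
    payload = base64.b64decode(env["payload"], validate=True)
    statement = json.loads(payload)  # assumption: payload is an in-toto statement
    return {
        "payload_type": env["payloadType"],
        "predicate_type": statement.get("predicateType"),
        "signed_bytes": pae(env["payloadType"], payload),
        # assumption: the sidecar file holds the decoded payload byte-for-byte
        "sidecar_matches": None if sidecar is None else sidecar == payload,
    }


# Constructed sample data (placeholder digest and signature, not real output).
SAMPLE_PAYLOAD = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "registry.example.com/myapp",
                 "digest": {"sha256": "0" * 64}}],
    "predicateType": "stellaops.binarydiff.v1",
    "predicate": {},
}).encode("utf-8")
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(SAMPLE_PAYLOAD).decode("ascii"),
    "signatures": [{"keyid": "", "sig": "Y29uc3RydWN0ZWQ="}],
})

if __name__ == "__main__":
    report = inspect_envelope(SAMPLE_ENVELOPE, sidecar=SAMPLE_PAYLOAD)
    print(report["predicate_type"], report["sidecar_matches"])
```

Because the signature is computed over the PAE bytes rather than over the JSON file, re-serializing or pretty-printing the envelope does not invalidate it, while any change to the payload or payloadType does.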

Notes

  • DSSE signing requires an ECDSA private key (P-256/384/521) in PEM format.
  • If the image is multi-arch, specify --platform to select the manifest.