git.stella-ops.org/docs/modules/attestor/guides/offline-verification.md
2026-01-22 19:08:46 +02:00


Attestor Offline Verification Guide

Audience: Attestor operators, AirGap owners, CI/Release engineers

Purpose: Explain how to verify attestations and timestamp evidence in fully offline environments.

1. Offline Inputs

Offline verification expects all evidence to be bundled locally:

  • DSSE envelopes + certificate chains.
  • Rekor inclusion proofs + a pinned checkpoint.
  • RFC3161 timestamp evidence with bundled TSA chain and revocation data:
    • tsa/chain/ (PEM certificates, leaf -> root)
    • tsa/ocsp/ (stapled OCSP responses)
    • tsa/crl/ (CRL snapshots when OCSP is unavailable)

2. Bundle Layout Expectations

Minimum paths for timestamp verification:

  • manifest.json with timestamps[] entries.
  • tsa/chain/*.pem for each RFC3161 timestamp.
  • tsa/ocsp/*.der or tsa/crl/*.crl (revocation evidence).

3. CLI Workflow (Offline)

Use the bundle verification flow aligned to domain operations:

stella bundle verify --bundle /path/to/bundle --offline --trust-root /path/to/tsa-root.pem --rekor-checkpoint /path/to/checkpoint.json
stella bundle verify --bundle /path/to/bundle --offline --signer /path/to/report-key.pem --signer-cert /path/to/report-cert.pem

Notes:

  • Offline mode fails closed when revocation evidence is missing or invalid.
  • Trust roots must be provided locally; no network fetches are allowed.
  • When --signer is set, a DSSE report is written to out/verification.report.json.
  • Signed report metadata includes verifier.algo, verifier.cert, signed_at.
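
A layout preflight for the minimum paths listed in section 2, applying the same fail-closed rule for missing revocation evidence. This is an added example, not Stella Ops code: the function name `preflight` and its problem messages are assumptions, it checks presence and basic shape only (no signature, chain or OCSP/CRL validation), and it does not replace `stella bundle verify`.

```python
import json
import sys
from pathlib import Path

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def _files(directory, pattern):
    """Sorted matches for pattern, or [] when the directory is absent."""
    return sorted(directory.glob(pattern)) if directory.is_dir() else []


def preflight(bundle_dir):
    """Return a list of layout problems; an empty list means the minimum
    paths for timestamp verification are present."""
    root = Path(bundle_dir)
    problems = []

    # manifest.json must parse and carry a non-empty timestamps[] array.
    try:
        manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        problems.append(f"manifest.json unreadable: {exc}")
    else:
        ts = manifest.get("timestamps") if isinstance(manifest, dict) else None
        if not isinstance(ts, list) or not ts:
            problems.append("manifest.json has no timestamps[] entries")

    # tsa/chain/*.pem: at least one file, each holding a certificate block.
    chain = _files(root / "tsa" / "chain", "*.pem")
    if not chain:
        problems.append("tsa/chain/ has no *.pem certificates")
    for pem in chain:
        if PEM_MARKER not in pem.read_bytes():
            problems.append(f"{pem.name} contains no PEM certificate block")

    # Revocation evidence: OCSP responses or CRL snapshots; empty files
    # do not count, so a truncated copy is reported before verification.
    ocsp = [p for p in _files(root / "tsa" / "ocsp", "*.der") if p.stat().st_size]
    crl = [p for p in _files(root / "tsa" / "crl", "*.crl") if p.stat().st_size]
    if not ocsp and not crl:
        problems.append("no revocation evidence in tsa/ocsp/ or tsa/crl/")
    return problems


if __name__ == "__main__":
    issues = preflight(sys.argv[1] if len(sys.argv) > 1 else ".")
    for issue in issues:
        print("FAIL:", issue)
    sys.exit(1 if issues else 0)
```

Run it against the bundle directory before the bundle crosses the air gap; a non-zero exit means the offline verifier would lack required evidence.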

4. Verification Behavior

  • TSA chain is validated against the provided trust roots.
  • Revocation evidence is verified using bundled OCSP/CRL data.
  • Rekor proofs are verified against the pinned checkpoint when provided.

5. References

  • docs/modules/attestor/guides/timestamp-policy.md
  • docs/modules/attestor/airgap.md
  • docs/modules/airgap/guides/staleness-and-time.md