git.stella-ops.org/docs/product-advisories/25-Dec-2025 - Planning Keyless Signing for Verdicts.md
StellaOps Bot 7792749bb4 feat: Add archived advisories and implement smart-diff as a core evidence primitive
- Introduced new advisory documents for archived superseded advisories, including detailed descriptions of features already implemented or covered by existing sprints.
- Added "Smart-Diff as a Core Evidence Primitive" advisory outlining the treatment of SBOM diffs as first-class evidence objects, enhancing vulnerability verdicts with deterministic replayability.
- Created "Visual Diffs for Explainable Triage" advisory to improve user experience in understanding policy decisions and reachability changes through visual diffs.
- Implemented "Weighted Confidence for VEX Sources" advisory to rank conflicting vulnerability evidence based on freshness and confidence, facilitating better decision-making.
- Established a signer module charter detailing the mission, expectations, key components, and signing modes for cryptographic signing services in StellaOps.
- Consolidated overlapping concepts from triage UI, visual diffs, and risk budget visualization advisories into a unified specification for better clarity and implementation tracking.
2025-12-26 13:01:43 +02:00


Planning Keyless Signing for Verdicts

Status: PLANNED — Implementation sprints created
Date: 2025-12-25
Updated: 2025-12-26
Related: Extends 25-Dec-2025 - Building a Deterministic Verdict Engine.md


Implementation Sprints

This advisory has been decomposed into the following implementation sprints:

| Sprint | Module | Topic | Priority |
| --- | --- | --- | --- |
| SPRINT_20251226_001_SIGNER_fulcio_keyless_client.md | Signer | Fulcio keyless signing client | P0 |
| SPRINT_20251226_002_ATTESTOR_bundle_rotation.md | Attestor | Monthly bundle rotation | P1 |
| SPRINT_20251226_003_ATTESTOR_offline_verification.md | Attestor | Offline/air-gap verification | P2 |
| SPRINT_20251226_004_BE_cicd_signing_templates.md | Backend | CI/CD integration templates | P2 |

Total Tasks: 98 across 4 sprints


Documentation Created


Advisory Content

Here's a practical, low-friction way to modernize how you sign and verify build "verdicts" in CI/CD using Sigstore—no long-lived keys, offline-friendly, and easy to audit.


1) Use keyless signing in CI

  • In your pipeline, obtain an OIDC token (from your CI runner) and let Fulcio issue a short-lived X.509 code-signing cert (~10 minutes). You sign with the ephemeral key; cert + signature are logged to Rekor. (Sigstore Blog)

Why: no key escrow in CI, nothing persistent to steal, and every signature is time-bound + transparency-logged.


2) Keep one hardware-backed org key only for special cases

  • Reserve a physical HSM/YubiKey (or KMS) key for: a) re-signing monthly bundles (see §4), and b) offline/air-gapped verification workflows where a trust anchor is needed. Cosign supports disconnected/offline verification patterns and mirroring the proof data. (Sigstore)

3) Make “verdicts” first-class OCI attestations

  • Emit DSSE/attestations (SBOM deltas, reachability graphs, policy results) as OCI-attached artifacts and sign them with keyless in CI. (Cosign is designed to sign/verify arbitrary OCI artifacts alongside images.) (Artifact Hub)

4) Publish a rotation & refresh policy

  • Every month, collect older attestations and re-sign into a long-lived “bundle” (plus timestamps) using the org key. This keeps proofs verifiable over years—even if the 10-minute certs expire—because the bundle contains the cert chain, Rekor inclusion proof, and timestamps suitable for offline verification. (Trustification)

Suggested SLOs

  • CI keyless cert TTL: 10 minutes (Fulcio default). (Sigstore)
  • Bundle cadence: monthly (or per release); retain N=24 months.

5) Offline / air-gapped verification

  • Mirror the image + attestation + Rekor proof (or bundle) into the disconnected registry. Verify with cosign verify using the mirrored materials—no internet needed. (Multiple guides show fully disconnected OpenShift/air-gapped flows.) (Red Hat Developer)

6) Address common concerns (“myths”)

  • “Short-lived certs will break verification later.” → They don't: you verify against the Rekor proof/bundle, not live cert validity. (Trustification)
  • “Keyless means less security.” → The opposite: no static secrets in CI; certs expire in ~10 minutes; identity bound via OIDC and logged. (Chainguard)

Minimal rollout checklist

  • Enable OIDC on your CI runners; test cosign sign --identity-token ...
  • Enforce identity/issuer in policy: --certificate-identity + --certificate-oidc-issuer at verify time. (Sigstore)
  • Set up a monthly job to build Sigstore bundles from past attestations and resign with the org key. (Trustification)
  • For offline sites: mirror images + attestations + bundles; verify with cosign verify entirely offline. (Red Hat Developer)
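The checklist above as runnable shell, added here as an example (not the advisory's or StellaOps' own code): a keyless sign step, a verdict attestation, and a verify gate that always pins identity and issuer and can run offline from a mirrored bundle. It assumes a GitHub Actions identity, a CI_OIDC_TOKEN variable, a COSIGN override used for testing, and a cosign 2.x whose verify accepts --offline and --bundle.

```shell
#!/bin/sh
# Added example, not code from the advisory: a keyless sign step and a
# fail-closed verify gate for CI. COSIGN is a hypothetical override so the
# gate can be exercised with a stub instead of a real cosign binary.
COSIGN="${COSIGN:-cosign}"

# Assumed CI identity values (GitHub Actions shown); pin your own workflow.
# Without both pins, any certificate Fulcio ever issued would satisfy verify.
EXPECTED_IDENTITY="${EXPECTED_IDENTITY:-https://github.com/example-org/stellaops/.github/workflows/release.yml@refs/heads/main}"
EXPECTED_ISSUER="${EXPECTED_ISSUER:-https://token.actions.githubusercontent.com}"

# keyless_sign IMAGE_REF
# Exchanges the runner's OIDC token for a ~10 minute Fulcio cert, signs with
# the ephemeral key and records cert + signature in Rekor. Nothing persistent
# is stored on the runner. Requires CI_OIDC_TOKEN (assumed variable name).
keyless_sign() {
  [ -n "$CI_OIDC_TOKEN" ] || { echo "keyless_sign: no OIDC token" >&2; return 2; }
  "$COSIGN" sign --yes --identity-token "$CI_OIDC_TOKEN" "$1"
}

# attest_verdict IMAGE_REF PREDICATE_FILE
# Attaches a verdict (SBOM delta, reachability, policy result) as a DSSE
# attestation on the OCI artifact, signed keyless like the image itself.
attest_verdict() {
  [ -r "$2" ] || { echo "attest_verdict: predicate $2 unreadable" >&2; return 2; }
  "$COSIGN" attest --yes --identity-token "$CI_OIDC_TOKEN" \
    --type custom --predicate "$2" "$1"
}

# verify_gate IMAGE_REF [BUNDLE]
# Identity and issuer are always pinned, so a valid signature from another
# workflow or issuer is rejected. With BUNDLE (mirrored cert chain + Rekor
# inclusion proof) the check runs fully offline: no Fulcio, no Rekor and no
# live cert validity check, which is why the expired 10-minute cert is fine.
verify_gate() {
  image="$1"; bundle="$2"
  if [ -n "$bundle" ]; then
    [ -r "$bundle" ] || { echo "verify_gate: bundle $bundle unreadable" >&2; return 2; }
    "$COSIGN" verify --offline --bundle "$bundle" \
      --certificate-identity "$EXPECTED_IDENTITY" \
      --certificate-oidc-issuer "$EXPECTED_ISSUER" "$image"
  else
    "$COSIGN" verify \
      --certificate-identity "$EXPECTED_IDENTITY" \
      --certificate-oidc-issuer "$EXPECTED_ISSUER" "$image"
  fi
}
```

Wire `verify_gate` in as the admission step of the deploy job so a missing or wrong-identity signature fails the pipeline; the offline form is what the air-gapped site runs against its mirrored registry.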

Want me to draft the exact cosign commands and a GitLab/GitHub Actions snippet for your StellaOps pipelines (keyless sign, verify gates, monthly bundling, and an offline verification playbook)?