git.stella-ops.org/docs/modules/evidence-locker/attestation-contract.md
master 79b8e53441
Add new features and tests for AirGap and Time modules
- Introduced `SbomService` tasks documentation.
- Updated `StellaOps.sln` to include new projects: `StellaOps.AirGap.Time` and `StellaOps.AirGap.Importer`.
- Added unit tests for `BundleImportPlanner`, `DsseVerifier`, `ImportValidator`, and other components in the `StellaOps.AirGap.Importer.Tests` namespace.
- Implemented `InMemoryBundleRepositories` for testing bundle catalog and item repositories.
- Created `MerkleRootCalculator`, `RootRotationPolicy`, and `TufMetadataValidator` tests.
- Developed `StalenessCalculator` and `TimeAnchorLoader` tests in the `StellaOps.AirGap.Time.Tests` namespace.
- Added `fetch-sbomservice-deps.sh` script for offline dependency fetching.
2025-11-20 23:29:54 +02:00

Evidence Locker Attestation Contract (v1 · frozen 2025-11-20)

Scope: Evidence Bundle v1 produced by Evidence Locker and consumed by Concelier, Excititor, Export Center, CLI, and Policy Engine.

Predicates & subjects

  • Subject: OCI manifest digest (sha256:<digest>) of the bundle, plus optional replay pack digest.
  • Predicates (DSSE/In-Toto)
    • stellaops.evidence.bundle.v1: declares bundle layout (manifests, CAS paths, replay log offsets).
    • stellaops.evidence.transparency.v1: optional Rekor log inclusion proof (UUID, log index, root hash at inclusion).
    • stellaops.evidence.integrity.v1: hashes for each payload (SBOMs, VEX, policy packs, telemetry snapshots), keyed by logical path.

Required claim set

  • bundle_id (UUID v4)
  • produced_at (UTC ISO-8601)
  • producer (evidence-locker:<region>)
  • subject_digest (OCI digest string)
  • hashes (map: logical path → sha256)
  • sbom (array of SPDX/CycloneDX digests and mediaTypes)
  • vex (array of VEX doc digests and schema versions)
  • replay_manifest (optional; digest + sequence number)
  • transparency (optional; Rekor UUID, logIndex, rootHash)
  • signing_profile (sovereign-default | fips | gost | pq-experimental)

Bundling & signing rules

  • DSSE envelope using the module's configured crypto provider; keys must be short-lived (<24h) and recorded in the provider registry.
  • Hash list and subject digest MUST match the on-disk CAS objects; deterministic sort by logical path.
  • Rekor entry is optional; when absent, set transparency=null and add transparency_reason="offline" to provenance note.

Verification plan

  • Verify DSSE signature against provider registry (per profile) and check key expiry.
  • Recompute sha256 for every CAS object; fail if any mismatch.
  • If transparency present, verify inclusion proof against bundled Rekor root; fail closed on mismatch.
  • Emit verification report JSON and store beside bundle as verify.json (deterministic key order).
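The following Go program is an added example, not part of this contract or of the StellaOps code base, that walks through the bundling and signing rules and the verification plan above for the stellaops.evidence.integrity.v1 predicate: it builds the hash list from CAS objects, serialises the claim set with deterministic key order (transparency=null plus transparency_reason="offline" for the offline case), signs the DSSE pre-authentication encoding, and then verifies the signature against a registry entry, checks key expiry, recomputes sha256 for every listed object and renders the report with sorted keys as verify.json would be. Ed25519 from the Go standard library stands in for the module's configured crypto provider and the RegistryKey map for the provider registry; the in-memory CAS object, key id, bundle id and digests are constructed; the struct, function and report field names are assumptions; the producer claim is left out and the Rekor inclusion-proof step is not implemented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

const integrityPredicate = "stellaops.evidence.integrity.v1" // predicate type named by the contract

type Claims struct { // contract's required claim set minus producer; the Go struct and JSON tags are assumptions
	BundleID           string            `json:"bundle_id"`
	ProducedAt         string            `json:"produced_at"`
	SubjectDigest      string            `json:"subject_digest"`
	Hashes             map[string]string `json:"hashes"`       // logical path -> sha256 hex; encoding/json sorts map keys
	Transparency       *json.RawMessage  `json:"transparency"` // nil serialises as null when there is no Rekor entry
	TransparencyReason string            `json:"transparency_reason,omitempty"`
	SigningProfile     string            `json:"signing_profile"`
}

type Envelope struct { // DSSE envelope; each signature object carries "keyid" and "sig"
	PayloadType string              `json:"payloadType"`
	Payload     string              `json:"payload"`
	Signatures  []map[string]string `json:"signatures"`
}

type RegistryKey struct { // stand-in for a provider-registry record: public key plus the short-lived key's expiry
	Pub     ed25519.PublicKey
	Expires time.Time
}

// pae is the DSSE pre-authentication encoding: "DSSEv1" SP len(type) SP type SP len(body) SP body.
func pae(payloadType string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(body), body))
}

func hashCAS(cas map[string][]byte) map[string]string { // hash list: logical path -> sha256 hex of the CAS object
	out := make(map[string]string, len(cas))
	for path, blob := range cas {
		out[path] = fmt.Sprintf("%x", sha256.Sum256(blob))
	}
	return out
}

// sign serialises the claims deterministically and signs the PAE; ed25519 stands in for the configured provider.
func sign(claims Claims, keyID string, priv ed25519.PrivateKey) (Envelope, error) {
	body, err := json.Marshal(claims)
	if err != nil {
		return Envelope{}, err
	}
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pae(integrityPredicate, body)))
	return Envelope{integrityPredicate, base64.StdEncoding.EncodeToString(body), []map[string]string{{"keyid": keyID, "sig": sig}}}, nil
}

// verify follows the verification plan: registry signature check, key expiry, sha256 recomputed per listed CAS object.
func verify(env Envelope, registry map[string]RegistryKey, cas map[string][]byte, now time.Time) (map[string]any, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || env.PayloadType != integrityPredicate {
		return nil, fmt.Errorf("rejected envelope: payloadType %q, %v", env.PayloadType, err)
	}
	var claims Claims
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, err
	}
	sigOK, expired := false, false
	for _, s := range env.Signatures { // accept the first signature by a registered key that verifies over the PAE
		key, known := registry[s["keyid"]]
		raw, err := base64.StdEncoding.DecodeString(s["sig"])
		if known && err == nil && ed25519.Verify(key.Pub, pae(env.PayloadType, body), raw) {
			sigOK, expired = true, !now.Before(key.Expires)
			break
		}
	}
	actual, mismatches := hashCAS(cas), []string{}
	for path, want := range claims.Hashes {
		if got, present := actual[path]; !present || got != want { // absent or altered object
			mismatches = append(mismatches, path)
		}
	}
	sort.Strings(mismatches) // map iteration order is random; sort so the report is reproducible
	return map[string]any{"bundle_id": claims.BundleID, "signature_ok": sigOK, "key_expired": expired,
		"hash_mismatches": mismatches, "verified": sigOK && !expired && len(mismatches) == 0}, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cas := map[string][]byte{"sbom/app.cdx.json": []byte(`{"bomFormat":"CycloneDX"}`)} // constructed CAS object
	claims := Claims{BundleID: "3f0c2a54-5b0e-4c7e-9b1a-2d6f8e9a1c42", ProducedAt: "2025-11-20T21:29:54Z",
		SubjectDigest: "sha256:<constructed>", Hashes: hashCAS(cas), TransparencyReason: "offline", SigningProfile: "sovereign-default"}
	env, _ := sign(claims, "locker-eu-key-001", priv)
	rep, _ := verify(env, map[string]RegistryKey{"locker-eu-key-001": {pub, time.Now().Add(12 * time.Hour)}}, cas, time.Now())
	out, _ := json.MarshalIndent(rep, "", "  ") // sorted map keys give the deterministic key order verify.json requires
	fmt.Println(string(out))
}
```

Two details are deliberate: an object listed in the hash list but absent from the CAS is reported as a mismatch rather than hashed as empty input, and a signature by a key that is missing from the registry is ignored instead of being trusted, so both cases fail closed as the plan requires.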

Fixtures

  • Sample bundle + report: docs/samples/evidence-locker/bundle-v1-sample.tar.gz (sha256 TBD at publish time).
  • Sample attestation envelope: docs/samples/evidence-locker/attestation-v1-sample.json.

Ownership

  • Primary: Evidence Locker Guild.
  • Reviewers: Concelier Core Guild, Excititor Guild, Export Center Guild, Policy Guild.

This contract is authoritative for Sprint 110 and blocks CONCELIER-ATTEST-73-001/002 and EXCITITOR-ATTEST-01-003/73-001/73-002.