# Signature Required Policy Gate (SignatureRequiredGate)

## Module

Policy

## Status

IMPLEMENTED

## Description

Policy gate requiring valid cryptographic signatures on release artifacts before promotion, with configurable signing key allowlists, certificate chain validation, and Rekor inclusion proof requirements.

## Implementation Details

- **PolicyGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
  - Evidence Completeness gate (first in pipeline) verifies signature presence
  - Signature requirements configurable per environment
  - Gate result types: Pass (valid signature), Block (missing/invalid signature)
- **VexTrustGate**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs`
  - `RequireIssuerVerified` per-environment: production=true, staging=true, development=false
  - Issuer signature verification as part of VEX trust evaluation
- **VexTrustGateOptions**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateOptions.cs`
  - Per-environment signing requirements (`RequireIssuerVerified` flag)
  - `FailureAction`: Warn or Block when signature verification fails
- **EvidenceRequirementValidator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/EvidenceRequirementValidator.cs`
  - DSSE signature verification for evidence attestations
  - Validates that signed evidence meets trust requirements
- **VerdictAttestationService**: `src/Policy/StellaOps.Policy.Engine/Attestation/VerdictAttestationService.cs`
  - DSSE-signed verdict attestations with certificate chain
- **KnowledgeSnapshotManifest**: `src/Policy/__Libraries/StellaOps.Policy/Snapshots/KnowledgeSnapshotManifest.cs`
  - `TrustBundleRef` (BundleId, Digest, Uri) for the trust anchor set
  - `Signature` field on the manifest for optional DSSE signing
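The gate logic the list above describes (signature accepted only from an allowlisted keyid and only if it verifies over the DSSE pre-authentication encoding; otherwise the environment's `RequireIssuerVerified` and `FailureAction` decide), as an added Go illustration that is not StellaOps code. The struct and function names, the `Warn`/`Block` strings and the use of Ed25519 keys are assumptions for the example; certificate chain and Rekor checks are out of scope here.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
)

// DSSE envelope: base64 payload, its type, and signatures tagged with a keyid.
type Signature struct{ KeyID, Sig string }
type Envelope struct{ PayloadType, Payload string; Signatures []Signature }
// GateOptions mirrors the per-environment settings described above (assumed field names).
type GateOptions struct {
	RequireIssuerVerified bool
	FailureAction         string // "Warn" or "Block"
}
// PAE is the DSSE pre-authentication encoding; signing it binds payload type and payload together.
func PAE(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}
// Sign builds an envelope carrying one Ed25519 signature (illustration helper, not a signing service).
func Sign(priv ed25519.PrivateKey, keyID, payloadType string, payload []byte) Envelope {
	sig := ed25519.Sign(priv, PAE(payloadType, payload))
	return Envelope{payloadType, base64.StdEncoding.EncodeToString(payload), []Signature{{keyID, base64.StdEncoding.EncodeToString(sig)}}}
}

// Evaluate returns Pass, Warn or Block plus a reason: only allowlisted keyids that verify over the PAE count; otherwise environment policy decides.
func Evaluate(env Envelope, allowed map[string]ed25519.PublicKey, opts GateOptions) (string, string) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return "Block", "payload is not valid base64"
	}
	pae := PAE(env.PayloadType, payload)
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if pub, ok := allowed[s.KeyID]; ok && err == nil && ed25519.Verify(pub, pae, sig) {
			return "Pass", "valid signature from allowed key " + s.KeyID
		}
	}
	reason := "missing signature"
	if len(env.Signatures) > 0 {
		reason = "no valid signature from an allowed key"
	}
	if !opts.RequireIssuerVerified { // e.g. development: unsigned evidence is accepted
		return "Pass", reason + " (not required in this environment)"
	}
	if opts.FailureAction == "Warn" {
		return "Warn", reason
	}
	return "Block", reason
}
```

A signature whose keyid is not in the allowlist is ignored even if it is cryptographically valid, and a rogue key that claims an allowlisted keyid still fails verification because the allowlist supplies the public key, not the envelope.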

## E2E Test Plan

- [ ] Evaluate artifact with valid signature from allowed key; verify gate passes
- [ ] Evaluate artifact without signature; verify gate blocks with "missing signature" message
- [ ] Evaluate artifact with signature from key not in allowlist; verify gate blocks
- [ ] Configure environment requiring issuer verification; provide unverified issuer; verify gate blocks
- [ ] Configure environment not requiring issuer verification (development); provide unsigned VEX; verify gate passes
- [ ] Evaluate artifact with expired certificate; verify gate blocks with certificate validation error
- [ ] Verify DSSE envelope structure on verdict attestation includes valid signature
- [ ] Verify `TrustBundleRef` in `KnowledgeSnapshotManifest` references correct trust anchor set
- [ ] Verify `EvidenceRequirementValidator` validates DSSE signature on evidence attestation