git.stella-ops.org/docs/modules/signals/evidence/README.md
StellaOps Bot 8768c27f30
Add signal contracts for reachability, exploitability, trust, and unknown symbols
- Introduced `ReachabilityState`, `RuntimeHit`, `ExploitabilitySignal`, `ReachabilitySignal`, `SignalEnvelope`, `SignalType`, `TrustSignal`, and `UnknownSymbolSignal` records to define various signal types and their properties.
- Implemented JSON serialization attributes for proper data interchange.
- Created project files for the new signal contracts library and corresponding test projects.
- Added deterministic test fixtures for micro-interaction testing.
- Included cryptographic keys for secure operations with cosign.
2025-12-05 00:27:00 +02:00


# Signals DSSE Evidence Staging (runtime/signals gaps)

Artifacts prepared 2025-12-01 (UTC) for DSSE signing and Evidence Locker ingest:

| Artifact | Path | Predicate |
| --- | --- | --- |
| Decay config | `docs/modules/signals/decay/confidence_decay_config.yaml` | `stella.ops/confidenceDecayConfig@v1` |
| Unknowns manifest | `docs/modules/signals/unknowns/unknowns_scoring_manifest.json` | `stella.ops/unknownsScoringManifest@v1` |
| Heuristics catalog | `docs/modules/signals/heuristics/heuristics.catalog.json` | `stella.ops/heuristicCatalog@v1` |
| Checksums | `docs/modules/signals/SHA256SUMS` | |

## CI Automated Signing

The `.gitea/workflows/signals-dsse-sign.yml` workflow automates DSSE signing.

### Prerequisites (CI Secrets)

| Secret | Description |
| --- | --- |
| `COSIGN_PRIVATE_KEY_B64` | Base64-encoded cosign private key (required for production) |
| `COSIGN_PASSWORD` | Password for the encrypted key (if applicable) |
| `CI_EVIDENCE_LOCKER_TOKEN` | Token for Evidence Locker push (optional) |

### Trigger

- Automatic: push to `main` affecting `docs/modules/signals/**` or `tools/cosign/sign-signals.sh`
- Manual: workflow dispatch with `allow_dev_key=1` for testing

### Output

Signed artifacts are uploaded as the workflow artifact `signals-dsse-signed-{run}` and optionally pushed to the Evidence Locker.

## Development Signing (Local Testing)

A development key pair is available for smoke tests:

```bash
# Sign with dev key
COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
  OUT_DIR=docs/modules/signals/dev-test \
  tools/cosign/sign-signals.sh

# Verify signature
cosign verify-blob \
  --key tools/cosign/cosign.dev.pub \
  --bundle docs/modules/signals/dev-test/confidence_decay_config.sigstore.json \
  docs/modules/signals/decay/confidence_decay_config.yaml
```

Note: Dev key signatures are NOT suitable for Evidence Locker or production use. The dev key and its password are public (the password is printed above), so anyone can produce a signature that verifies under `tools/cosign/cosign.dev.pub`; never add that key to a verifier's trust set. Signing runs with `--tlog-upload=false` (see Notes), so verification is key-only; if cosign v2 rejects the bundle for lacking a transparency-log entry, pass `--insecure-ignore-tlog=true` to `verify-blob`.

## Production Signing (Manual)

For production signing without CI:

```bash
# Option 1: Place key file (keep tools/cosign/cosign.key out of version control)
cp /path/to/production.key tools/cosign/cosign.key
OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh

# Option 2: Use base64 env var (-w0 is GNU coreutils; on macOS use `base64 | tr -d '\n'`)
export COSIGN_PRIVATE_KEY_B64=$(base64 -w0 < production.key)
export COSIGN_PASSWORD=your-password
OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh
```

Both options place key material on the signing host: unset `COSIGN_PRIVATE_KEY_B64` and `COSIGN_PASSWORD` (and delete any copied key file) once the run completes, and prefer `read -rs COSIGN_PASSWORD` to typing the password on the command line so it does not land in shell history.

## Evidence Locker Paths

Post-signing, artifacts go to:

- `evidence-locker/signals/2025-12-01/confidence_decay_config.sigstore.json`
- `evidence-locker/signals/2025-12-01/unknowns_scoring_manifest.sigstore.json`
- `evidence-locker/signals/2025-12-01/heuristics_catalog.sigstore.json`
- `evidence-locker/signals/2025-12-01/SHA256SUMS`

## Post-Signing Checklist

1. Verify signatures against the public key
2. Update sprint tracker (SPRINT_0140) Delivery Tracker rows 57
3. Add signer ID to Execution Log
4. Copy to offline kit bundle for air-gap parity

## Notes

- All timestamps use UTC ISO-8601 format.
- Signing runs with `--tlog-upload=false` for offline compatibility, so bundles carry no Rekor entry and verification is against the public key only.
- See `tools/cosign/README.md` for detailed key management and CI setup.
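The script below is an added example, not code from the StellaOps repository or its `sign-signals.sh` tooling. It carries out checklist step 1 for the staged artifact set: it derives each bundle name from the artifact path, runs `cosign verify-blob` against the public key, and checks `SHA256SUMS`. Assumptions not taken from the page: bundles are named `<stem>.sigstore.json` with dots in the stem replaced by underscores (matching `heuristics.catalog.json` becoming `heuristics_catalog.sigstore.json` in the Evidence Locker paths), `SHA256SUMS` lists paths relative to `docs/modules/signals`, the production public key sits at `tools/cosign/cosign.pub` (a placeholder), and `RUN_VERIFY` and `COSIGN_PUB` are this script's own variables. Because signing disables tlog upload, `--insecure-ignore-tlog=true` is passed; it skips only the Rekor lookup, the key signature is still verified.

```shell
#!/bin/sh
# Added example (not StellaOps project code): verify the staged signal artifacts
# after signing. Assumptions (not taken from the repo): bundles are named
# <stem>.sigstore.json with dots in the stem replaced by underscores, SHA256SUMS
# lists paths relative to docs/modules/signals, the public key is at
# tools/cosign/cosign.pub (placeholder), and RUN_VERIFY/COSIGN_PUB are this
# script's own variables.
set -eu

# Derive the bundle file name from an artifact path, following the README's
# Evidence Locker paths: heuristics.catalog.json -> heuristics_catalog.sigstore.json
bundle_name_for() {
  base=$(basename "$1")
  stem=${base%.*}
  printf '%s.sigstore.json\n' "$(printf '%s' "$stem" | tr . _)"
}

# Emit one SHA256SUMS-format line ("<hex>  <name>") for a file; GNU coreutils
# first, the Perl shasum fallback elsewhere (macOS).
sha256_line() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Check every entry of a SHA256SUMS file, resolving listed names against base_dir.
# Non-zero if the file is absent, any entry is missing, or any digest differs.
verify_checksums() {
  sums=$1; base_dir=$2
  [ -f "$sums" ] || return 1
  sums=$(cd "$(dirname "$sums")" && pwd)/$(basename "$sums")
  if command -v sha256sum >/dev/null 2>&1; then
    (cd "$base_dir" && sha256sum -c "$sums" >/dev/null 2>&1)
  else
    (cd "$base_dir" && shasum -a 256 -c "$sums" >/dev/null 2>&1)
  fi
}

# Verify one artifact against its bundle and the public key. Signing ran with
# --tlog-upload=false, so there is no Rekor entry to check; the flag below only
# skips that check, the signature itself is still verified against the key.
verify_bundle() {
  cosign verify-blob --key "$3" --bundle "$2" --insecure-ignore-tlog=true "$1"
}

# Run checklist step 1 over the three signed artifacts plus the checksum file.
verify_all() {
  out_dir=$1; pubkey=$2; rc=0
  for artifact in \
    docs/modules/signals/decay/confidence_decay_config.yaml \
    docs/modules/signals/unknowns/unknowns_scoring_manifest.json \
    docs/modules/signals/heuristics/heuristics.catalog.json
  do
    bundle="$out_dir/$(bundle_name_for "$artifact")"
    if [ ! -f "$bundle" ]; then
      echo "MISSING $bundle" >&2; rc=1
    elif verify_bundle "$artifact" "$bundle" "$pubkey" >/dev/null 2>&1; then
      echo "OK      $artifact"
    else
      echo "FAIL    $artifact ($bundle)" >&2; rc=1
    fi
  done
  if verify_checksums "$out_dir/SHA256SUMS" docs/modules/signals; then
    echo "OK      SHA256SUMS"
  else
    echo "FAIL    SHA256SUMS" >&2; rc=1
  fi
  return $rc
}

# Usage: RUN_VERIFY=1 OUT_DIR=evidence-locker/signals/2025-12-01 sh verify-signals.sh
if [ "${RUN_VERIFY:-0}" = 1 ]; then
  verify_all "${OUT_DIR:-evidence-locker/signals/2025-12-01}" "${COSIGN_PUB:-tools/cosign/cosign.pub}"
fi
```

Run it from the repository root after a signing run; a non-zero exit means at least one bundle failed to verify or `SHA256SUMS` no longer matches the artifacts, and the run should not be copied to the Evidence Locker or the offline kit until the cause is found.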