e923880694
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil. - Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt. feat: Implement ILockRepository interface and LockRepository class - Defined ILockRepository interface with methods for acquiring and releasing locks. - Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations. feat: Add SurfaceManifestPointer record for manifest pointers - Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest. feat: Create PolicySimulationInputLock and related validation logic - Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests. - Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements. test: Add unit tests for ReplayVerificationService and ReplayVerifier - Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios. - Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic. test: Implement PolicySimulationInputLockValidatorTests - Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions. chore: Add cosign key example and signing scripts - Included a placeholder cosign key example for development purposes. - Added a script for signing Signals artifacts using cosign with support for both v2 and v3. chore: Create script for uploading evidence to the evidence locker - Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.
65 lines
3.4 KiB
Markdown
65 lines
3.4 KiB
Markdown
# Zastava Evidence Locker (schemas/kit)
|
|
|
|
Signed 2025-12-02 with Ed25519 key (pub base64url: `mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc`). Private key stored offline; all signatures use DSSEv1 pre-auth encoding.
|
|
Public key copy: `docs/modules/zastava/kit/ed25519.pub`.
|
|
|
|
## Artefacts
|
|
- `schemas/observer_event.schema.json.dsse` (payloadType `application/vnd.stellaops.zastava.schema+json;name=observer_event;version=1`)
|
|
- `schemas/webhook_admission.schema.json.dsse` (payloadType `application/vnd.stellaops.zastava.schema+json;name=webhook_admission;version=1`)
|
|
- `thresholds.yaml.dsse` (payloadType `application/vnd.stellaops.zastava.thresholds+yaml;version=1`)
|
|
- `exports/observer_events.ndjson.dsse` (payloadType `application/vnd.stellaops.zastava.observer-events+ndjson;version=1`)
|
|
- `exports/webhook_admissions.ndjson.dsse` (payloadType `application/vnd.stellaops.zastava.webhook-admissions+ndjson;version=1`)
|
|
- `kit/zastava-kit.tzst.dsse` (payloadType `application/vnd.stellaops.zastava.kit+tzst;version=1`)
|
|
|
|
## Evidence Locker targets
|
|
- `evidence-locker/zastava/2025-12-02/observer_event.schema.json.dsse`
|
|
- `evidence-locker/zastava/2025-12-02/webhook_admission.schema.json.dsse`
|
|
- `evidence-locker/zastava/2025-12-02/thresholds.yaml.dsse`
|
|
- `evidence-locker/zastava/2025-12-02/observer_events.ndjson.dsse`
|
|
- `evidence-locker/zastava/2025-12-02/webhook_admissions.ndjson.dsse`
|
|
- `evidence-locker/zastava/2025-12-02/zastava-kit.tzst`
|
|
- `evidence-locker/zastava/2025-12-02/zastava-kit.tzst.dsse`
|
|
- `evidence-locker/zastava/2025-12-02/SHA256SUMS`
|
|
|
|
Local staging: all files above are present under `evidence-locker/zastava/2025-12-02/` in the repo root, ready for locker upload/mirroring.
|
|
|
|
Helper script for manual push (expects `EVIDENCE_LOCKER_URL` and `CI_EVIDENCE_LOCKER_TOKEN`):
|
|
```bash
|
|
tools/zastava-upload-evidence.sh
|
|
```
|
|
|
|
## CI delivery note
|
|
- Locker upload in CI requires a write credential (e.g., `CI_EVIDENCE_LOCKER_TOKEN`) with access to the `evidence-locker/zastava/` namespace.
|
|
- If the secret is absent, perform a manual upload from the staged folder and record the locker URI in the sprint log.
|
|
|
|
## Signing template (Python, ed25519)
|
|
```bash
|
|
python - <<'PY'
|
|
from pathlib import Path
|
|
from base64 import urlsafe_b64encode
|
|
import json
|
|
from cryptography.hazmat.primitives.asymmetric import ed25519
|
|
from cryptography.hazmat.primitives import serialization
|
|
|
|
priv = serialization.load_pem_private_key(Path('/tmp/zastava-ed25519.key').read_bytes(), password=None)
|
|
pub = priv.public_key().public_bytes(encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw)
|
|
keyid = urlsafe_b64encode(pub).decode().rstrip('=')
|
|
pt = '<payload-type>'
|
|
payload = Path('<file-to-sign>').read_bytes()
|
|
pae = b' '.join([b'DSSEv1', str(len(pt)).encode(), pt.encode(), str(len(payload)).encode(), payload])
|
|
sig = priv.sign(pae)
|
|
env = {
|
|
'payloadType': pt,
|
|
'payload': urlsafe_b64encode(payload).decode().rstrip('='),
|
|
'signatures': [{'keyid': keyid, 'sig': urlsafe_b64encode(sig).decode().rstrip('=')}],
|
|
}
|
|
Path('<file-to-sign>.dsse').write_text(json.dumps(env, indent=2, sort_keys=True) + '\n')
|
|
print('signed', '<file-to-sign>', 'with keyid', keyid)
|
|
PY
|
|
```
|
|
|
|
## Post-sign checklist
|
|
1) Run `kit/verify.sh` to validate hashes + DSSE.
|
|
2) Upload artefacts + DSSEs + SHA256SUMS to the Evidence Locker paths above.
|
|
3) Record URIs in sprint 0144 Decisions & Risks and mark ZASTAVA-SCHEMAS-0001 / ZASTAVA-THRESHOLDS-0001 / ZASTAVA-KIT-0001 as DONE.
|