git.stella-ops.org/etc/secrets/README.md
StellaOps Bot 8768c27f30
Add signal contracts for reachability, exploitability, trust, and unknown symbols
- Introduced `ReachabilityState`, `RuntimeHit`, `ExploitabilitySignal`, `ReachabilitySignal`, `SignalEnvelope`, `SignalType`, `TrustSignal`, and `UnknownSymbolSignal` records to define various signal types and their properties.
- Implemented JSON serialization attributes for proper data interchange.
- Created project files for the new signal contracts library and corresponding test projects.
- Added deterministic test fixtures for micro-interaction testing.
- Included cryptographic keys for secure operations with cosign.
2025-12-05 00:27:00 +02:00

Secrets Directory

This directory contains sample/development secrets for local development and testing. DO NOT use these secrets in production environments.

Available Keys

DSSE Development Signing Key

File: dsse-dev.signing.json

A development-only HMAC-SHA256 signing key for DSSE (Dead Simple Signing Envelope) signatures. Used to sign offline kit manifests and schema catalogs during development.

Key Details:

  • Key ID: notify-dev-hmac-001
  • Algorithm: HMAC-SHA256
  • Secret: Base64 of development-signing-key-for-testing-only

Usage:

# Sign a DSSE file with the development key
python scripts/notifications/sign-dsse.py <file.dsse.json>

# Or specify the key explicitly
python scripts/notifications/sign-dsse.py <file.dsse.json> --key etc/secrets/dsse-dev.signing.json

CI/Production Signing

For CI and production environments, use:

  • COSIGN_KEY_REF - Reference to cosign key for image/artifact signing
  • HSM-backed keys - For production DSSE signing via the Security team

CI workflows should never use the development key. The secrets.COSIGN_KEY_REF value is injected via CI secrets management.

Security Notes

  1. Never commit production secrets - This directory is for development samples only
  2. Rotate keys regularly - Development keys should be rotated when team members leave
  3. Use HSM for production - Production signing must use HSM-backed keys
  4. Audit key usage - All signing operations should be logged with keyId and timestamp

  • scripts/notifications/sign-dsse.py - DSSE signing utility
  • src/ExportCenter/.../HmacDevPortalOfflineManifestSigner.cs - Reference .NET implementation
  • docs/notifications/gaps-nr1-nr10.md - NR9 offline kit with DSSE requirements
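
The following is an added example, not the project's sign-dsse.py or its .NET signer. It sketches DSSE HMAC-SHA256 signing and verification with the two guards this README asks for: refusing the development key in CI, and logging keyId and timestamp for each signing operation. Assumptions: the HMAC key is the decoded secret string listed above, CI is detected through a `CI` environment variable, and the payload type and manifest are constructed samples.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timezone

# Values stated in this README; treating the decoded string as the raw HMAC key is an assumption.
DEV_KEY_ID = "notify-dev-hmac-001"
DEV_SECRET = b"development-signing-key-for-testing-only"

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: the bytes that actually get signed."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def running_in_ci(env) -> bool:
    # Assumption: the runner exports CI=true, as most CI systems do.
    return env.get("CI", "").lower() in ("1", "true")

def sign(payload, payload_type, key_id, secret, env=os.environ, audit=None):
    """Return a DSSE envelope; refuse the development key under CI."""
    if key_id == DEV_KEY_ID and running_in_ci(env):
        raise PermissionError(f"{key_id} is a development key and must not sign in CI")
    sig = hmac.new(secret, pae(payload_type, payload), hashlib.sha256).digest()
    if audit is not None:  # audit record: keyId and timestamp, never the secret
        audit.append({"keyId": key_id, "payloadType": payload_type,
                      "timestamp": datetime.now(timezone.utc).isoformat()})
    return {"payloadType": payload_type,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": key_id, "sig": base64.b64encode(sig).decode()}]}

def verify(envelope, keys) -> bool:
    """True if any signature from a known keyid validates over PAE(type, payload)."""
    msg = pae(envelope["payloadType"], base64.b64decode(envelope["payload"]))
    for s in envelope["signatures"]:
        secret = keys.get(s["keyid"])
        if secret is None:
            continue
        expected = hmac.new(secret, msg, hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(s["sig"])):
            return True
    return False

if __name__ == "__main__":
    log = []
    manifest = b'{"kit":"offline","version":1}'  # constructed sample payload
    env = sign(manifest, "application/vnd.example.manifest+json",
               DEV_KEY_ID, DEV_SECRET, env={}, audit=log)
    print(verify(env, {DEV_KEY_ID: DEV_SECRET}), log[0]["keyId"])
```

HMAC is symmetric: any party holding the key to verify can also produce valid signatures.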