stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 14 Releases Wiki Activity
Files
8768c27f30d4849b4f983ee6121d710c5eba9992
git.stella-ops.org/etc/secrets/README.md
StellaOps Bot 8768c27f30
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Signals DSSE Sign & Evidence Locker / sign-signals-artifacts (push) Has been cancelled
Details
Signals DSSE Sign & Evidence Locker / verify-signatures (push) Has been cancelled
Details
Add signal contracts for reachability, exploitability, trust, and unknown symbols 
- Introduced `ReachabilityState`, `RuntimeHit`, `ExploitabilitySignal`, `ReachabilitySignal`, `SignalEnvelope`, `SignalType`, `TrustSignal`, and `UnknownSymbolSignal` records to define various signal types and their properties.
- Implemented JSON serialization attributes for proper data interchange.
- Created project files for the new signal contracts library and corresponding test projects.
- Added deterministic test fixtures for micro-interaction testing.
- Included cryptographic keys for secure operations with cosign.
2025-12-05 00:27:00 +02:00

47 lines
1.7 KiB
Markdown
Raw Blame History

# Secrets Directory
This directory contains sample/development secrets for local development and testing. **DO NOT** use these secrets in production environments.
## Available Keys
### DSSE Development Signing Key
**File:** `dsse-dev.signing.json`
A development-only HMAC-SHA256 signing key for DSSE (Dead Simple Signing Envelope) signatures. Used to sign offline kit manifests and schema catalogs during development.
**Key Details:**
- **Key ID:** `notify-dev-hmac-001`
- **Algorithm:** HMAC-SHA256
- **Secret:** Base64 of `development-signing-key-for-testing-only`
**Usage:**
```bash
# Sign a DSSE file with the development key
python scripts/notifications/sign-dsse.py <file.dsse.json>
# Or specify the key explicitly
python scripts/notifications/sign-dsse.py <file.dsse.json> --key etc/secrets/dsse-dev.signing.json
```
### CI/Production Signing
For CI and production environments, use:
- **COSIGN_KEY_REF** - Reference to cosign key for image/artifact signing
- **HSM-backed keys** - For production DSSE signing via Security team
CI workflows should never use the development key. The `secrets.COSIGN_KEY_REF` is injected via CI secrets management.
## Security Notes
1. **Never commit production secrets** - This directory is for development samples only
2. **Rotate keys regularly** - Development keys should be rotated when team members leave
3. **Use HSM for production** - Production signing must use HSM-backed keys
4. **Audit key usage** - All signing operations should be logged with keyId and timestamp
## Related Files
- `scripts/notifications/sign-dsse.py` - DSSE signing utility
- `src/ExportCenter/.../HmacDevPortalOfflineManifestSigner.cs` - Reference .NET implementation
- `docs/notifications/gaps-nr1-nr10.md` - NR9 offline kit with DSSE requirements
Reference in New Issue View Git Blame Copy Permalink