2.0 KiB
2.0 KiB
DSSE/TUF profile for Mirror thin bundles (v1 draft)
Applies to mirror-thin-v1.* artefacts in out/mirror/thin/.
Keys
- Signing algorithm: ed25519
- Key IDs:
mirror-ed25519-test-1 - Storage: keep private key only in sealed CI secret; public key published alongside metadata at
out/mirror/thin/tuf/keys/mirror-ed25519-test-1.pub.
DSSE envelope
- Payload type:
application/vnd.stellaops.mirror.manifest+json - Payload:
mirror-thin-v1.manifest.json - Signature: ed25519 over base64url(payload)
- Envelope path:
out/mirror/thin/mirror-thin-v1.manifest.dsse.json
TUF metadata layout
out/mirror/thin/tuf/
root.json
snapshot.json
targets.json
timestamp.json
keys/mirror-ed25519-test-1.pub
Targets mapping
mirror-thin-v1.tar.gz→ targets entry with sha256210dc49e8d3e25509298770a94da277aa2c9d4c387d3c24505a61fe1d7695a49mirror-thin-v1.manifest.json→ sha2560ae51fa87648dae0a54fab950181a3600a8363182d89ad46d70f3a56b997b504
Determinism rules
- Sort keys in JSON; indent=2; trailing newline.
expiresset to2026-01-01T00:00:00Zfor draft; update during release.- Versions: root=1, targets=1, snapshot=1, timestamp=1 for this draft.
- Signatures should be stable; for test draft, placeholders are used until CI signing is wired.
Status & TODO to productionize
- Draft signatures now generated with repo test key (
mirror-ed25519-test-1) viascripts/mirror/sign_thin_bundle.py; replace with CI-held key before release. - CI hook: set
MIRROR_SIGN_KEY_B64(base64-encoded Ed25519 PEM) and runscripts/mirror/ci-sign.shto build+sign+verify in one step. - Rotate keys via TUF root role once CI secrets land.
- Add DSSE signer to assembler pipeline so
make-thin-v1.shemits envelope + TUF metadata automatically in CI.
CI integration sketch (disabled until key is provided)
- name: Mirror thin bundle (signed)
run: |
export MIRROR_SIGN_KEY_B64="${{ secrets.MIRROR_SIGN_KEY_B64 }}"
export OCI=1
scripts/mirror/ci-sign.sh
if: ${{ secrets.MIRROR_SIGN_KEY_B64 != '' }}