stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
8abbf9574d81c62b8cf7688bba367a777d8b3aa0
git.stella-ops.org/scripts/mirror
History
StellaOps Bot 6bee1fdcf5
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
work
2025-11-25 08:01:23 +02:00
..
check_signing_prereqs.sh
blocked 4
2025-11-23 17:53:41 +02:00
ci-sign.sh
work
2025-11-25 08:01:23 +02:00
README.md
blockers 2
2025-11-23 14:54:17 +02:00
sign_thin_bundle.py
blockers 2
2025-11-23 14:54:17 +02:00
verify_oci_layout.py
blockers 2
2025-11-23 14:54:17 +02:00
verify_thin_bundle.py
blockers 2
2025-11-23 14:54:17 +02:00

README.md

Mirror signing helpers

  • make-thin-v1.sh: builds thin bundle v1, computes checksums, optional DSSE+TUF signing when SIGN_KEY is set, and runs verifier.
  • sign_thin_bundle.py: signs manifest (DSSE) and root/targets/snapshot/timestamp JSON using an Ed25519 PEM key.
  • verify_thin_bundle.py: checks SHA256 sidecars, manifest schema, tar determinism, and manifest/index digests.
  • ci-sign.sh: CI wrapper. Set MIRROR_SIGN_KEY_B64 (base64-encoded Ed25519 PEM) and run; it builds, signs, and verifies in one step.
  • verify_oci_layout.py: validates OCI layout/index/manifest and blob digests when OCI=1 is used.

Artifacts live under out/mirror/thin/.