stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
8e1cb9448d752df07141efe450cf4b9b67fe55d1
git.stella-ops.org/docs/modules/evidence-locker/portable-audit-pack-rekor-offline.md
master cf5b72974f save checkpoint
2026-02-11 01:32:14 +02:00

1.4 KiB
Raw Blame History

Portable Audit Pack Rekor Offline Verification Profile

Status: Draft frozen for implementation handoff (2026-02-10).

Required Rekor material in pack

At least one of:

  • rekor/tile.tar
  • rekor/tiles.bundle

And manifest references:

  • rekor.log_id
  • rekor.api_version (2)
  • rekor.tile_refs[]
  • rekor.root_hash

Offline verification flow

  1. Validate manifest signature and manifest file inventory/digests.
  2. Load bundled tile material referenced by rekor.tile_refs[].
  3. Reconstruct inclusion proof path for covered digests.
  4. Validate Merkle root equals rekor.root_hash.
  5. Validate checkpoint key material from verifiers.rekor_pub when present.
  6. Fail closed on any missing tile/proof/checkpoint dependency.

Stable failure codes

  • ERR_REKOR_TILE_MISSING
  • ERR_REKOR_TILE_DIGEST_MISMATCH
  • ERR_REKOR_PROOF_INVALID
  • ERR_REKOR_CHECKPOINT_INVALID
  • ERR_REKOR_ROOT_MISMATCH
  • ERR_REKOR_REFERENCE_UNCOVERED

Tamper test requirements

  • Corrupt one tile byte -> ERR_REKOR_TILE_DIGEST_MISMATCH.
  • Modify inclusion path node -> ERR_REKOR_PROOF_INVALID.
  • Alter checkpoint signature -> ERR_REKOR_CHECKPOINT_INVALID.
  • Alter rekor.root_hash in manifest -> ERR_REKOR_ROOT_MISMATCH.

Compatibility notes

  • Existing Rekor receipt contracts remain valid for legacy bundle profiles.
  • Portable profile requires deterministic file references under rekor/ in the manifest.