git.stella-ops.org/scripts/mirror/README.md
StellaOps Bot bc0762e97d up
2025-12-09 00:20:52 +02:00


Mirror signing helpers

  • make-thin-v1.sh: builds the thin bundle v1, computes checksums, emits bundle meta (offline/rekor/mirror gaps), signs with DSSE+TUF when SIGN_KEY is set, and runs the verifier.
  • sign_thin_bundle.py: signs manifest (DSSE), bundle meta (DSSE), and root/targets/snapshot/timestamp JSON using an Ed25519 PEM key.
  • verify_thin_bundle.py: checks SHA256 sidecars, manifest schema, tar determinism and required layers, and, when supplied, the bundle meta and DSSE signatures; accepts --bundle-meta, --pubkey, --tenant, --environment.
  • ci-sign.sh: CI wrapper. Set MIRROR_SIGN_KEY_B64 (base64-encoded Ed25519 PEM) and run; it builds, signs, and verifies in one step, emitting milestone.json with manifest/tar/bundle hashes.
  • verify_oci_layout.py: validates OCI layout/index/manifest and blob digests when OCI=1 is used.
  • mirror-create.sh: convenience wrapper to build + verify thin bundles (optional SIGN_KEY, time anchor, OCI flag).
  • mirror-verify.sh: wrapper around verify_thin_bundle.py for quick hash/DSSE checks.
  • schedule-export-center-run.sh: schedules an Export Center run for mirror bundles via HTTP POST; set EXPORT_CENTER_BASE_URL, EXPORT_CENTER_TENANT, EXPORT_CENTER_TOKEN (Bearer), optional EXPORT_CENTER_PROJECT; logs to AUDIT_LOG_PATH (default logs/export-center-schedule.log). Set EXPORT_CENTER_ARTIFACTS_JSON to inject bundle metadata into the request payload.
  • export-center-wire.sh: builds export-center-handoff.json from out/mirror/thin/milestone.json, emits recommended Export Center targets, and (when EXPORT_CENTER_AUTO_SCHEDULE=1) calls schedule-export-center-run.sh to push the run. Outputs live under out/mirror/thin/export-center/.
    • CI: .gitea/workflows/mirror-sign.yml runs this script after signing; scheduling remains opt-in via secrets EXPORT_CENTER_BASE_URL, EXPORT_CENTER_TOKEN, EXPORT_CENTER_TENANT, EXPORT_CENTER_PROJECT, EXPORT_CENTER_AUTO_SCHEDULE.

Artifacts live under out/mirror/thin/.
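The signing and verification steps above (Ed25519 over a DSSE envelope, plus the SHA256 sidecar check) rely on one detail worth seeing in code: DSSE signs the Pre-Authentication Encoding of the payload, not the raw bytes, so the payload type is bound into the signature. The following is an added example written for this README; it is not sign_thin_bundle.py or verify_thin_bundle.py and is in Go only because Ed25519 and SHA-256 are in Go's standard library, so it runs with no dependencies. The payload type string, the key-ID derivation (first 8 bytes of SHA-256 of the public key), the sha256sum-style sidecar line format and the manifest contents are assumptions for illustration, and the key is generated in-process rather than read from SIGN_KEY / MIRROR_SIGN_KEY_B64.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// PayloadType is hypothetical; the README does not show the string the real scripts use.
const PayloadType = "application/vnd.stellaops.mirror.manifest+json"

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// Envelope is the DSSE JSON envelope: payloadType, base64 payload, signatures.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// PAE is the DSSE v1 Pre-Authentication Encoding:
//   "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body
// Signing PAE rather than the raw body binds the payload type to the signature,
// so a signed manifest cannot be replayed as, say, signed bundle meta.
func PAE(payloadType string, body []byte) []byte {
	hdr := "DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(body)) + " "
	return append([]byte(hdr), body...)
}

// KeyID derives a short identifier from the public key (assumed scheme).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Sign wraps body in a DSSE envelope signed with an Ed25519 private key.
func Sign(priv ed25519.PrivateKey, payloadType string, body []byte) Envelope {
	sig := ed25519.Sign(priv, PAE(payloadType, body))
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{
			KeyID: KeyID(priv.Public().(ed25519.PublicKey)),
			Sig:   base64.StdEncoding.EncodeToString(sig),
		}},
	}
}

// Verify returns the decoded body if any signature verifies under pub. PAE is
// recomputed from the envelope's own payloadType, so a swapped type fails.
func Verify(pub ed25519.PublicKey, env Envelope) ([]byte, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	msg := PAE(env.PayloadType, body)
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil || len(sig) != ed25519.SignatureSize {
			continue
		}
		if ed25519.Verify(pub, msg, sig) {
			return body, nil
		}
	}
	return nil, errors.New("dsse: no signature verified under the supplied key")
}

// VerifySidecar checks content against a sha256sum-style sidecar line
// ("<hex digest>  <filename>", assumed format) using a constant-time compare.
func VerifySidecar(content []byte, sidecar string) error {
	fields := strings.Fields(sidecar)
	if len(fields) < 1 {
		return errors.New("sidecar: empty")
	}
	want, err := hex.DecodeString(fields[0])
	if err != nil || len(want) != sha256.Size {
		return errors.New("sidecar: malformed digest")
	}
	got := sha256.Sum256(content)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return errors.New("sidecar: digest mismatch")
	}
	return nil
}

func main() {
	// Constructed manifest and a throwaway key; real runs read the PEM from SIGN_KEY.
	manifest := []byte(`{"bundle":"thin-v1","layers":["layer-a","layer-b"]}`)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	env := Sign(priv, PayloadType, manifest)
	raw, _ := json.Marshal(env)
	fmt.Println(string(raw))
	if _, err := Verify(pub, env); err != nil {
		panic(err)
	}
	// Same bytes under a different payload type: PAE differs, verification must fail.
	forged := env
	forged.PayloadType = "application/vnd.stellaops.mirror.bundle-meta+json"
	_, err := Verify(pub, forged)
	fmt.Println("type swap rejected:", err != nil)
	sum := sha256.Sum256(manifest)
	fmt.Println("sidecar ok:", VerifySidecar(manifest, hex.EncodeToString(sum[:])+"  manifest.json") == nil)
}
```

When wiring a --pubkey check of your own, verify against the envelope's payloadType exactly as above and never against a type the verifier assumes; that is what keeps one signed artifact from standing in for another.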