49922dff5a
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Risk Bundle CI / risk-bundle-build (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Risk Bundle CI / risk-bundle-offline-kit (push) Has been cancelled
Risk Bundle CI / publish-checksums (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
devportal-offline / build-offline (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
26 lines
2.3 KiB
Markdown
26 lines
2.3 KiB
Markdown
# Mirror DSSE Revision — MIRROR-DSSE-REV-1501
|
|
|
|
Date: 2025-11-24
|
|
Owners: Mirror Creator Guild · Security Guild · Evidence Locker Guild
|
|
Scope: Finalize DSSE layout and signing inputs for mirror bundles and time-anchor receipts used by Excititor/ExportCenter/CLI.
|
|
|
|
## Decisions
|
|
- **Envelope & payload**: Use DSSE with payload type `application/vnd.stellaops.mirror+json;version=1`. Payload contains deterministic manifest of mirror files (`mirror.json`) plus `SHA256SUMS` and `SHA256SUMS.dsse` references.
|
|
- **Canonical ordering**: Manifest entries sorted lexicographically by `path`; hashes are lower-case hex; timestamps in ISO-8601 UTC; no optional fields when empty.
|
|
- **Signing keys**: Ed25519 signing using key ref `mirror-root-ed25519-01`; key distribution via offline bundle `keys/mirror-root.pub`. Rekor transparency optional; when present, include `rekorUUID` and `rekorUrl` fields.
|
|
- **Headers**: DSSE header carries `issuer`, `keyid`, `created` (UTC), and `purpose=mirror-bundle`. Detached header file stored at `mirror/metadata/mirror.dsse.json` to allow verification without payload extraction.
|
|
- **Verification rules**: Accept signatures that validate against configured keyring and match manifest hash; reject if payload hash mismatch or header `purpose` not `mirror-bundle`.
|
|
|
|
## Artefacts
|
|
- Sample manifest + DSSE: `out/mirror/thin/mirror-thin-m0-sample.tar.gz` (existing) with new DSSE header example at `docs/samples/mirror/m0-sample/mirror.dsse.json` (hash: TBD by pipeline).
|
|
- Key reference: `docs/samples/mirror/mirror-root-ed25519-01.pub` (fingerprint documented in manifest header).
|
|
|
|
## Actions
|
|
- Mirror Creator Guild to regenerate milestone bundle with DSSE header once export center schema aligns; publish hashes to `SHA256SUMS.dsse`.
|
|
- Evidence Locker Guild to accept DSSE headers as proof input for portable bundles; update attestation contract to reference `purpose=mirror-bundle`.
|
|
- Security Guild to register `mirror-root-ed25519-01` in key registry and rotate quarterly; add Rekor inclusion proof when online.
|
|
|
|
## Risks/Notes
|
|
- Rekor optional path remains; offline installs skip transparency but must store DSSE header. If Rekor UUID missing, CLI should warn but continue with local verification.
|
|
- Pending alignment with Export Center manifest v1.1; track deltas in future update if schema changes.
|