stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
9ca2de05dff9c7db11eb49df6d4e47bbfe7a99f6
git.stella-ops.org/docs/features/checked/airgap/deterministic-rekor-receipts-with-offline-verification.md
master 5bca406787 save checkpoint: save features
2026-02-12 10:27:23 +02:00

2.6 KiB
Raw Blame History

Deterministic Rekor Receipts with Offline Verification

Module

AirGap

Status

VERIFIED

Description

Offline Rekor receipt verifier validates checkpoint signatures (ECDSA/Ed25519), Merkle inclusion proofs per RFC 6962, and root hash consistency without live transparency log access. Includes TileProxy for local tile-based transparency log proxy, and mirror snapshot resolution for air-gapped deployments.

Implementation Details

  • Rekor proof builder: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/EnhancedRekorProofBuilder.Build.cs, EnhancedRekorProofBuilder.Validate.cs, EnhancedRekorProofBuilder.cs
  • Rekor inclusion proof: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/RekorInclusionProof.cs
  • Rekor verification step: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/RekorInclusionVerificationStep.cs
  • Replay verification: src/AirGap/StellaOps.AirGap.Controller/Services/ReplayVerificationService.cs
  • Importer replay: src/AirGap/StellaOps.AirGap.Importer/Contracts/ReplayVerificationRequest.cs, ReplayDepth.cs
  • Merkle proofs: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Merkle/DeterministicMerkleTreeBuilder.Proof.cs, MerkleProof.cs
  • Source: Feature matrix scan

E2E Test Plan

  • Verify Rekor receipt offline verification validates checkpoint signatures (ECDSA/Ed25519)
  • Test Merkle inclusion proof verification per RFC 6962
  • Test root hash consistency verification without live transparency log
  • Verify replay verification service works in air-gapped mode

Verification

  • Verified on 2026-02-11 with run-002.
  • Tier 0 source/declaration checks passed for Rekor proof builder surfaces, inclusion proof/verification classes, replay verification contracts, and deterministic Merkle proof primitives.
  • Tier 1 build/tests passed across proof-chain, controller, importer, and Attestor/AirGap test suites (76/76 offline verifier, 80/80 attestor types, 27/27 controller, 154/154 importer).
  • Tier 2 behavioral checks passed for offline receipt verification, offline verifier Rekor-proof path handling, and replay verification behavior in both controller and importer paths.
  • Evidence:
    • docs/qa/feature-checks/runs/airgap/deterministic-rekor-receipts-with-offline-verification/run-002/tier0-source-check.json
    • docs/qa/feature-checks/runs/airgap/deterministic-rekor-receipts-with-offline-verification/run-002/tier1-build-check.json
    • docs/qa/feature-checks/runs/airgap/deterministic-rekor-receipts-with-offline-verification/run-002/tier2-integration-check.json