git.stella-ops.org/docs/modules/attestor/airgap.md
StellaOps Bot 9f6e6f7fb3, commit "up", 2025-11-25 22:09:44 +02:00

Attestor Air-Gap Guide (DOCS-ATTEST-75-001)

Last updated: 2025-11-25

Goal

Run attestation verification entirely offline while keeping determinism and tenant safety intact.

Inputs & prerequisites

  • Trust bundle: DSSE signing keys + certificate chains packaged under out/offline/attestor/trust-bundle/ (hash manifest included).
  • Transparency checkpoints (optional): Rekor or equivalent checkpoints mirrored to out/offline/attestor/transparency/.
  • Authority scopes: attest:verify and tenant scoping (X-Stella-Tenant) are still required even in sealed mode.
  • No external calls: Outbound network must be disabled; attestor uses only the provided bundles.

Configuration (sealed mode)

Set the following environment flags on WebService/Worker:

  • Attestor__Offline__Enabled=true
  • Attestor__TrustBundlePath=/app/offline/trust-bundle
  • Attestor__Transparency__CheckpointPath=/app/offline/transparency (optional)
  • Attestor__Verification__DisableHttpFetch=true

Mount the bundle directories read-only; keep hashes alongside the payloads for audit.

Verification flow (offline)

  1. Client submits a DSSE envelope to /api/v1/attestations/verify with tenant header.
  2. Service loads keys from the offline trust bundle; issuer lookup is strictly local.
  3. If transparency data is present, the server verifies inclusion against the mirrored checkpoint; otherwise it records transparency=skipped in the rationale.
  4. Result is returned with deterministic fields: subject, statementDigest, verified=true|false, transparency=passed|skipped|failed, rationale[].
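The four steps above as an added Python illustration; this is not Attestor's own code. It checks the bundle's hash manifest before trusting any key (the "keep hashes alongside the payloads" rule), computes the DSSE pre-authentication encoding, resolves the keyid only against the local bundle, and returns the deterministic result fields from step 4 with transparency=skipped because no mirrored checkpoint is configured. The bundle layout (keys.json plus manifest.sha256), the HMAC-SHA256 stand-in for the real asymmetric signature check, and the tenant field in the result are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import tempfile

PAYLOAD_TYPE = "application/vnd.in-toto+json"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes the signature covers."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def check_bundle_manifest(bundle_dir: str) -> None:
    """Audit step: every file listed in manifest.sha256 (assumed layout) must
    still hash to the recorded lowercase-hex digest before any key is trusted."""
    with open(os.path.join(bundle_dir, "manifest.sha256")) as fh:
        for line in fh:
            digest, rel = line.split()
            with open(os.path.join(bundle_dir, rel), "rb") as f:
                if hashlib.sha256(f.read()).hexdigest() != digest.lower():
                    raise ValueError(f"trust bundle integrity failure: {rel}")


def load_trust_bundle(bundle_dir: str) -> dict:
    check_bundle_manifest(bundle_dir)
    with open(os.path.join(bundle_dir, "keys.json")) as fh:
        return json.load(fh)  # keyid -> {"issuer", "secret"} (assumed format)


def verify_offline(envelope: dict, bundle_dir: str, tenant: str) -> dict:
    """Steps 2-4: local-only issuer lookup, signature check, deterministic result."""
    keys = load_trust_bundle(bundle_dir)
    payload = base64.b64decode(envelope["payload"])
    signed = pae(envelope["payloadType"], payload)
    verified, rationale = False, []
    for sig in envelope["signatures"]:
        entry = keys.get(sig["keyid"])
        if entry is None:  # never falls back to a network issuer lookup
            rationale.append(f"keyid {sig['keyid']} not in local trust bundle")
            continue
        # HMAC-SHA256 stands in for the asymmetric DSSE signature check.
        expected = hmac.new(base64.b64decode(entry["secret"]), signed, hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(sig["sig"])):
            verified = True
            rationale.append(f"signature by {entry['issuer']} verified from offline bundle")
        else:
            rationale.append(f"signature by keyid {sig['keyid']} does not verify")
    # No mirrored checkpoint in this example, so step 3 records skipped.
    rationale.append("transparency=skipped: no mirrored checkpoint configured")
    statement = json.loads(payload)
    return {
        "tenant": tenant,
        "subject": sorted(s["name"] for s in statement["subject"]),
        "statementDigest": hashlib.sha256(payload).hexdigest(),  # lowercase hex
        "verified": verified,
        "transparency": "skipped",
        "rationale": rationale,
    }


def build_demo_bundle(tmp: str) -> dict:
    """Constructed sample data: a one-key bundle plus one envelope signed with it."""
    secret = b"demo-signing-secret-not-a-real-key"
    keys = {"key-1": {"issuer": "build-ci", "secret": base64.b64encode(secret).decode()}}
    with open(os.path.join(tmp, "keys.json"), "w") as fh:
        json.dump(keys, fh)
    with open(os.path.join(tmp, "keys.json"), "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    with open(os.path.join(tmp, "manifest.sha256"), "w") as fh:
        fh.write(f"{digest} keys.json\n")
    statement = {"_type": "https://in-toto.io/Statement/v1",
                 "subject": [{"name": "pkg:oci/demo-app", "digest": {"sha256": "00" * 32}}],
                 "predicateType": "https://example.invalid/demo-predicate",
                 "predicate": {}}
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(secret, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "key-1", "sig": base64.b64encode(sig).decode()}]}


def demo() -> tuple:
    """Returns (good result, unknown-key result, tamper detected?)."""
    with tempfile.TemporaryDirectory() as tmp:
        env = build_demo_bundle(tmp)
        good = verify_offline(env, tmp, "tenant-a")
        env["signatures"][0]["keyid"] = "key-unknown"
        unknown = verify_offline(env, tmp, "tenant-a")
        with open(os.path.join(tmp, "keys.json"), "a") as fh:
            fh.write(" ")  # payload changed without refreshing the manifest
        try:
            verify_offline(env, tmp, "tenant-a")
            tampered = False
        except ValueError:
            tampered = True
    return good, unknown, tampered


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

The unknown-key case shows the property that matters in sealed mode: an unrecognised keyid produces a rationale entry and verified=false rather than any attempt to fetch the issuer, and a bundle file that no longer matches its manifest is rejected before any key is used.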

Determinism safeguards

  • All hashes are lowercase hex; timestamps are UTC ISO-8601.
  • Sorting: multiple statements are ordered by subject then statementDigest.
  • No network retries or clock drift compensation; rely on bundle timestamps.
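The three safeguards applied to a result document, as an added example that is not Attestor's own code: digests are normalised to lowercase hex, timestamps are re-expressed in UTC, and statements are ordered by subject then statementDigest, so two workers that received the same statements in a different order and with different digest and timestamp spellings emit byte-identical output. The wrapper field verifiedAt, the compact JSON form and the sample statements are assumptions constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

HEX = set("0123456789abcdef")


def canonical_hex(value: str) -> str:
    """Lowercase hex with an optional 'sha256:' prefix removed; anything else is rejected."""
    v = value.strip().lower()
    if v.startswith("sha256:"):
        v = v[len("sha256:"):]
    if len(v) != 64 or set(v) - HEX:
        raise ValueError(f"not a sha256 hex digest: {value!r}")
    return v


def canonical_utc(ts: str) -> str:
    """Any ISO-8601 timestamp that carries an offset, re-expressed as UTC with a Z suffix."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without offset is ambiguous: {ts!r}")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def canonical_result(statements, verified_at: str) -> str:
    """Sort by (subject, statementDigest), then serialise with sorted keys and no whitespace."""
    ordered = sorted(
        (
            {
                "subject": s["subject"],
                "statementDigest": canonical_hex(s["statementDigest"]),
                "verified": bool(s["verified"]),
                "transparency": s["transparency"],
                "rationale": list(s["rationale"]),
            }
            for s in statements
        ),
        key=lambda s: (s["subject"], s["statementDigest"]),
    )
    doc = {"verifiedAt": canonical_utc(verified_at), "statements": ordered}
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))


def result_digest(statements, verified_at: str) -> str:
    return hashlib.sha256(canonical_result(statements, verified_at).encode()).hexdigest()


# Constructed samples: the same facts, different arrival order and spellings.
D1, D2 = "ab" * 32, "cd" * 32
RUN_A = [
    {"subject": "pkg:oci/app-b", "statementDigest": D2, "verified": True,
     "transparency": "skipped", "rationale": ["transparency=skipped"]},
    {"subject": "pkg:oci/app-a", "statementDigest": D1.upper(), "verified": True,
     "transparency": "skipped", "rationale": ["transparency=skipped"]},
]
RUN_B = [
    {"subject": "pkg:oci/app-a", "statementDigest": "sha256:" + D1, "verified": True,
     "transparency": "skipped", "rationale": ["transparency=skipped"]},
    {"subject": "pkg:oci/app-b", "statementDigest": D2, "verified": True,
     "transparency": "skipped", "rationale": ["transparency=skipped"]},
]


def runs_agree() -> bool:
    """Same instant in two zones, two digest spellings, two orders: one digest."""
    return result_digest(RUN_A, "2025-11-25T22:09:44+02:00") == \
        result_digest(RUN_B, "2025-11-25T20:09:44Z")


if __name__ == "__main__":
    print(canonical_result(RUN_A, "2025-11-25T22:09:44+02:00"))
    print("runs agree:", runs_agree())
```

Rejecting a timestamp that has no offset, rather than assuming local time, is the point of the "no clock drift compensation" rule: a worker's own clock never enters the result.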

Operations checklist

  • Refresh trust bundle hashes before each deploy; compare against signed manifest.
  • Rotate keys by replacing the bundle atomically; restart workers to pick up changes.
  • Record verification results in the delivery ledger for replay/audit.

Related documents

  • docs/modules/attestor/overview.md
  • docs/modules/attestor/keys-and-issuers.md
  • docs/modules/attestor/transparency.md