stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
a3b2f30a11672d42fc1f9d45125aa78035055016
git.stella-ops.org/docs/modules/airgap/guides/portable-evidence.md
master 4789027317 docs consolidation and others
2026-01-06 19:07:48 +02:00

1.1 KiB
Raw Blame History

Portable Evidence Bundles (DOCS-AIRGAP-58-004)

Guidance for exporting/importing portable evidence bundles across enclaves.

Bundle contents

  • Evidence payloads (VEX observations/linksets) as NDJSON.
  • Timeline events and attestation DSSE envelopes.
  • Manifest with bundleId, source, tenant, createdAt, files[], dsseEnvelopeHash (optional).

Export

  • Produce from Evidence Locker/Excititor with deterministic ordering and SHA-256 hashes.
  • Include Merkle root over evidence files; store in manifest.
  • Sign manifest (DSSE) when trust roots available.

Import

  • Verify manifest hash, Merkle root, and DSSE signature offline.
  • Enforce tenant scoping; refuse cross-tenant bundles.
  • Emit timeline event upon successful import.

Constraints

  • No external lookups; verification uses bundled roots.
  • Max size per bundle configurable; default 500MB.
  • Keep file paths UTF-8 and slash-separated; avoid host-specific metadata.

Determinism

  • Sort files lexicographically; use ISO-8601 UTC timestamps.
  • Avoid re-compressing files; if tar is used, set deterministic headers (uid/gid=0, mtime=0).