Secrets Directory
This directory contains sample/development secrets for local development and testing. DO NOT use these secrets in production environments.
Available Keys
DSSE Development Signing Key
File: dsse-dev.signing.json
A development-only HMAC-SHA256 signing key for DSSE (Dead Simple Signing Envelope) signatures. Used to sign offline kit manifests and schema catalogs during development.
Key Details:
- Key ID:
notify-dev-hmac-001 - Algorithm: HMAC-SHA256
- Secret: Base64 of
development-signing-key-for-testing-only
Usage:
# Sign a DSSE file with the development key
python scripts/notifications/sign-dsse.py <file.dsse.json>
# Or specify the key explicitly
python scripts/notifications/sign-dsse.py <file.dsse.json> --key etc/secrets/dsse-dev.signing.json
CI/Production Signing
For CI and production environments, use:
- COSIGN_KEY_REF - Reference to cosign key for image/artifact signing
- HSM-backed keys - For production DSSE signing via Security team
CI workflows should never use the development key. The secrets.COSIGN_KEY_REF is injected via CI secrets management.
Security Notes
- Never commit production secrets - This directory is for development samples only
- Rotate keys regularly - Development keys should be rotated when team members leave
- Use HSM for production - Production signing must use HSM-backed keys
- Audit key usage - All signing operations should be logged with keyId and timestamp
Related Files
scripts/notifications/sign-dsse.py- DSSE signing utilitysrc/ExportCenter/.../HmacDevPortalOfflineManifestSigner.cs- Reference .NET implementationdocs/notifications/gaps-nr1-nr10.md- NR9 offline kit with DSSE requirements