stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
ac22ee3ce20dd18ddb231ba4e06d75c5003914ef
git.stella-ops.org/docs/features/checked/attestor/offline-verification-system.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

3.4 KiB
Raw Blame History

Offline Verification System (Rekor Mirror, Local Log, Sigstore Bundle)

Module

Attestor

Status

VERIFIED

Description

Offline Rekor receipt verification using local Merkle proof verification without network dependency. TileProxy provides local tile-based transparency log proxy with content-addressed storage. Sigstore bundle offline verifier with integration tests for air-gapped scenarios.

Implementation Details

  • Offline Verifier: src/Attestor/__Libraries/StellaOps.Attestor.Offline/Services/OfflineVerifier.cs -- verifies attestations offline using locally cached roots, Merkle proofs, and trust anchors. Implements Abstractions/IOfflineVerifier.cs.
  • Offline Root Store: Services/FileSystemRootStore.cs -- stores trusted roots and checkpoint data on the local filesystem. Implements Abstractions/IOfflineRootStore.cs.
  • Rule Bundle Signature Verifier: Services/RuleBundleSignatureVerifier.cs -- verifies signed policy rule bundles offline. Implements Abstractions/IRuleBundleSignatureVerifier.cs.
  • Offline Verification Result: Models/OfflineVerificationResult.cs -- result model with pass/fail status and detailed check results.
  • TileProxy Service: src/Attestor/StellaOps.Attestor.TileProxy/Services/TileProxyService.cs -- proxies and caches transparency log tiles for offline verification.
  • Content-Addressed Tile Store: StellaOps.Attestor.TileProxy/Services/ContentAddressedTileStore.cs -- stores tiles by content hash for deduplication.
  • Tile Sync Job: StellaOps.Attestor.TileProxy/Jobs/TileSyncJob.cs -- background job that syncs tiles from remote Rekor while online.
  • Tile Endpoints: StellaOps.Attestor.TileProxy/Endpoints/TileEndpoints.cs -- HTTP endpoints for serving cached tiles.
  • Rekor Offline Receipt Verifier: StellaOps.Attestor.Core/Verification/RekorOfflineReceiptVerifier.cs -- verifies Rekor receipts using locally cached data.
  • Merkle Proof Verifier: StellaOps.Attestor.Core/Verification/MerkleProofVerifier.cs -- verifies Merkle inclusion proofs locally.
  • Sigstore Bundle Verifier: __Libraries/StellaOps.Attestor.Bundle/SigstoreBundleVerifier.cs -- verifies Sigstore bundles offline.
  • Tests: __Tests/StellaOps.Attestor.Offline.Tests/, __Tests/StellaOps.Attestor.TileProxy.Tests/

E2E Test Plan

  • Verify an attestation offline via OfflineVerifier using cached roots from FileSystemRootStore and confirm verification passes
  • Simulate air-gap: disable network, verify an attestation using locally cached tiles via TileProxyService, and confirm success
  • Sync tiles via TileSyncJob while online, then verify those tiles are accessible offline via TileEndpoints
  • Verify a Rekor receipt offline via RekorOfflineReceiptVerifier using cached checkpoint and Merkle proof
  • Verify a Sigstore bundle offline via SigstoreBundleVerifier and confirm certificate chain and signature are valid
  • Verify RuleBundleSignatureVerifier rejects a tampered policy rule bundle offline
  • Verify ContentAddressedTileStore deduplicates tiles: store the same tile twice and verify only one copy exists
  • Test OfflineVerificationResult captures detailed check results for each verification step (root validity, Merkle proof, signature)

Verification

Check Result
Tier 0 - Source Verification PASS
Tier 1 - Build + Code Review PASS
Tier 2 - Behavioral Verification PASS
Verified Date 2026-02-13
Run ID run-001