stella-forensic-verify (preview)
Minimal .NET 10 global tool for offline verification of provenance payloads signed with an HMAC key. No network access; deterministic JSON output.
Usage
stella-forensic-verify \
  --payload payload.bin \
  --signature-hex DEADBEEF... \
  --key-hex 001122... \
  [--key-id hmac] \
  [--content-type application/octet-stream] \
  [--signed-at 2025-11-21T12:00:00Z] \
  [--not-after 2025-12-31T23:59:59Z] \
  [--max-skew-minutes 5]

- --payload: path to the payload file, or '-' to read it from stdin
- --signature-hex: hex-encoded HMAC
- --key-hex: hex-encoded HMAC key
- --key-id: optional key id (echoed in the output)
- --content-type, --signed-at, --not-after, --max-skew-minutes: optional
Output (single line, deterministic field order):
{"valid":true,"reason":"verified","verifiedAt":"2025-11-22T12:00:00.0000000Z","keyId":"hmac","contentType":"application/octet-stream"}
Exit codes
- 0: signature valid
- 2: signature/time invalid
- 1: bad arguments or hex parse failure
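The following is an added example, not the tool's own code: an independent Python cross-check that mirrors the README's inputs (payload bytes, hex signature, hex key, optional signed-at / not-after / skew) and its output contract (single-line JSON with the field order shown above, exit code 0 / 2 / 1). The README does not state the hash function or the exact time-window rules, so HMAC-SHA256, the skew semantics and every reason string other than "verified" are assumptions here; the sample key, payload and clock are constructed.

```python
"""Offline cross-check of an HMAC-signed provenance payload.

Added example; NOT the stella-forensic-verify implementation. Assumptions:
HMAC-SHA256 (the README only says "HMAC"), signed-at may be at most
max-skew-minutes in the future, not-after is extended by the same skew,
and reason strings other than "verified" are invented for illustration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed sample inputs (not from the project).
SAMPLE_KEY_HEX = "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
SAMPLE_PAYLOAD = b'{"subject":"sha256:deadbeef","builder":"ci-runner-01"}'


def _parse_ts(value: str) -> datetime:
    # Accept ISO-8601 with a trailing 'Z' and return an aware UTC datetime.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


SAMPLE_NOW = _parse_ts("2025-11-22T12:00:00Z")  # fixed clock for reproducible runs


def sign(payload: bytes, key_hex: str) -> str:
    """Produce the hex HMAC-SHA256 a signer would attach (used to build test inputs)."""
    return hmac.new(bytes.fromhex(key_hex), payload, hashlib.sha256).hexdigest()


def verify(payload: bytes, signature_hex: str, key_hex: str, *, key_id="hmac",
           content_type="application/octet-stream", signed_at=None, not_after=None,
           max_skew_minutes=5, now=None):
    """Return (exit_code, result). 0 = valid, 2 = signature/time invalid, 1 = bad input."""
    try:
        sig = bytes.fromhex(signature_hex)
        key = bytes.fromhex(key_hex)
        skew = timedelta(minutes=int(max_skew_minutes))
        signed_dt = _parse_ts(signed_at) if signed_at else None
        not_after_dt = _parse_ts(not_after) if not_after else None
    except ValueError:
        return 1, {"valid": False, "reason": "bad-argument"}
    if not key:
        return 1, {"valid": False, "reason": "empty-key"}

    now = now or datetime.now(timezone.utc)
    expected = hmac.new(key, payload, hashlib.sha256).digest()

    # Constant-time comparison; never reveal which byte differed.
    if not hmac.compare_digest(expected, sig):
        reason = "signature-mismatch"
    elif signed_dt is not None and signed_dt > now + skew:
        reason = "signed-in-future"
    elif not_after_dt is not None and now > not_after_dt + skew:
        reason = "expired"
    else:
        reason = "verified"

    result = {
        "valid": reason == "verified",
        "reason": reason,
        # .NET "o" style: seven fractional digits, Z suffix.
        "verifiedAt": now.strftime("%Y-%m-%dT%H:%M:%S.%f") + "0Z",
        "keyId": key_id,
        "contentType": content_type,
    }
    return (0 if result["valid"] else 2), result


def to_json(result: dict) -> str:
    # Deterministic: insertion order preserved, no whitespace.
    return json.dumps(result, separators=(",", ":"))


if __name__ == "__main__":
    code, res = verify(SAMPLE_PAYLOAD, sign(SAMPLE_PAYLOAD, SAMPLE_KEY_HEX),
                       SAMPLE_KEY_HEX, now=SAMPLE_NOW)
    print(to_json(res))
    raise SystemExit(code)
```

Running the block prints one JSON line in the same field order as the README's sample output and exits with the matching code; feed it a tampered payload or an out-of-window timestamp to see the exit code change to 2 while the signature check itself stays constant-time.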
Offline kit packaging (manual)
- Build the package: dotnet pack src/Provenance/StellaOps.Provenance.Attestation.Tool/StellaOps.Provenance.Attestation.Tool.csproj -c Release -o out/tools
- Copy the produced nupkg into the offline kit under tools/.
- Install on the air-gapped host: dotnet tool install --global --add-source tools stella-forensic-verify --version <pkg-version>
- Document the expected SHA256 of the nupkg alongside the kit manifest.