git.stella-ops.org/docs/modules/airgap/mirror-dsse-plan.md
StellaOps Bot 05597616d6 feat: Add Go module and workspace test fixtures
2025-12-06 20:04:03 +02:00


# Mirror Staffing & DSSE Signing Plan
> **Status:** APPROVED
> **Version:** 1.0.0
> **Last Updated:** 2025-12-06
> **Owner:** Mirror Creator Guild
> **Unblocks:** AIRGAP-46-001, DEPLOY-AIRGAP-46-001, AIRGAP-54-001
## Executive Summary
This document defines the staffing structure and DSSE (Dead Simple Signing Envelope) signing workflow for the StellaOps Mirror system. It provides the implementation plan required to unblock air-gap bundle creation, signing, and distribution.
## 1. Staffing Structure
### 1.1 Mirror Creator Guild Ownership
| Role | Responsibility | Contact |
|------|---------------|---------|
| **Guild Lead** | Overall mirror strategy, release coordination | mirror-guild@stella-ops.org |
| **Bundle Engineer** | Create, verify, and publish air-gap bundles | DevOps rotation |
| **Signing Authority** | Manage signing keys, approve releases | Security Guild delegate |
| **QA Validator** | Verify bundle integrity before publication | QA Guild delegate |
### 1.2 Staffing Resolution (PGMI0101)
The Program Management Initiative PGMI0101 is resolved with the following assignments:
| Initiative | Assignee | Effective Date |
|------------|----------|----------------|
| Mirror bundle creation | DevOps Guild (rotation) | 2025-12-06 |
| DSSE signing authority | Security Guild | 2025-12-06 |
| CLI integration | DevEx/CLI Guild | 2025-12-06 |
| Offline Kit updates | Deployment Guild | 2025-12-06 |
## 2. DSSE Signing Workflow
### 2.1 Key Management
```
Key Hierarchy

Root CA (offline, HSM-backed)
└── Signing CA (intermediate)
    ├── mirror-signing-key (ECDSA P-256)
    │   └── Used for: bundle.dsse, catalog.dsse
    ├── attestation-signing-key (ECDSA P-256)
    │   └── Used for: SBOM attestations, VEX attestations
    └── dev-signing-key (ECDSA P-256)
        └── Used for: development/testing only
```
### 2.2 Key Locations
| Key | Environment | Location | Access |
|-----|-------------|----------|--------|
| Dev signing key | Development | `tools/cosign/cosign.dev.key` | Public (password: stellaops-dev) |
| CI signing key | CI/CD | `COSIGN_PRIVATE_KEY_B64` secret | Gitea CI only |
| Production key | Production | HSM / Vault | Security Guild only |
### 2.3 DSSE Envelope Structure
```json
{
  "payloadType": "application/vnd.stellaops.mirror-bundle+json",
  "payload": "<base64-encoded manifest>",
  "signatures": [
    {
      "keyid": "sha256:<fingerprint>",
      "sig": "<base64-encoded signature>"
    }
  ]
}
```
Two points matter for anyone writing a verifier. First, the signature is computed over the DSSE pre-authentication encoding `DSSEv1 <len> <payloadType> <len> <payload>`, not over the raw manifest bytes, so both the payload type and the payload are bound by it. Second, `keyid` is only a hint for key selection, never a source of trust: a verifier checks the signature against a key it was configured with and rejects any `payloadType` other than the one it expects.
### 2.4 Signing Process
```bash
# 1. Create bundle manifest
stella mirror create --output bundle/

# 2. Sign the manifest (dev)
stella mirror sign bundle/manifest.json \
  --key tools/cosign/cosign.dev.key \
  --output bundle/manifest.dsse

# 3. Sign the manifest (CI/prod)
stella mirror sign bundle/manifest.json \
  --key env://COSIGN_PRIVATE_KEY_B64 \
  --output bundle/manifest.dsse

# 4. Verify signature
stella mirror verify bundle/manifest.dsse \
  --key tools/cosign/cosign.pub

# 5. Package bundle
stella mirror pack bundle/ --output stellaops-airgap-2025.10.0.tar.gz
```
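The sign and verify steps above are CLI calls. The Go program below is an added example, not the `stella mirror` implementation or any other StellaOps code, of what a DSSE signer and verifier do with the envelope shape from section 2.3: build the pre-authentication encoding, sign it with an ECDSA P-256 key, emit the JSON envelope, and verify it against a trusted key while insisting on the expected `payloadType`. Assumptions made here: `keyid` is a SHA-256 over the DER-encoded public key (the page only says `sha256:<fingerprint>`), signatures are SHA-256/ECDSA in ASN.1 encoding, the key is generated in-process instead of being loaded from `cosign.dev.key`, and the manifest is a constructed sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strconv"
)

const MirrorBundleType = "application/vnd.stellaops.mirror-bundle+json"

// Envelope and Signature mirror the manifest.dsse structure in section 2.3.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// PAE is the DSSE v1 pre-authentication encoding,
// "DSSEv1 <len(type)> <type> <len(payload)> <payload>"; this is what gets signed.
func PAE(payloadType string, payload []byte) []byte {
	head := "DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(payload)) + " "
	return append([]byte(head), payload...)
}

// KeyID renders "sha256:<hex>" over the DER SubjectPublicKeyInfo. The page only
// says "sha256:<fingerprint>"; hashing the SPKI is an assumption made here.
func KeyID(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("sha256:%x", sha256.Sum256(der)), nil
}

// Sign wraps manifest bytes in an envelope signed with an ECDSA P-256 key
// (SHA-256 over the PAE, ASN.1/DER signature encoding).
func Sign(priv *ecdsa.PrivateKey, payloadType string, manifest []byte) (*Envelope, error) {
	kid, err := KeyID(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(PAE(payloadType, manifest))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(manifest),
		Signatures:  []Signature{{KeyID: kid, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}, nil
}

// Verify checks the envelope against a trusted key and the payload type the
// caller expects, returning the authenticated manifest bytes. The expected type is
// an input, so another artifact signed by the same key cannot pass as a manifest.
func Verify(pub *ecdsa.PublicKey, env *Envelope, wantType string) ([]byte, error) {
	if env.PayloadType != wantType {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(PAE(env.PayloadType, payload))
	// keyid is only a hint in DSSE; try every signature against the trusted key.
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ecdsa.VerifyASN1(pub, digest[:], sig) {
			return payload, nil
		}
	}
	return nil, fmt.Errorf("no valid signature for the trusted key")
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	manifest := []byte(`{"bundle":"stellaops-airgap-2025.10.0","images":["authority"]}`) // constructed sample
	env, err := Sign(priv, MirrorBundleType, manifest)
	if err != nil {
		panic(err)
	}
	raw, _ := json.MarshalIndent(env, "", "  ")
	fmt.Println(string(raw))
	_, err = Verify(&priv.PublicKey, env, MirrorBundleType)
	fmt.Println("verify error:", err)
}
```

Running it with `go run` prints an envelope with the same three fields as section 2.3 and a nil verify error. The design choice worth copying into any real verifier is that `wantType` is a parameter: a verifier that trusts whatever `payloadType` the envelope carries will happily accept an SBOM or VEX attestation signed by the same key as if it were a mirror manifest.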
## 3. CI/CD Pipeline
### 3.1 Gitea Workflow: Mirror Bundle Creation
```yaml
# .gitea/workflows/mirror-bundle.yml
name: Mirror Bundle
on:
  push:
    tags:
      - 'v*-airgap'
  workflow_dispatch:
jobs:
  create-bundle:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Create air-gap bundle
        run: |
          stella mirror create \
            --images deploy/releases/${{ github.ref_name }}.yaml \
            --output bundle/
      - name: Sign bundle
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        run: |
          stella mirror sign bundle/manifest.json \
            --key env://COSIGN_PRIVATE_KEY \
            --output bundle/manifest.dsse
      - name: Package bundle
        run: |
          stella mirror pack bundle/ \
            --output stellaops-airgap-${{ github.ref_name }}.tar.gz
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: airgap-bundle
          path: stellaops-airgap-*.tar.gz
```
### 3.2 Gitea Workflow: Bundle Verification
```yaml
# .gitea/workflows/mirror-verify.yml
name: Mirror Verify
on:
  workflow_run:
    workflows: ["Mirror Bundle"]
    types: [completed]
jobs:
  verify-bundle:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Download bundle
        uses: actions/download-artifact@v4
        with:
          name: airgap-bundle
      - name: Verify signature
        run: |
          tar xzf stellaops-airgap-*.tar.gz
          stella mirror verify bundle/manifest.dsse \
            --key tools/cosign/cosign.pub
      - name: Verify checksums
        run: |
          stella mirror verify-checksums bundle/
```
## 4. Air-Gap Load Script
### 4.1 Load Script (`deploy/airgap/load.sh`)
The script verifies the manifest before anything from the bundle is loaded into the registry. Note that `public-key.pem` ships inside the same tarball as the signature it verifies, so on its own it proves only that the bundle is self-consistent, not that it came from the Mirror Creator Guild. An installation should pin the mirror signing public key out of band (the CI verify job does this by reading `tools/cosign/cosign.pub` from the repository checkout rather than from the artifact) and point the script at that key.
```bash
#!/usr/bin/env bash
# StellaOps Air-Gap Bundle Loader
# Usage: ./load.sh <bundle.tar.gz> [registry:port]
set -euo pipefail

BUNDLE="${1:?Bundle path required}"
REGISTRY="${2:-localhost:5000}"

# Extract into a fresh private directory (tar -C needs it to exist, and a
# stale /tmp/airgap-bundle left by an earlier run must not be picked up).
WORK="$(mktemp -d /tmp/airgap-bundle.XXXXXX)"
trap 'rm -rf "$WORK"' EXIT

echo "==> Extracting bundle..."
tar xzf "$BUNDLE" -C "$WORK"

# Prefer a verification key pinned on the host (STELLA_MIRROR_PUBKEY is an
# assumed variable name); the public-key.pem inside the tarball travels with
# the signature it verifies and only proves the bundle is self-consistent.
PUBKEY="${STELLA_MIRROR_PUBKEY:-$WORK/public-key.pem}"

echo "==> Verifying signature..."
stella mirror verify "$WORK/manifest.dsse" --key "$PUBKEY"

echo "==> Verifying checksums..."
# SHA256SUMS lists paths relative to the bundle root (section 5.1).
(cd "$WORK" && sha256sum -c --quiet SHA256SUMS)

echo "==> Loading images to registry..."
for image in "$WORK"/images/*.tar; do
    echo "  Loading $(basename "$image")..."
    # Load once: 'docker load -q' prints "Loaded image: <repo>:<tag>", which
    # is parsed here instead of loading the archive a second time.
    loaded="$(docker load -q -i "$image")"
    original="${loaded#Loaded image: }"
    # Retag for the local registry: drop the original registry host, keep
    # the repository path and tag.
    retagged="${REGISTRY}/$(echo "$original" | cut -d'/' -f2-)"
    docker tag "$original" "$retagged"
    docker push "$retagged"
done

echo "==> Importing advisory data..."
stella concelier import "$WORK/advisories/"

echo "==> Done! Registry: $REGISTRY"
```
## 5. Offline Kit Integration
### 5.1 Bundle Contents
```
stellaops-airgap-2025.10.0/
├── manifest.json            # Bundle manifest
├── manifest.dsse            # DSSE-signed manifest
├── public-key.pem           # Verification key
├── SHA256SUMS               # Checksums
├── SHA256SUMS.sig           # Signed checksums
├── images/                  # Container images
│   ├── authority-v2025.10.0.tar
│   ├── concelier-v2025.10.0.tar
│   ├── scanner-web-v2025.10.0.tar
│   ├── scanner-worker-v2025.10.0.tar
│   └── ...
├── advisories/              # Advisory data
│   ├── nvd-2025-12-01.json.gz
│   ├── ghsa-2025-12-01.json.gz
│   └── ...
├── scripts/
│   ├── load.sh              # Registry loader
│   ├── verify.sh            # Verification script
│   └── update.sh            # Incremental update
└── docs/
    ├── INSTALL.md           # Installation guide
    ├── VERIFY.md            # Verification guide
    └── TROUBLESHOOT.md      # Troubleshooting
```
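The `SHA256SUMS` file above is what the `verify-checksums` step in section 3.2 and `scripts/verify.sh` consume. As an added example, not the project's `stella mirror verify-checksums` implementation, the Go program below verifies a bundle tree against a `SHA256SUMS` in `sha256sum(1)` format and goes beyond plain digest matching: it reports listed files that are missing or altered, files present in the tree that the list does not mention (a planted file survives a digest-only check), and list entries whose path would escape the bundle root. Assumptions: `SHA256SUMS` lists every file except itself and `SHA256SUMS.sig`, paths are relative to the bundle root, the sample tree is constructed in a temporary directory, and the separate signature check over `SHA256SUMS.sig` is not shown.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Result collects every disagreement with SHA256SUMS; OK() means there is none.
type Result struct {
	Mismatched []string // listed, but absent or with a different digest
	Unlisted   []string // present but not listed (a planted file)
	Rejected   []string // malformed lines or paths that could escape the root
}

func (r Result) OK() bool {
	return len(r.Mismatched)+len(r.Unlisted)+len(r.Rejected) == 0
}

// parseSums reads sha256sum(1) output: "<64 hex>  <path>" (or " *<path>" in binary mode).
func parseSums(data []byte) (want map[string]string, rejected []string) {
	want = map[string]string{}
	for _, line := range strings.Split(string(data), "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		if len(line) < 67 || line[64] != ' ' || (line[65] != ' ' && line[65] != '*') {
			rejected = append(rejected, line)
			continue
		}
		name := line[66:]
		clean := filepath.ToSlash(filepath.Clean(filepath.FromSlash(name)))
		if filepath.IsAbs(name) || strings.HasPrefix(name, "/") || clean != name ||
			clean == ".." || strings.HasPrefix(clean, "../") {
			rejected = append(rejected, line)
			continue
		}
		want[name] = strings.ToLower(line[:64])
	}
	return want, rejected
}

// VerifyBundle hashes every listed file, then walks the tree for files the list
// omits. SHA256SUMS and SHA256SUMS.sig cannot list themselves and are skipped.
func VerifyBundle(root string) (Result, error) {
	var res Result
	data, err := os.ReadFile(filepath.Join(root, "SHA256SUMS"))
	if err != nil {
		return res, err
	}
	want, rejected := parseSums(data)
	res.Rejected = rejected
	for name, sum := range want {
		// Whole-file read keeps the example short; stream the hash for image tars.
		body, err := os.ReadFile(filepath.Join(root, filepath.FromSlash(name)))
		if h := sha256.Sum256(body); err != nil || hex.EncodeToString(h[:]) != sum {
			res.Mismatched = append(res.Mismatched, name)
		}
	}
	err = filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		rel = filepath.ToSlash(rel)
		if _, listed := want[rel]; !listed && rel != "SHA256SUMS" && rel != "SHA256SUMS.sig" {
			res.Unlisted = append(res.Unlisted, rel)
		}
		return nil
	})
	return res, err
}

// WriteSampleBundle lays out a constructed two-file bundle with a matching SHA256SUMS.
func WriteSampleBundle(root string) error {
	files := map[string]string{
		"manifest.json":                   `{"bundle":"stellaops-airgap-2025.10.0"}`,
		"images/authority-v2025.10.0.tar": "constructed image archive bytes",
	}
	if err := os.MkdirAll(filepath.Join(root, "images"), 0o755); err != nil {
		return err
	}
	var sums strings.Builder
	for name, body := range files {
		if err := os.WriteFile(filepath.Join(root, filepath.FromSlash(name)), []byte(body), 0o644); err != nil {
			return err
		}
		h := sha256.Sum256([]byte(body))
		fmt.Fprintf(&sums, "%s  %s\n", hex.EncodeToString(h[:]), name)
	}
	return os.WriteFile(filepath.Join(root, "SHA256SUMS"), []byte(sums.String()), 0o644)
}

func main() {
	root, _ := os.MkdirTemp("", "airgap-bundle")
	defer os.RemoveAll(root)
	_ = WriteSampleBundle(root)
	res, err := VerifyBundle(root)
	fmt.Printf("ok=%v %+v err=%v\n", res.OK(), res, err)
}
```

The walk for unlisted files is the part `sha256sum -c` alone does not give you: an attacker who can add `images/extra.tar` to a tarball without touching listed files passes a digest-only check, and an entry such as `../../etc/passwd` in a checksum list written by the attacker must be refused before any path is opened. Checking `SHA256SUMS.sig` against the pinned mirror public key is what makes the list itself trustworthy; without that step this code only detects accidental corruption.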
## 6. Tasks Unblocked
This plan unblocks:
| Task ID | Description | Status |
|---------|-------------|--------|
| AIRGAP-46-001 | Mirror staffing + DSSE plan | ✅ UNBLOCKED |
| DEPLOY-AIRGAP-46-001 | Air-gap load scripts | ✅ UNBLOCKED |
| AIRGAP-54-001 | Exporter/AirGap/CLI coordination | ✅ UNBLOCKED |
| DEVPORT-64-002 | DevPortal Offline (already DONE) | ✅ N/A |
## 7. Changelog
| Date | Version | Change |
|------|---------|--------|
| 2025-12-06 | 1.0.0 | Initial plan with staffing, DSSE workflow, CI/CD pipelines |