git.stella-ops.org/docs/features/checked/scanner/signed-sbom-archive-format.md
2026-02-14 09:11:48 +02:00

Signed SBOM Archive Format (SignedSbomArchiveBuilder)

Module

Scanner

Status

VERIFIED

Description

Service that builds signed SBOM archive bundles: a tar.gz containing the SBOM document, a DSSE envelope carrying its signature, and the Rekor transparency-log receipt for that envelope, so the bundle can be transferred and verified offline in an air-gapped environment.

Implementation Details

  • Archive Builder:
    • src/Scanner/StellaOps.Scanner.WebService/Services/SignedSbomArchiveBuilder.cs - SignedSbomArchiveBuilder builds tar.gz archives containing the SBOM document, the DSSE envelope carrying its signature, and the Rekor transparency-log receipt, so the bundle can be verified offline
  • Export Endpoint:
    • src/Scanner/StellaOps.Scanner.WebService/Endpoints/ExportEndpoints.cs - Export endpoints providing download of signed SBOM archives
  • Tests:
    • src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/SignedSbomArchiveBuilderTests.cs - Unit tests for archive building and content verification

E2E Test Plan

  • Build a signed SBOM archive for a scan result and verify the tar.gz contains exactly the SBOM document, the DSSE envelope, and the Rekor receipt
  • Extract the archive and verify the DSSE envelope signature validates under the signer's public key over the DSSE pre-authentication encoding (PAE) of the payload type and payload, and that the payload is byte-identical to the SBOM document in the archive
  • Verify the Rekor receipt in the archive matches the transparency-log entry for this envelope
  • Transfer the archive to an air-gapped environment and verify offline verification succeeds using only the archive contents plus the pre-distributed trust material (the signing public key and the Rekor log key); no network access to the signer or the log may be required
  • Verify the archive format is deterministic: the same inputs produce byte-identical archives once the embedded timestamps (tar member mtimes and the gzip header mtime) are fixed, or are excluded from the comparison
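The following is an added worked example, not code from the StellaOps repository: a minimal Go builder and offline verifier for a bundle of the shape described above (SBOM document, DSSE envelope, Rekor receipt in one tar.gz). It covers both the Description and the E2E plan: deterministic packing, DSSE signature verification over the PAE, the loose SBOM member matching the signed payload, and the receipt binding the payload. The member names, the payload type, the `payloadSha256` receipt field and the use of Ed25519 are all assumptions made for this example; the page does not document the real archive layout, the signing algorithm, or the receipt schema, and the receipt's Merkle inclusion proof is not modelled.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"time"
)

// Member names and payload type are assumptions for this example; the page does not
// document the layout SignedSbomArchiveBuilder actually produces.
const sbomName, envelopeName, receiptName, payloadType = "sbom.cdx.json", "sbom.dsse.json", "rekor-receipt.json", "application/vnd.cyclonedx+json"

type Envelope struct { // DSSE envelope as serialised to JSON; payload and each sig are base64
	PayloadType string              `json:"payloadType"`
	Payload     string              `json:"payload"`
	Signatures  []map[string]string `json:"signatures"` // each {"keyid": ..., "sig": ...}
}

func pae(typ string, payload []byte) []byte { // DSSE Pre-Authentication Encoding v1: the bytes actually signed
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(payload), payload))
}

// BuildArchive signs the SBOM, wraps it in a DSSE envelope and packs SBOM, envelope and Rekor receipt
// (opaque bytes from the log) into a deterministic tar.gz; Ed25519 signing itself is deterministic (RFC 8032).
func BuildArchive(sbom, receipt []byte, priv ed25519.PrivateKey, keyID string) ([]byte, error) {
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pae(payloadType, sbom)))
	envJSON, _ := json.Marshal(Envelope{PayloadType: payloadType, // string fields only: cannot fail
		Payload: base64.StdEncoding.EncodeToString(sbom), Signatures: []map[string]string{{"keyid": keyID, "sig": sig}}})
	names := []string{sbomName, envelopeName, receiptName} // fixed order, never map iteration
	data := [][]byte{sbom, envJSON, receipt}
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf) // Header.ModTime left zero: no wall clock leaks into the stream
	tw := tar.NewWriter(gz)
	for i, n := range names {
		hdr := &tar.Header{Typeflag: tar.TypeReg, Name: n, Mode: 0o644, Size: int64(len(data[i])), ModTime: time.Unix(0, 0)}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		tw.Write(data[i]) // cannot fail: in-memory sink and len(data[i]) == hdr.Size
	}
	tw.Close() // in-memory as well; order matters: tar trailer first, then gzip footer
	gz.Close()
	return buf.Bytes(), nil
}

// VerifyArchive is the air-gapped check: only the archive and the trusted public key are needed. A full
// verifier would also check the receipt's inclusion proof against a signed Rekor checkpoint (out of scope).
func VerifyArchive(archive []byte, pub ed25519.PublicKey) ([]byte, error) {
	gz, err := gzip.NewReader(bytes.NewReader(archive))
	if err != nil {
		return nil, err
	}
	members := map[string][]byte{} // a missing member fails below as empty JSON or a mismatch
	for tr := tar.NewReader(gz); ; {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if members[hdr.Name], err = io.ReadAll(io.LimitReader(tr, 64<<20)); err != nil { // cap: archive is untrusted
			return nil, err
		}
	}
	var env Envelope
	if err := json.Unmarshal(members[envelopeName], &env); err != nil {
		return nil, fmt.Errorf("dsse envelope: %w", err)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(payload, members[sbomName]) { // the signed payload is authoritative
		return nil, fmt.Errorf("sbom member differs from the signed DSSE payload")
	}
	verified := false
	for _, s := range env.Signatures { // DSSE: at least one signature must verify
		sig, err := base64.StdEncoding.DecodeString(s["sig"])
		verified = verified || err == nil && ed25519.Verify(pub, pae(env.PayloadType, payload), sig)
	}
	if !verified {
		return nil, fmt.Errorf("no DSSE signature verifies under the trusted key")
	}
	var rcpt struct{ PayloadSHA256 string `json:"payloadSha256"` } // assumed receipt field
	if err := json.Unmarshal(members[receiptName], &rcpt); err != nil {
		return nil, fmt.Errorf("rekor receipt: %w", err)
	}
	if rcpt.PayloadSHA256 != fmt.Sprintf("%x", sha256.Sum256(payload)) {
		return nil, fmt.Errorf("rekor receipt does not bind this payload")
	}
	return payload, nil
}
```

Two design points worth carrying into a real test: determinism comes from fixing every source of entropy in the container format (member order, mtime, mode, gzip header time), not from the signature, so a builder that uses `time.Now()` or iterates a map will fail the byte-identical check; and the verifier treats the DSSE payload as the source of truth and rejects a loose SBOM member that differs from it, which closes the obvious tampering path of swapping the human-readable document while leaving the envelope intact.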

Verification

Check                           Result
Tier 0 - Source files exist     PASS
Tier 1 - Build + code review    PASS
Tier 2 - Integration tests      PASS
Verified                        2026-02-13T18:10:00Z