stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity
Files
bc0762e97d251723854b9c4e482b218c8efb1e04
git.stella-ops.org/docs/modules/signals/evidence/README.md
StellaOps Bot bc0762e97d up
2025-12-09 00:20:52 +02:00

4.6 KiB
Raw Blame History

Signals DSSE Evidence Staging (runtime/signals gaps)

Artifacts prepared 2025-12-05 (UTC) for DSSE signing and Evidence Locker ingest:

Artifact Path Predicate
Decay config docs/modules/signals/decay/confidence_decay_config.yaml stella.ops/confidenceDecayConfig@v1
Unknowns manifest docs/modules/signals/unknowns/unknowns_scoring_manifest.json stella.ops/unknownsScoringManifest@v1
Heuristics catalog docs/modules/signals/heuristics/heuristics.catalog.json stella.ops/heuristicCatalog@v1
Checksums docs/modules/signals/SHA256SUMS

CI Automated Signing

  • .gitea/workflows/signals-dsse-sign.yml ƒ?" DSSE signing of decay/unknowns/heuristics on push or manual dispatch.
  • .gitea/workflows/signals-reachability.yml ƒ?" reachability smoke (SIGNALS-24-004/005), DSSE signing, and optional Evidence Locker upload.
  • .gitea/workflows/signals-evidence-locker.yml ƒ?" production re-sign + deterministic tar upload; defaults to evidence-locker/signals/2025-12-05.

Prerequisites (CI Secrets or Repo Vars)

Secret/Var Description
COSIGN_PRIVATE_KEY_B64 Base64-encoded cosign private key (required for production)
COSIGN_PASSWORD Password for encrypted key (if applicable)
CI_EVIDENCE_LOCKER_TOKEN Token for Evidence Locker push
EVIDENCE_LOCKER_URL Base URL for locker PUT (e.g., https://locker.example.com)

Trigger

  • Automatic: Push to main affecting docs/modules/signals/**, tools/cosign/sign-signals.sh, or Signals sources (reachability workflow).
  • Manual: Workflow dispatch with allow_dev_key=1 for testing; out_dir input defaults to evidence-locker/signals/2025-12-05.

Output

Signed artifacts uploaded as workflow artifacts and, when secrets/vars are present, pushed to Evidence Locker. Evidence tar SHA256 is emitted in job logs.

Development Signing (Local Testing)

A development key pair is available for smoke tests. Recent dev bundles live under docs/modules/signals/dev-smoke/2025-12-04/ and docs/modules/signals/dev-smoke/2025-12-05/.

# Sign with dev key
COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
  OUT_DIR=docs/modules/signals/dev-smoke/2025-12-05 \
  tools/cosign/sign-signals.sh

# Verify signature
cosign verify-blob \
  --key tools/cosign/cosign.dev.pub \
  --bundle docs/modules/signals/dev-smoke/2025-12-05/confidence_decay_config.sigstore.json \
  docs/modules/signals/decay/confidence_decay_config.yaml

Note: Dev key signatures are NOT suitable for Evidence Locker or production use; tlog upload is disabled.

Production Signing (Manual)

For production signing without CI:

# Option 1: Place key file
cp /path/to/production.key tools/cosign/cosign.key
OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh

# Option 2: Use base64 env var
export COSIGN_PRIVATE_KEY_B64=$(cat production.key | base64 -w0)
export COSIGN_PASSWORD=your-password
OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh

Evidence Locker Paths

Post-signing, artifacts go to:

  • evidence-locker/signals/2025-12-05/confidence_decay_config.sigstore.json
  • evidence-locker/signals/2025-12-05/unknowns_scoring_manifest.sigstore.json
  • evidence-locker/signals/2025-12-05/heuristics_catalog.sigstore.json
  • evidence-locker/signals/2025-12-05/SHA256SUMS

Deterministic tarball (dev-key signing 2025-12-05) for locker push/testing:

evidence-locker/signals/2025-12-05/signals-evidence.tar  sha256=a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d

Verification helper:

./tools/signals-verify-evidence-tar.sh [path/to/signals-evidence.tar]

Local locker upload (once creds are available):

export EVIDENCE_LOCKER_URL="<locker-base-url>"
export CI_EVIDENCE_LOCKER_TOKEN="<token>"
./tools/signals-upload-evidence.sh
# or to push both Signals and Zastava in one go
./tools/upload-all-evidence.sh

CI upload path:

  • Workflow: .gitea/workflows/signals-evidence-locker.yml
  • Secrets required: CI_EVIDENCE_LOCKER_TOKEN, EVIDENCE_LOCKER_URL
  • Artifact name: signals-evidence-2025-12-05
  • Retention input (optional): retention_target (default 180 days)

Post-Signing Checklist

  1. Verify signatures against public key
  2. Update sprint tracker (SPRINT_0140) Delivery Tracker rows 57
  3. Add signer ID to Execution Log
  4. Copy to offline kit bundle for air-gap parity

Notes

  • All timestamps use UTC ISO-8601 format
  • Signatures disable tlog upload (--tlog-upload=false) for offline compatibility
  • See tools/cosign/README.md for detailed key management and CI setup