git.stella-ops.org/docs2/provenance/attestation-workflow.md
master bc4318ef97 Add tests for SBOM generation determinism across multiple formats
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
2025-12-23 18:56:12 +02:00

Attestation workflow

Purpose

  • Ensure all exported evidence includes DSSE signatures and transparency proofs.
  • Provide deterministic verification for online and air-gapped environments.

Workflow overview

  • Producer emits a payload and requests signing.
  • Signer validates policy and signs with tenant or keyless credentials.
  • Attestor wraps the payload in DSSE, records transparency data, and publishes bundles.
  • Export Center and Evidence Locker embed bundles in export artifacts.
  • Verifiers (CLI, services, auditors) validate signatures and proofs.

Payload types

  • StellaOps.BuildProvenance@1
  • StellaOps.SBOMAttestation@1
  • StellaOps.ScanResults@1
  • StellaOps.PolicyEvaluation@1
  • StellaOps.VEXAttestation@1
  • StellaOps.RiskProfileEvidence@1
  • StellaOps.PromotionAttestation@1

Signing and storage controls

  • Default is short-lived keyless signing; tenant KMS keys are supported.
  • Ed25519 and ECDSA P-256 are supported.
  • Payloads must exclude PII and secrets; redaction is required before signing.
  • Evidence Locker stores immutable copies with retention and legal hold.

Verification steps

  • Verify DSSE signature against trusted roots.
  • Confirm subject digest matches expected artifact.
  • Verify transparency proof when available.
  • Enforce freshness using attestation.max_age_days policy.
  • Record verification results in timeline events.
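The signature, subject-digest and freshness checks above, written out as an added Go example rather than StellaOps' own verifier code: an Ed25519-signed DSSE envelope is checked against a keyid-to-key map of trust roots, the in-toto statement's subject digest is compared with the expected artifact, and age is enforced against a max_age_days value. The transparency-proof step is not covered, and the statement's `created` timestamp, the key id and the sample digest are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// DSSE envelope as the attestor emits it; []byte fields marshal to base64, as the DSSE JSON form requires.
type Signature struct{ KeyID string `json:"keyid"`; Sig []byte `json:"sig"` }
type Envelope struct{ PayloadType string `json:"payloadType"`; Payload []byte `json:"payload"`; Signatures []Signature `json:"signatures"` }
// Slice of the in-toto statement the verifier reads; "created" is a hypothetical field used for max_age_days.
type Statement struct{ Subject []struct{ Digest map[string]string }; Created time.Time }
// pae is the DSSE Pre-Authentication Encoding; the signature covers it, never the raw payload.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}
// Verify applies the page's checks in order: trusted-root signature, subject digest, then freshness (max_age_days).
func Verify(env Envelope, roots map[string]ed25519.PublicKey, wantSHA256 string, maxAgeDays int, now time.Time) error {
	trusted, st := false, Statement{}
	for _, s := range env.Signatures { // signatures by unknown keyids are skipped, never trusted
		if pub, ok := roots[s.KeyID]; ok && ed25519.Verify(pub, pae(env.PayloadType, env.Payload), s.Sig) {
			trusted = true
		}
	}
	if !trusted {
		return fmt.Errorf("no valid signature from a trusted root")
	}
	if err := json.Unmarshal(env.Payload, &st); err != nil {
		return err
	}
	for _, sub := range st.Subject {
		if sub.Digest["sha256"] == wantSHA256 { // matching subject found; it must also be fresh
			if age := now.Sub(st.Created); age > time.Duration(maxAgeDays)*24*time.Hour {
				return fmt.Errorf("attestation age %s exceeds max_age_days=%d", age, maxAgeDays)
			}
			return nil
		}
	}
	return fmt.Errorf("no subject digest matches expected artifact sha256:%s", wantSHA256)
}
func main() { // constructed demo with a throwaway key, not a tenant key
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	stmt := []byte(`{"subject":[{"digest":{"sha256":"ab12"}}],"created":"2025-12-20T00:00:00Z"}`)
	env := Envelope{"application/vnd.in-toto+json", stmt, nil} // what the attestor would wrap
	env.Signatures = []Signature{{"tenant-key-1", ed25519.Sign(priv, pae(env.PayloadType, stmt))}}
	fmt.Println(Verify(env, map[string]ed25519.PublicKey{"tenant-key-1": pub}, "ab12", 30, time.Date(2025, 12, 22, 0, 0, 0, 0, time.UTC)))
}
```

A signature whose keyid is absent from the trust roots is ignored rather than accepted, so a bundle signed only by an unknown key fails closed.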

Offline posture

  • Bundles include DSSE, transparency proofs, and certificate chains.
  • Offline verification uses embedded proofs and cached trust roots.
  • Pending transparency entries are replayed when connectivity returns.

Related references

  • provenance/inline-provenance.md
  • security/forensics-and-evidence-locker.md
  • docs/modules/attestor/architecture.md
  • docs/modules/signer/architecture.md
  • docs/modules/export-center/architecture.md