stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
bc4318ef971247e18c9c05f8b7838880f6584dc3
git.stella-ops.org/docs2/provenance/attestation-workflow.md
master bc4318ef97 Add tests for SBOM generation determinism across multiple formats 
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
2025-12-23 18:56:12 +02:00

47 lines
1.8 KiB
Markdown
Raw Blame History

# Attestation workflow
Purpose
- Ensure all exported evidence includes DSSE signatures and transparency proofs.
- Provide deterministic verification for online and air-gapped environments.
Workflow overview
- Producer emits a payload and requests signing.
- Signer validates policy and signs with tenant or keyless credentials.
- Attestor wraps the payload in DSSE, records transparency data, and publishes bundles.
- Export Center and Evidence Locker embed bundles in export artifacts.
- Verifiers (CLI, services, auditors) validate signatures and proofs.
Payload types
- StellaOps.BuildProvenance@1
- StellaOps.SBOMAttestation@1
- StellaOps.ScanResults@1
- StellaOps.PolicyEvaluation@1
- StellaOps.VEXAttestation@1
- StellaOps.RiskProfileEvidence@1
- StellaOps.PromotionAttestation@1
Signing and storage controls
- Default is short-lived keyless signing; tenant KMS keys are supported.
- Ed25519 and ECDSA P-256 are supported.
- Payloads must exclude PII and secrets; redaction is required before signing.
- Evidence Locker stores immutable copies with retention and legal hold.
Verification steps
- Verify DSSE signature against trusted roots.
- Confirm subject digest matches expected artifact.
- Verify transparency proof when available.
- Enforce freshness using attestation.max_age_days policy.
- Record verification results in timeline events.
Offline posture
- Bundles include DSSE, transparency proofs, and certificate chains.
- Offline verification uses embedded proofs and cached trust roots.
- Pending transparency entries are replayed when connectivity returns.
Related references
- provenance/inline-provenance.md
- security/forensics-and-evidence-locker.md
- docs/modules/attestor/architecture.md
- docs/modules/signer/architecture.md
- docs/modules/export-center/architecture.md
Reference in New Issue View Git Blame Copy Permalink