- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
# Promotion attestations

## Purpose
- Capture promotion-time evidence in a DSSE predicate for offline audit.
## Predicate: `stella.ops/promotion@v1`
- subject: image name and digest.
- materials: SBOM and VEX digests, each with its format and OCI URI.
- promotion: from, to, actor, timestamp, pipeline, ticket, notes.
- rekor: uuid, logIndex, inclusionProof, checkpoint.
- attestation: bundle_sha256 and optional witness.
## Producer workflow
- Resolve and freeze image digest.
- Hash SBOM and VEX artifacts and publish to OCI if needed.
- Obtain Rekor inclusion proof and checkpoint.
- Build promotion predicate JSON.
- Sign with Signer to produce DSSE bundle.
- Store bundle in Evidence Locker and Export Center.
## Verification flow
- Verify DSSE signature using trusted roots.
- Verify Merkle inclusion using the embedded proof and checkpoint.
- Hash SBOM and VEX artifacts and compare to materials digests.
- Confirm promotion metadata and ticket evidence.
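As an added example (not part of this document or the StellaOps code base), the producer and verification flows above in Python: the in-toto statement carrying the promotion predicate, the DSSE pre-authentication encoding that the signature covers, and the offline checks that the Rekor fields are embedded and that the SBOM/VEX digests match the locally held artifacts. HMAC-SHA256 with a shared key stands in for the Signer's key-based signature and trusted roots (an assumption, not the Signer's real algorithm); material names, URIs and sample artifacts are constructed.

```python
import base64, hashlib, hmac, json

PREDICATE_TYPE = "stella.ops/promotion@v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"
REKOR_FIELDS = ("uuid", "logIndex", "inclusionProof", "checkpoint")

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: the bytes the signature actually covers."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def sha256_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def build_statement(subject: dict, materials: list, promotion: dict, rekor: dict) -> dict:
    """in-toto v1 Statement wrapping the promotion predicate (subject/materials/promotion/rekor)."""
    return {"_type": "https://in-toto.io/Statement/v1", "subject": [subject],
            "predicateType": PREDICATE_TYPE,
            "predicate": {"materials": materials, "promotion": promotion, "rekor": rekor}}

def sign_envelope(statement: dict, key: bytes, keyid: str) -> dict:
    """Producer side: serialise and wrap in a DSSE envelope. HMAC is a stand-in for the Signer (assumption)."""
    body = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, body), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(body).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}

def verify_promotion(envelope: dict, trusted_keys: dict, artifacts: dict) -> tuple:
    """Offline verification: trusted signature, predicate type, embedded Rekor proof, materials digests."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        return False, "unexpected payloadType"
    body = base64.b64decode(envelope["payload"])
    covered = pae(PAYLOAD_TYPE, body)
    # Only signatures from keys in the trusted set count; unknown keyids are ignored.
    if not any(hmac.compare_digest(hmac.new(trusted_keys[s["keyid"]], covered, hashlib.sha256).digest(),
                                   base64.b64decode(s["sig"]))
               for s in envelope.get("signatures", []) if s.get("keyid") in trusted_keys):
        return False, "no valid signature from a trusted key"
    stmt = json.loads(body)
    if stmt.get("predicateType") != PREDICATE_TYPE:
        return False, "unexpected predicateType"
    pred = stmt["predicate"]
    # Air-gap rule: the proof and checkpoint must travel inside the bundle, not be fetched.
    if any(f not in pred.get("rekor", {}) for f in REKOR_FIELDS):
        return False, "Rekor inclusion proof not embedded"
    for m in pred["materials"]:  # recompute SBOM/VEX digests from local copies
        local = artifacts.get(m["name"])
        if local is None or sha256_digest(local) != m["digest"]:
            return False, f"materials digest mismatch: {m['name']}"
    return True, "ok"
```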
## Storage and APIs
- Signer: /api/v1/signer/sign/dsse
- Attestor: /api/v1/rekor/entries
- Export Center: serves promotion bundles for offline kits
- Evidence Locker: long-term retention of DSSE and proofs
## Security considerations
- Promotion metadata is tenant-scoped.
- Rekor proofs must be embedded for air-gap verification.
- Key rotation follows Signer and Authority policies.
## Related references
- release/release-engineering.md
- provenance/attestation-workflow.md
- security/forensics-and-evidence-locker.md