stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
bc4318ef971247e18c9c05f8b7838880f6584dc3
git.stella-ops.org/docs2/release/promotion-attestations.md
master bc4318ef97 Add tests for SBOM generation determinism across multiple formats 
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
2025-12-23 18:56:12 +02:00

42 lines
1.4 KiB
Markdown
Raw Blame History

# Promotion attestations
Purpose
- Capture promotion-time evidence in a DSSE predicate for offline audit.
Predicate: stella.ops/promotion@v1
- subject: image name and digest.
- materials: SBOM and VEX digests with format and OCI uri.
- promotion: from, to, actor, timestamp, pipeline, ticket, notes.
- rekor: uuid, logIndex, inclusionProof, checkpoint.
- attestation: bundle_sha256 and optional witness.
Producer workflow
1. Resolve and freeze image digest.
2. Hash SBOM and VEX artifacts and publish to OCI if needed.
3. Obtain Rekor inclusion proof and checkpoint.
4. Build promotion predicate JSON.
5. Sign with Signer to produce DSSE bundle.
6. Store bundle in Evidence Locker and Export Center.
Verification flow
- Verify DSSE signature using trusted roots.
- Verify Merkle inclusion using the embedded proof and checkpoint.
- Hash SBOM and VEX artifacts and compare to materials digests.
- Confirm promotion metadata and ticket evidence.
Storage and APIs
- Signer: /api/v1/signer/sign/dsse
- Attestor: /api/v1/rekor/entries
- Export Center: serves promotion bundles for offline kits
- Evidence Locker: long-term retention of DSSE and proofs
Security considerations
- Promotion metadata is tenant scoped.
- Rekor proofs must be embedded for air-gap verification.
- Key rotation follows Signer and Authority policies.
Related references
- release/release-engineering.md
- provenance/attestation-workflow.md
- security/forensics-and-evidence-locker.md
Reference in New Issue View Git Blame Copy Permalink