stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
bc4318ef971247e18c9c05f8b7838880f6584dc3
git.stella-ops.org/docs2/security/crypto-and-trust.md
master bc4318ef97 Add tests for SBOM generation determinism across multiple formats 
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
2025-12-23 18:56:12 +02:00

38 lines
1.3 KiB
Markdown
Raw Blame History

# Crypto profiles and trust
StellaOps supports regional crypto profiles and offline trust roots. Profiles
control signing algorithms, verification rules, and provider selection.
Crypto profiles
- Compliance profile id: world, fips, gost, sm, kcmvp, eidas.
- Provider registry selects preferred crypto implementations.
- Simulation mode provides a remote signer for pre-certification testing.
Trust and signing
- DSSE is the default for bundle manifests and attestations.
- Trust roots are distributed in RootPack snapshots for offline validation.
- Optional TUF metadata can be bundled in sealed environments.
Signed time anchors
- Offline time anchors include issuedAt, notAfter, and signature.
- Time anchors are verified locally against trust roots.
Rotation
- Rotate roots with overlapping validity windows.
- Ship new roots in the next offline bundle and re-sign manifests.
- Maintain audit logs for rotation events.
Evidence expectations
- JWKS exports for active providers.
- Fixed-message sign and verify logs for audit trails.
Related references
- docs/security/crypto-profile-configuration.md
- docs/security/trust-and-signing.md
- docs/security/crypto-simulation-services.md
- docs/security/crypto-compliance.md
- docs/airgap/staleness-and-time.md
- operations/key-rotation.md
- provenance/rekor-policy.md
- release/promotion-attestations.md
Reference in New Issue View Git Blame Copy Permalink