git.stella-ops.org/docs/doctor/articles/compliance/attestation-signing.md
master c58a236d70 Doctor plugin checks: implement health check classes and documentation
Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:28:00 +02:00


| checkId | plugin | severity | tags |
|---|---|---|---|
| `check.compliance.attestation-signing` | `stellaops.doctor.compliance` | fail | compliance, attestation, signing, crypto |

# Attestation Signing Health

## What It Checks

Monitors attestation signing capability by querying the Attestor service at `/api/v1/signing/status`. The check validates:

- **Key availability**: whether a signing key is loaded and accessible (via `keyAvailable` in the response).
- **Key expiration**: if the key has an `expiresAt` timestamp, the check fails when the key is already expired, warns when expiry is within 30 days, and passes otherwise.
- **Signing activity**: reports the key type and the number of signatures produced in the last 24 hours.

The check only runs when `Attestor:Url` or `Services:Attestor:Url` is configured. It uses a 10-second HTTP timeout.

| Condition | Result |
|---|---|
| Attestor unreachable or HTTP error | Fail |
| Key not available | Fail |
| Key expired | Fail |
| Key expires within 30 days | Warn |
| Key available and not expiring soon | Pass |
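The decision logic above, written out as an added example so the condition table can be exercised against sample responses. This is not the Doctor plugin's own code: the endpoint path and the `keyAvailable` / `expiresAt` fields come from this page, while the `keyType` and `signaturesLast24h` field names, the `fetch_signing_status` helper and the sample response are assumptions made for the example.

```python
"""Evaluate an Attestor signing-status response the way the
check.compliance.attestation-signing table describes (added example, not the
Doctor plugin's own implementation)."""
import json
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

EXPIRY_WARN_WINDOW = timedelta(days=30)   # "warn when expiry is within 30 days"
HTTP_TIMEOUT_SECONDS = 10                 # the check's 10-second HTTP timeout


def fetch_signing_status(attestor_url: str) -> Optional[dict]:
    """GET <attestor_url>/api/v1/signing/status with the check's timeout.
    Returns the parsed JSON body, or None when the Attestor is unreachable,
    answers with a non-2xx status, or returns a body that is not JSON; all of
    those map to Fail in the table."""
    url = attestor_url.rstrip("/") + "/api/v1/signing/status"
    try:
        with urllib.request.urlopen(url, timeout=HTTP_TIMEOUT_SECONDS) as resp:
            return json.load(resp)
    except (urllib.error.URLError, ValueError, OSError):
        return None


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO-8601 timestamp. A trailing 'Z' is normalised to +00:00 and a
    timestamp without a zone is treated as UTC so comparisons never mix naive
    and aware datetimes."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def evaluate_signing_status(status: Optional[dict],
                            now: Optional[datetime] = None) -> Tuple[str, str]:
    """Map a signing-status response to (result, message):
    unreachable -> fail, key missing -> fail, key expired -> fail,
    expiring within 30 days -> warn, otherwise pass."""
    now = now or datetime.now(timezone.utc)
    if status is None:
        return "fail", "Attestor unreachable or returned an HTTP error"
    if not status.get("keyAvailable", False):
        return "fail", "No signing key is loaded or accessible"

    # Signing activity is reported but never changes the result.
    # The field names below are assumptions, not documented names.
    key_type = status.get("keyType", "unknown")
    sig_count = status.get("signaturesLast24h", 0)
    activity = f"key type {key_type}, {sig_count} signatures in last 24h"

    expires_at = status.get("expiresAt")
    if expires_at is None:
        # No expiry on the key: nothing to warn about, so the check passes.
        return "pass", f"Key available, no expiry set ({activity})"

    remaining = parse_timestamp(expires_at) - now
    if remaining <= timedelta(0):
        return "fail", f"Signing key expired at {expires_at} ({activity})"
    if remaining <= EXPIRY_WARN_WINDOW:
        return "warn", f"Signing key expires in {remaining.days} days ({activity})"
    return "pass", f"Key available, expires in {remaining.days} days ({activity})"


if __name__ == "__main__":
    # Constructed sample response; against a live Attestor you would call
    # fetch_signing_status("http://attestor:5082") instead.
    sample = {"keyAvailable": True, "keyType": "ecdsa-p256",
              "signaturesLast24h": 42, "expiresAt": "2026-04-10T00:00:00Z"}
    print(evaluate_signing_status(sample, parse_timestamp("2026-03-27T12:28:00Z")))
```

Passing `now` explicitly keeps the evaluation deterministic, which is what you want when testing the warn boundary; the real check uses the current time. Note that a key with no `expiresAt` passes silently, so a backend that omits expiry metadata will never trigger the 30-day warning and needs its own rotation alerting.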

## Why It Matters

Attestation signing is the foundation of Stella Ops' evidence chain. Without a working signing key, the system cannot create attestations for releases, SBOM scans, or policy decisions. This breaks the entire compliance audit trail and makes releases unverifiable. Key expiration without timely rotation causes the same downstream impact as a missing key, but with no advance warning unless monitored.

## Common Causes

- HSM/KMS connectivity issue preventing key access
- Key rotation in progress (brief window of unavailability)
- Key expired or revoked without replacement
- Permission denied on the key management backend
- Attestor service unavailable or misconfigured endpoint URL

## How to Fix

### Docker Compose

Verify the Attestor service is running and the URL is correct:

```bash
# Check attestor container health
docker compose ps attestor

# Verify signing key status
docker compose exec attestor stella attestor key status

# If key is expired, rotate it
docker compose exec attestor stella attestor key rotate

# Ensure the URL is correct in your .env or compose override
# Attestor__Url=http://attestor:5082
```

### Bare Metal / systemd

Check the Attestor service and key configuration:

```bash
# Check service status
sudo systemctl status stellaops-attestor

# Verify key status
stella attestor key status

# Test HSM/KMS connectivity
stella attestor hsm test

# Rotate an expired key
stella attestor key rotate

# If using appsettings.json, verify Attestor:Url is correct
jq '.Attestor' /etc/stellaops/appsettings.json
```

### Kubernetes / Helm

```bash
# Check attestor pod status
kubectl get pods -l app=stellaops-attestor

# Check signing key status
kubectl exec deploy/stellaops-attestor -- stella attestor key status

# Verify HSM/KMS connectivity from the pod
kubectl exec deploy/stellaops-attestor -- stella attestor hsm test

# Schedule key rotation via Helm values
helm upgrade stellaops ./charts/stellaops \
  --set attestor.keyRotation.enabled=true \
  --set attestor.keyRotation.scheduleBeforeExpiryDays=30
```

## Verification

```bash
stella doctor run --check check.compliance.attestation-signing
```

Related checks:

- `check.compliance.evidence-rate`: monitors evidence generation success rate, which depends on signing
- `check.compliance.provenance-completeness`: verifies provenance records exist for releases (requires working signing)
- `check.compliance.evidence-integrity`: verifies signatures on stored evidence
- `check.crypto.hsm`: validates HSM/PKCS#11 module availability used by the signing key