| checkId | plugin | severity | tags |
|---|---|---|---|
| check.verification.signature | stellaops.doctor.verification | fail | |
# Signature Verification
## What It Checks

The check requires the verification plugin and a test artifact to run against. In offline mode it inspects the exported verification bundle for DSSE-style signature material (a DSSE envelope carrying one or more signatures). In online mode it reads `Sigstore:Enabled` and, when enabled, verifies that the configured Rekor transparency-log endpoint is reachable.

It reports `info` when Sigstore is disabled, and `fail` when the offline bundle is missing or Rekor cannot be reached. A reachable Rekor endpoint shows only that the verification path is available; it does not by itself establish that a given signature has a log inclusion proof.
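The decision logic described above, written out as an added example. This is illustration code, not the Doctor plugin's own implementation: the function names (`signature_check`, `has_dsse_signature_material`, `probe_rekor`), the bundle key `dsseEnvelope`, and the config key `Sigstore:RekorUrl` (the colon form of the `Sigstore__RekorUrl` environment variable) are assumptions; the DSSE envelope shape (`payloadType`, base64 `payload`, `signatures[].sig`) follows the DSSE specification. The sample bundles are constructed inline, and the Rekor probe is injectable so the scenarios run without network access.

```python
"""Illustration of the check.verification.signature outcomes (added example,
not the Stella Ops Doctor plugin's code)."""
import base64
import urllib.request
from typing import Callable, Optional, Tuple

# Outcome labels mirroring the documented results.
INFO, PASS, FAIL = "info", "pass", "fail"


def has_dsse_signature_material(bundle: dict) -> bool:
    """True if the bundle carries a structurally valid DSSE envelope.

    Assumption: the exported bundle stores the envelope under "dsseEnvelope" in
    the standard DSSE shape {"payloadType": str, "payload": base64,
    "signatures": [{"keyid": str, "sig": base64}, ...]}.
    """
    env = bundle.get("dsseEnvelope")
    if not isinstance(env, dict):
        return False
    if not isinstance(env.get("payloadType"), str) or not env["payloadType"]:
        return False
    sigs = env.get("signatures")
    if not isinstance(sigs, list) or not sigs:
        return False
    try:
        base64.b64decode(env["payload"], validate=True)
        for s in sigs:
            if not s.get("sig"):
                return False
            base64.b64decode(s["sig"], validate=True)
    except (KeyError, TypeError, ValueError, AttributeError):
        return False
    return True


def probe_rekor(rekor_url: str, timeout: float = 5.0) -> bool:
    """Online probe: GET {rekor_url}/api/v1/log, the endpoint the docs curl."""
    try:
        with urllib.request.urlopen(rekor_url.rstrip("/") + "/api/v1/log",
                                    timeout=timeout) as resp:
            return resp.status == 200
    except Exception:  # DNS failure, TLS error, timeout, non-2xx: all mean "unreachable"
        return False


def signature_check(config: dict, bundle: Optional[dict], offline: bool,
                    probe: Callable[[str], bool] = probe_rekor) -> Tuple[str, str]:
    """Reproduce the documented outcomes: info / pass / fail with a reason."""
    if offline:
        if bundle is None:
            return (FAIL, "offline bundle missing")
        if not has_dsse_signature_material(bundle):
            return (FAIL, "offline bundle contains no DSSE signature material")
        return (PASS, "offline bundle carries DSSE signature material")
    # Online mode: Sigstore:Enabled is the config key; Sigstore__Enabled is the
    # same setting expressed as a .NET double-underscore environment variable.
    if str(config.get("Sigstore:Enabled", "false")).lower() != "true":
        return (INFO, "Sigstore is disabled; signature verification skipped")
    rekor_url = config.get("Sigstore:RekorUrl", "")  # assumed key name
    if not rekor_url or not probe(rekor_url):
        return (FAIL, f"Rekor log endpoint unreachable: {rekor_url or '<unset>'}")
    return (PASS, f"Rekor reachable at {rekor_url}")


# Constructed sample bundles (not real exports).
SIGNED_BUNDLE = {
    "dsseEnvelope": {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(b'{"_type":"https://in-toto.io/Statement/v1"}').decode(),
        "signatures": [{"keyid": "example-key",
                        "sig": base64.b64encode(b"\x00" * 64).decode()}],
    }
}
UNSIGNED_BUNDLE = {"dsseEnvelope": {"payloadType": "application/vnd.in-toto+json",
                                     "payload": "e30=", "signatures": []}}
ONLINE_CFG = {"Sigstore:Enabled": "true", "Sigstore:RekorUrl": "https://rekor.sigstore.dev"}


def demo() -> dict:
    """Run every documented scenario with an injected probe so it works offline."""
    return {
        "offline_signed": signature_check({}, SIGNED_BUNDLE, offline=True),
        "offline_unsigned": signature_check({}, UNSIGNED_BUNDLE, offline=True),
        "offline_missing": signature_check({}, None, offline=True),
        "online_disabled": signature_check({"Sigstore:Enabled": "false"}, None, offline=False),
        "online_unreachable": signature_check(ONLINE_CFG, None, offline=False,
                                              probe=lambda url: False),
        "online_ok": signature_check(ONLINE_CFG, None, offline=False,
                                     probe=lambda url: True),
    }


if __name__ == "__main__":
    for name, (severity, msg) in demo().items():
        print(f"{name:20s} {severity:5s} {msg}")
```

Note that `has_dsse_signature_material` only confirms the envelope is present and well-formed, which is exactly what the documented offline mode checks; it does not verify the signatures cryptographically.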
## Why It Matters

Signature verification is the minimum control proving that the artifact under review was signed by the expected supply-chain path. Without it, an unsigned or tampered artifact is indistinguishable from a legitimate one to every downstream check.
## Common Causes

- `Sigstore__Enabled` is `false`
- Rekor URL is unreachable from the Doctor workload
- Offline bundles were exported without signatures
## How to Fix

### Docker Compose

```yaml
services:
  doctor-web:
    environment:
      Sigstore__Enabled: "true"
      Sigstore__RekorUrl: https://rekor.sigstore.dev
```

Confirm the Rekor log endpoint is reachable from inside the Doctor container:

```shell
docker compose -f devops/compose/docker-compose.stella-ops.yml exec doctor-web curl -fsS https://rekor.sigstore.dev/api/v1/log
```

For offline verification, export the bundle with signatures included:

```shell
stella verification bundle export --include-signatures --output /var/lib/stella/verification/offline-bundle.json
```
### Bare Metal / systemd

Ensure the Doctor host trusts the CA chain used by the Rekor endpoint, or point `Sigstore__RekorUrl` at the approved internal Rekor deployment.
### Kubernetes / Helm

Prefer an internal Rekor service URL in disconnected or regulated clusters, and make sure the cluster's egress policy allows the Doctor pod to reach it.
## Verification

```shell
stella doctor --check check.verification.signature
```
## Related Checks

- `check.attestation.rekor.connectivity`: validates the transparency log path more directly
- `check.verification.artifact.pull`: signature checks need a reachable artifact reference