git.stella-ops.org/docs/modules/airgap/guides/promotion-rekor-tile-verification.md

Promotion Rekor Tile Verification (Air-Gap)

Purpose

Operational runbook for using Rekor tile material in air-gapped promotion gates.

Preconditions

  • Offline bundle includes tile/proof artifacts and trust roots.
  • Promotion gate is configured to consume offline proof references.
  • Operator has tenant-scoped Authority credentials.

Inputs

  • Promotion identifier
  • Evidence bundle identifier
  • Rekor tile/proof bundle from offline sync
  • Trust root set (Fulcio/KMS roots and Rekor checkpoint material)

Procedure

  1. Validate bundle integrity.
  2. Import tile/proof files into the local Attestor cache.
  3. Run offline verification for referenced DSSE envelopes.
  4. Attach verification outputs to promotion gate input payload.
  5. Execute promotion gate evaluation.
  6. Persist decision record with proof references.

Example Commands

# 1) verify portable evidence bundle
stella evidence verify --bundle portable-evidence-bundle.tgz --offline

# 2) import tile material
stella rekor tiles import --bundle rekor-tiles.tgz

# 3) verify inclusion proofs offline
stella rekor verify --offline --evidence-bundle-id <bundle-id>

# 4) run promotion gate preview with offline verification enabled
stella promotion preview-gates --promotion <promotion-id> --offline-rekor

Failure Modes

| Failure mode | Expected gate behavior | Operator action |
| --- | --- | --- |
| Missing tile/proof files | Fail closed (deny or pending per policy) | Re-sync offline bundle and retry verification |
| Invalid proof chain | Fail closed | Rotate trust roots or investigate tampering |
| Expired trust roots | Fail closed | Import updated trust bundle from connected zone |
| Break-glass enabled | Explicitly auditable non-standard path | Record reason/ticket and time-bound override |

Offline QA Matrix (Deterministic)

  1. Valid tile/proof bundle produces identical verification output hash across repeated runs.
  2. Missing tile segment fails closed with stable reason code.
  3. Tampered inclusion proof fails closed with stable reason code.
  4. Expired trust root fails closed with stable reason code.
  5. Break-glass path emits explicit marker and does not masquerade as standard verification.
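
The fail-closed behavior in matrix items 1 to 3, as an added Python example that is not Stella Ops code: it folds an RFC 6962 inclusion proof against a trusted root hash and returns a reason code plus a digest of the canonical report. The reason-code strings, function names and sample leaves are assumptions made for illustration; checkpoint signature and trust-root expiry checks are out of scope here.

```python
import hashlib, json

def sha256(b): return hashlib.sha256(b).digest()
def leaf_hash(d): return sha256(b"\x00" + d)          # RFC 6962 leaf prefix
def node_hash(l, r): return sha256(b"\x01" + l + r)   # RFC 6962 interior-node prefix

def root_from_proof(index, size, leaf, proof):
    """Fold an audit path (RFC 9162, 2.1.3.2); None if the path shape is wrong."""
    if not 0 <= index < size:
        return None
    fn, sn, r = index, size - 1, leaf
    for p in proof:
        if sn == 0:                       # proof is longer than the tree allows
            return None
        if fn & 1 or fn == sn:            # sibling is on the left
            r = node_hash(p, r)
            while not fn & 1 and fn:      # skip levels with no right sibling
                fn, sn = fn >> 1, sn >> 1
        else:                             # sibling is on the right
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return r if sn == 0 else None         # proof too short: fail

def verify_offline(entry, index, size, proof, trusted_root):
    """Fail closed: anything other than a full match yields allow=False."""
    if proof is None or any(p is None for p in proof):
        reason = "TILE_MISSING"           # hypothetical reason code
    elif root_from_proof(index, size, leaf_hash(entry), proof) != trusted_root:
        reason = "PROOF_INVALID"          # hypothetical reason code
    else:
        reason = "OK"
    report = {"allow": reason == "OK", "reason": reason, "index": index,
              "size": size, "root": trusted_root.hex()}
    # Canonical JSON (sorted keys, no timestamps) keeps the digest stable across runs.
    canon = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return report, hashlib.sha256(canon).hexdigest()

# Constructed 4-entry sample log (not real Rekor data) so the example runs offline.
LEAVES = [b"dsse-envelope-%d" % i for i in range(4)]
L = [leaf_hash(x) for x in LEAVES]
ROOT = node_hash(node_hash(L[0], L[1]), node_hash(L[2], L[3]))
PROOF_2 = [L[3], node_hash(L[0], L[1])]   # audit path for the entry at index 2

if __name__ == "__main__":
    print(verify_offline(LEAVES[2], 2, 4, PROOF_2, ROOT))
    print(verify_offline(LEAVES[2], 2, 4, [PROOF_2[0], None], ROOT))
```
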

Audit Outputs

  • Promotion decision record id
  • Policy decision digest
  • Evidence bundle id
  • Rekor verification report reference
  • Break-glass marker (if used)

Related Documents

  • docs/modules/airgap/README.md
  • docs/modules/airgap/guides/proof-chain-verification.md
  • docs/modules/evidence-locker/promotion-evidence-contract.md
  • docs/modules/release-jobengine/promotion-runtime-gap-closure-plan.md