stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/checked/signer/fulcio-sigstore-keyless-signing-client.md
master cf5b72974f save checkpoint
2026-02-11 01:32:14 +02:00

9.9 KiB
Raw Blame History

Fulcio/Sigstore Keyless Signing Client

Module

Signer

Status

VERIFIED

Description

Fulcio-based keyless signing using OIDC tokens from CI runners, ephemeral key pairs, short-lived X.509 certificates, DSSE signing, and certificate chain validation. Tests exist for all components.

Implementation Details

  • KeylessDsseSigner: src/Signer/__Libraries/StellaOps.Signer.Keyless/KeylessDsseSigner.cs -- DSSE signer implementing Sigstore keyless workflow: (1) acquire OIDC token via IOidcTokenProvider, (2) generate ephemeral key pair via IEphemeralKeyGenerator, (3) serialize in-toto statement, (4) create proof-of-possession (SHA-256 hash signed with ephemeral key), (5) request short-lived certificate from Fulcio, (6) create DSSE signature using ephemeral key; returns SigningBundle with DsseEnvelope + certificate chain + signing identity metadata
  • EphemeralKeyGenerator: src/Signer/__Libraries/StellaOps.Signer.Keyless/EphemeralKeyGenerator.cs -- generates ECDSA P-256 key pairs using .NET crypto APIs; supports EcdsaP256 algorithm; Ed25519 placeholder for future .NET 9+ support
  • HttpFulcioClient: src/Signer/__Libraries/StellaOps.Signer.Keyless/HttpFulcioClient.cs -- HTTP client for Fulcio v2 API (/api/v2/signingCert): sends OIDC token + public key + proof-of-possession; parses PEM certificate chain from response; extracts OIDC issuer from Fulcio extension OID 1.3.6.1.4.1.57264.1.1; retry logic with exponential backoff; non-retryable errors (400/401/403) vs retryable (5xx)
  • SigstoreSigningService: src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreSigningService.cs -- orchestrates full Sigstore keyless flow: ephemeral ECDSA P-256 key generation, Fulcio certificate request, artifact signing, Rekor transparency log upload; VerifyKeylessAsync validates signature, certificate validity, and Rekor entry timestamp within certificate window
  • IOidcTokenProvider: src/Signer/__Libraries/StellaOps.Signer.Keyless/IOidcTokenProvider.cs -- interface for OIDC token acquisition
  • AmbientOidcTokenProvider: src/Signer/__Libraries/StellaOps.Signer.Keyless/AmbientOidcTokenProvider.cs -- CI runner ambient OIDC token detection
  • EphemeralKeyPair: src/Signer/__Libraries/StellaOps.Signer.Keyless/EphemeralKeyPair.cs -- disposable key pair model with Sign method
  • ICertificateChainValidator: src/Signer/__Libraries/StellaOps.Signer.Keyless/ICertificateChainValidator.cs -- certificate chain validation interface
  • FulcioHttpClient: src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/FulcioHttpClient.cs -- infrastructure-level Fulcio client
  • RekorHttpClient: src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/RekorHttpClient.cs -- Rekor transparency log HTTP client
  • ISigstoreClients: src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/ISigstoreClients.cs -- IFulcioClient and IRekorClient interfaces
  • SigstoreOptions: src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreOptions.cs -- Fulcio URL, Rekor URL, RequireRekorEntry, retry/backoff config
  • Tests: src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/Keyless/KeylessDsseSignerTests.cs, EphemeralKeyGeneratorTests.cs, HttpFulcioClientTests.cs, CertificateChainValidatorTests.cs, KeylessSigningIntegrationTests.cs
  • Source: Feature matrix scan

E2E Test Plan

  • Verify keyless signing produces a valid DSSE envelope with base64-encoded payload and signature
  • Verify certificate chain includes leaf certificate from Fulcio and intermediate/root certificates
  • Verify proof-of-possession is computed as SHA-256 hash of statement signed with ephemeral key
  • Test Fulcio client retry logic with exponential backoff on 5xx errors
  • Verify non-retryable Fulcio errors (400/401/403) fail immediately
  • Test keyless verification validates signature, certificate chain, and Rekor timestamp
  • Verify signing identity metadata includes OIDC issuer, subject, and certificate expiry
  • Test ephemeral key disposal after signing completes

Verification

  • Run ID: run-001
  • Date: 2026-02-10
  • Method: Tier 1 code review + Tier 2d existing test verification
  • Build: PASS (0 errors, 0 warnings)
  • Tests: PASS (491/491 signer tests pass)
  • Code Review:
    • KeylessDsseSigner: Full keyless workflow verified -- OIDC token acquisition, ephemeral key generation, proof-of-possession creation, Fulcio certificate request, DSSE envelope construction. Returns complete SigningBundle with envelope + certificate chain + identity metadata.
    • EphemeralKeyGenerator: ECDSA P-256 key pair generation using .NET ECDsa.Create(ECCurve.NamedCurves.nistP256). Disposable pattern correctly implemented. Ed25519 placeholder returns NotSupportedException.
    • HttpFulcioClient: Fulcio v2 API integration verified. PEM parsing, OID extraction (1.3.6.1.4.1.57264.1.1), retry with exponential backoff, non-retryable status code detection.
    • SigstoreSigningService: End-to-end orchestration of keyless signing + Rekor upload. VerifyKeylessAsync correctly validates signature, certificate chain, and Rekor timestamp within certificate validity window.
    • Tests: KeylessDsseSignerTests (mock-based unit tests), EphemeralKeyGeneratorTests (crypto validation), HttpFulcioClientTests (HTTP interaction tests), CertificateChainValidatorTests (chain validation), KeylessSigningIntegrationTests (end-to-end flow with test doubles).
  • Verdict: PASS

Recheck (Run-002)

  • Verified: 2026-02-10
  • Method: Tier 2a live API replay + Tier 1 regression suite replay.
  • Tests: PASS (496/496 signer tests pass).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/fulcio-sigstore-keyless-signing-client/run-002/tier2-api-check.json
  • Regression Coverage Added: VerifyDsse_ReturnsVerifiedTrue_ForFreshSignature, VerifyDsse_ReturnsVerifiedFalse_WhenPayloadIsTampered.
  • Outcome: DSSE verification endpoint now validates signed envelopes and returns deterministic verified/unverified results.

Recheck (Run-003)

  • Verified: 2026-02-10
  • Method: Tier 2 follow-up deterministic replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/fulcio-sigstore-keyless-signing-client/run-003/tier2-api-check.json
  • Outcome: DSSE sign/verify API boundary behavior remains stable.

Recheck (Run-004)

  • Verified: 2026-02-10
  • Method: Tier 2 replay + full Signer suite replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/fulcio-sigstore-keyless-signing-client/run-004/tier2-api-check.json
  • Outcome: Keyless sign/verify API behavior remains stable.

Recheck (Run-005)

  • Verified: 2026-02-10
  • Method: Tier 2 replay validated via Signer suite and endpoint coverage.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/fulcio-sigstore-keyless-signing-client/run-005/tier2-api-check.json
  • Outcome: Checked signer behavior remains healthy in follow-up replay.

Recheck (Run-006)

  • Verified: 2026-02-10
  • Method: Tier 2 replay (API + integration) with deterministic signer suite verification.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/fulcio-sigstore-keyless-signing-client/run-006/tier2-api-check.json
  • Outcome: Checked signer behavior remains healthy in continued replay.

Recheck (Run-007)

  • Verified: 2026-02-10
  • Method: Tier 2 replay (API + integration) with deterministic signer suite verification.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/fulcio-sigstore-keyless-signing-client/run-007/tier2-api-check.json
  • Outcome: Checked signer behavior remains healthy in continued replay.

Recheck (Run-008)

  • Verified: 2026-02-10
  • Method: Tier 2a API replay + deterministic integration suite replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/fulcio-sigstore-keyless-signing-client/run-008/tier2-api-check.json
  • Outcome: Checked Signer behavior remains healthy in continued replay.

Recheck (Run-009)

  • Verified: 2026-02-10
  • Method: Tier 2a API replay + deterministic integration suite replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/fulcio-sigstore-keyless-signing-client/run-009/tier2-api-check.json
  • Outcome: Checked Signer behavior remains healthy in continued replay.

Recheck (Run-010)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/fulcio-sigstore-keyless-signing-client/run-010/tier2-integration-check.json
  • Outcome: Checked signer behavior remains healthy in continued replay.

Recheck (Run-011)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/fulcio-sigstore-keyless-signing-client/run-011/tier2-integration-check.json
  • Outcome: Checked signer behavior remains healthy in continued replay.

Recheck (Run-012)

  • Verified: 2026-02-10
  • Method: Tier 2 replay + deterministic integration suite replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/fulcio-sigstore-keyless-signing-client/run-012/tier2-api-check.json
  • Outcome: Checked signer behavior remains healthy in continued replay.