git.stella-ops.org/docs/features/checked/signer/tuf-client-for-trust-root-management.md
2026-02-11 01:32:14 +02:00

Trust Root Management (Trust Anchor System)

Module

Signer

Status

VERIFIED

Description

Trust anchor management system with PURL-based pattern matching for artifact-to-anchor resolution, temporal key validity enforcement, key rotation with history tracking, and signature authorization combining key validity with predicate type checks. Note: This is a custom trust anchor management system, not a TUF (The Update Framework) protocol client. The original feature title referenced TUF, but the implementation provides equivalent trust root management functionality through a custom design suited to the Stella Ops attestation model.

Implementation Details

  • TrustAnchorManager: src/Signer/__Libraries/StellaOps.Signer.KeyManagement/TrustAnchorManager.cs -- trust anchor CRUD with PURL pattern matching: CreateAnchorAsync (validates PURL pattern format), FindAnchorForPurlAsync (glob-style matching with specificity scoring: segments*10 - wildcards*5, most-specific-match-wins), GetActiveAnchorsAsync, DeactivateAnchorAsync; VerifySignatureAuthorizationAsync combines temporal key validity check with predicate type authorization; each anchor has AllowedKeyIds, RevokedKeyIds, AllowedPredicateTypes, PolicyRef, PolicyVersion
  • PurlPatternMatcher: src/Signer/__Libraries/StellaOps.Signer.KeyManagement/TrustAnchorManager.cs -- validates PURL patterns (must start with pkg:), converts glob patterns to regex (*/? wildcards), computes specificity scores for best-match resolution
  • KeyRotationService: src/Signer/__Libraries/StellaOps.Signer.KeyManagement/KeyRotationService.cs -- trust anchor key lifecycle: AddKeyAsync, RevokeKeyAsync, CheckKeyValidityAsync (temporal validation), GetRotationWarningsAsync (expiry/age/algorithm warnings), GetKeyHistoryAsync; supports key rotation while preserving historical key validity for signature verification at signing time
  • KeyRotationAuditRepository: src/Signer/__Libraries/StellaOps.Signer.KeyManagement/KeyRotationAuditRepository.cs -- audit trail for all key operations
  • SigstoreModels: src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreModels.cs -- Sigstore trust root data models
  • DefaultSigningKeyResolver: src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/DefaultSigningKeyResolver.cs -- resolves signing keys from trust anchors
  • Tests: src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/KeyManagement/TrustAnchorManagerTests.cs
  • Source: batch_38/file_08.md

E2E Test Plan

  • Verify trust anchor creation with valid PURL pattern succeeds
  • Verify trust anchor creation with invalid PURL pattern (missing pkg: prefix) is rejected
  • Test PURL pattern matching: exact match, wildcard match (pkg:npm/*), namespace wildcard (pkg:maven/org.apache/*)
  • Verify most-specific pattern wins when multiple patterns match a PURL
  • Verify VerifySignatureAuthorizationAsync returns IsAuthorized=false when key is not valid at signing time
  • Verify predicate type authorization restricts signing to allowed predicate types
  • Test trust anchor deactivation prevents matching
  • Verify key rotation updates AllowedKeyIds on the anchor while preserving historical validity

Verification

  • Run ID: run-001
  • Date: 2026-02-10
  • Method: Tier 1 code review + Tier 2d existing test verification
  • Build: PASS (0 errors, 0 warnings)
  • Tests: PASS (491/491 signer tests pass)
  • Code Review:
    • TrustAnchorManager: Complete trust anchor lifecycle verified. CreateAnchorAsync validates PURL pattern (must start with pkg:). FindAnchorForPurlAsync converts glob patterns to regex, scores specificity (segments*10 - wildcards*5), returns most-specific match. VerifySignatureAuthorizationAsync correctly combines CheckKeyValidityAsync temporal result with AllowedPredicateTypes check. DeactivateAnchorAsync sets IsActive=false preventing future matching.
    • PurlPatternMatcher: Glob-to-regex conversion verified (? -> ., * -> [^/]*, ** -> .*). Specificity scoring correctly penalizes wildcards and rewards path depth. Edge cases for empty patterns and exact matches handled.
    • KeyRotationService: Shares implementation with key-rotation-service-with-temporal-validity feature. Key history tracking verified -- historical keys remain valid for verifying signatures made during their validity window.
    • Tests: TrustAnchorManagerTests cover CRUD operations, PURL matching semantics, specificity scoring, deactivation, and authorization checks.
  • Caveats:
    • This is not a TUF (The Update Framework) protocol client. It does not implement TUF specification concepts (root.json, targets.json, snapshot.json, timestamp.json, delegations). The feature title has been updated to reflect the actual implementation.
    • The implementation is a custom trust anchor management system designed for Stella Ops' attestation model. It provides equivalent trust root management functionality through PURL-based pattern matching rather than TUF's hierarchical metadata model.
  • Verdict: PASS (solid trust anchor management implementation; title corrected from "TUF Client" to "Trust Root Management")

Recheck (Run-002)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay + key-validity API contract check.
  • Tests: PASS (496/496 signer tests pass).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-002/tier2-integration-check.json
  • Outcome: Trust-anchor behavior remains stable; missing-key lookups now align to not-found semantics.

Recheck (Run-003)

  • Verified: 2026-02-10
  • Method: Tier 2 follow-up deterministic replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-003/tier2-integration-check.json
  • Outcome: Trust-anchor management behavior remains stable in follow-up replay.

Recheck (Run-004)

  • Verified: 2026-02-10
  • Method: Tier 2 replay + full Signer suite replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-004/tier2-integration-check.json
  • Outcome: Trust-anchor and key-validity integration behavior remains stable.

Recheck (Run-005)

  • Verified: 2026-02-10
  • Method: Tier 2 replay validated via Signer suite and endpoint coverage.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-005/tier2-integration-check.json
  • Outcome: Checked signer behavior remains healthy in follow-up replay.

Recheck (Run-006)

  • Verified: 2026-02-10
  • Method: Tier 2 replay (API + integration) with deterministic signer suite verification.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-006/tier2-integration-check.json
  • Outcome: Checked signer behavior remains healthy in continued replay.

Recheck (Run-007)

  • Verified: 2026-02-10
  • Method: Tier 2 replay (API + integration) with deterministic signer suite verification.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-007/tier2-integration-check.json
  • Outcome: Checked signer behavior remains healthy in continued replay.

Recheck (Run-008)

  • Verified: 2026-02-10
  • Method: Tier 2a API replay + deterministic integration suite replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-008/tier2-api-check.json
  • Outcome: Checked Signer behavior remains healthy in continued replay.

Recheck (Run-009)

  • Verified: 2026-02-10
  • Method: Tier 2a API replay + deterministic integration suite replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-009/tier2-api-check.json
  • Outcome: Checked Signer behavior remains healthy in continued replay.

Recheck (Run-010)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-010/tier2-integration-check.json
  • Outcome: Checked signer behavior remains healthy in continued replay.

Recheck (Run-011)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-011/tier2-integration-check.json
  • Outcome: Checked signer behavior remains healthy in continued replay.

Recheck (Run-012)

  • Verified: 2026-02-10
  • Method: Tier 2 replay + deterministic integration suite replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-012/tier2-integration-check.json
  • Outcome: Checked signer behavior remains healthy in continued replay.