2.0 KiB
2.0 KiB
DSSE (Dead Simple Signing Envelope) for Every Artifact
Module
Attestor
Status
IMPLEMENTED
Description
Comprehensive DSSE signing implementation across ProofChain, Envelope, and Spdx3 libraries with verification, pre-authentication encoding, and determinism tests.
Implementation Details
- Envelope Library:
src/Attestor/StellaOps.Attestor.Envelope/-- standalone DSSE envelope library withDsseEnvelope,DsseSignature,DsseEnvelopeSerializer,DssePreAuthenticationEncoding,EnvelopeSignatureService. - ProofChain DSSE:
__Libraries/StellaOps.Attestor.ProofChain/Signing/--ProofChainSigner.cs(with.Verification),DsseEnvelope.cs,DsseSignature.cs,IProofChainSigner.cs,IProofChainKeyStore.cs. - SPDX3 DSSE:
__Libraries/StellaOps.Attestor.Spdx3/--DsseSpdx3Signer.cs(with.Encoding,.SignAsync,.SignBuildProfile,.Verify),DsseSpdx3Envelope.cs,DsseSpdx3Signature.cs,IDsseSpdx3Signer.cs. - BinaryDiff DSSE:
__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/BinaryDiffDsseSigner.cs,BinaryDiffDsseVerifier.cs. - Core DSSE:
StellaOps.Attestor.Core/Signing/DsseSigningService.cs,DssePreAuthenticationEncoding.cs. - Attestation DSSE:
StellaOps.Attestation/DsseHelper.cs,DsseVerifier.cs. - Determinism Tests:
__Tests/StellaOps.Attestor.ProofChain.Tests/Envelope/DsseEnvelopeDeterminismTests.cs
E2E Test Plan
- Sign an SBOM artifact via
DsseSpdx3Signerand verify the DSSE envelope wraps the SPDX3 payload - Sign a binary diff artifact via
BinaryDiffDsseSignerand verify the envelope - Sign a proof chain artifact via
ProofChainSignerand verify the envelope - Sign a core attestation via
DsseSigningServiceand verify the envelope - Verify each signed artifact type with its corresponding verifier
- Test determinism: sign the same payload twice and verify the PAE bytes are identical
- Verify cross-library compatibility: create an envelope with
EnvelopeSignatureService, verify withDsseVerifier