stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/attestor/periodic-rekor-verification-job.md

2.9 KiB
Raw Blame History

Periodic Rekor Verification Job

Module

Attestor

Status

IMPLEMENTED

Description

Scheduled background job that periodically re-verifies Rekor transparency log entries to detect post-compromise tampering, with metrics emission, health check integration, and a dedicated Doctor plugin for verification status monitoring.

Implementation Details

  • Rekor Verification Job: src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Verification/RekorVerificationJob.cs -- scheduled background job that re-verifies Rekor entries on a configurable interval.
  • Rekor Verification Service: Verification/RekorVerificationService.cs -- service that performs the actual verification (inclusion proof, checkpoint consistency). Implements IRekorVerificationService.cs.
  • Verification Metrics: Verification/RekorVerificationMetrics.cs -- emits metrics: entries verified, failures detected, verification duration.
  • Health Check: Verification/RekorVerificationHealthCheck.cs -- ASP.NET health check reporting Rekor verification status.
  • Checkpoint Divergence Detector: StellaOps.Attestor.Core/Rekor/CheckpointDivergenceDetector.cs -- detects checkpoint divergence between local and remote Rekor log. Implements ICheckpointDivergenceDetector.cs.
  • Divergence Alert Publisher: Rekor/CheckpointDivergenceAlertPublisher.cs -- publishes alerts when checkpoint divergence is detected.
  • Rekor Inclusion Verification: Rekor/RekorInclusionVerificationResult.cs -- result of verifying a single entry's inclusion proof.
  • Merkle Proof Verifier: Verification/MerkleProofVerifier.cs -- verifies Merkle inclusion proofs for Rekor entries.
  • Offline Receipt Verifier: Verification/RekorOfflineReceiptVerifier.cs -- verifies Rekor receipts without network access.
  • Verification Report: Verification/VerificationReport.cs -- aggregate report of all verification results for a run.
  • Tests: __Tests/StellaOps.Attestor.Core.Tests/RekorVerificationJobTests.cs

E2E Test Plan

  • Run RekorVerificationJob against a set of persisted Rekor entries and verify all entries are re-verified successfully
  • Tamper with a persisted Rekor entry's inclusion proof and verify the job detects the failure via RekorVerificationService
  • Verify RekorVerificationMetrics emits correct counts: entries_verified, failures_detected, duration_ms
  • Verify RekorVerificationHealthCheck reports Healthy when all entries verify and Unhealthy when failures are detected
  • Simulate checkpoint divergence via CheckpointDivergenceDetector (local checkpoint ahead of remote) and verify CheckpointDivergenceAlertPublisher fires
  • Verify MerkleProofVerifier correctly validates inclusion proofs for Rekor entries
  • Verify VerificationReport contains a summary of all checks with pass/fail status per entry
  • Run the verification job with network disabled and verify RekorOfflineReceiptVerifier handles offline mode