git.stella-ops.org/docs/features/unchecked/evidencelocker/provenance-bundle-export-and-independent-verification.md

Provenance Bundle Export and Independent Verification

Module: EvidenceLocker

Status: IMPLEMENTED

Description

Provenance attestation with build models, signers, and verification is implemented. EvidenceLocker supports tar.gz bundle export with Merkle tree integrity.

Implementation Details

  • Modules: src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/, src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/
  • Key Classes:
    • TarGzBundleExporter (src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/TarGzBundleExporter.cs) - exports provenance bundles as tar.gz with Merkle tree
    • MerkleTreeBuilder (src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/MerkleTreeBuilder.cs) - builds Merkle tree for bundle integrity verification
    • VerifyScriptGenerator (src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/VerifyScriptGenerator.cs) - generates verification scripts for independent verification
    • EvidenceSignatureService (src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/EvidenceSignatureService.cs) - signs provenance bundles with DSSE
    • EvidencePortableBundleService (src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Services/EvidencePortableBundleService.cs) - creates portable provenance bundles
    • BundleManifest (src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/Models/BundleManifest.cs) - manifest with provenance attestation references
  • Interfaces: IEvidenceBundleExporter, IEvidenceSignatureService
  • Source: Feature matrix scan

E2E Test Plan

  • Export a provenance bundle via TarGzBundleExporter and verify it contains SLSA provenance attestation and Merkle tree
  • Verify MerkleTreeBuilder computes correct Merkle root matching all bundle items
  • Verify VerifyScriptGenerator creates scripts that independently verify provenance signatures and Merkle root
  • Verify EvidenceSignatureService signs the provenance bundle and the signature is independently verifiable
  • Verify the exported bundle can be verified by a third party using only the bundle contents and public key
  • Verify EvidencePortableBundleService creates a self-contained portable bundle for air-gapped environments