git.stella-ops.org/docs/features/unchecked/policy/signature-required-policy-gate.md

# Signature Required Policy Gate (SignatureRequiredGate)

**Module:** Policy

**Status:** IMPLEMENTED

## Description

A policy gate that requires valid cryptographic signatures on release artifacts before promotion, with configurable signing-key allowlists, certificate chain validation, and Rekor inclusion proof requirements.

## Implementation Details

- `PolicyGateEvaluator`: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
  - Evidence Completeness gate (first in the pipeline) verifies signature presence
  - Signature requirements configurable per environment
  - Gate result types: Pass (valid signature), Block (missing/invalid signature)
- `VexTrustGate`: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs`
  - `RequireIssuerVerified` per environment: production=true, staging=true, development=false
  - Issuer signature verification as part of VEX trust evaluation
- `VexTrustGateOptions`: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateOptions.cs`
  - Per-environment signing requirements (`RequireIssuerVerified` flag)
  - `FailureAction`: Warn or Block when signature verification fails
- `EvidenceRequirementValidator`: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/EvidenceRequirementValidator.cs`
  - DSSE signature verification for evidence attestations
  - Validates that signed evidence meets trust requirements
- `VerdictAttestationService`: `src/Policy/StellaOps.Policy.Engine/Attestation/VerdictAttestationService.cs`
  - DSSE-signed verdict attestations with certificate chain
- `KnowledgeSnapshotManifest`: `src/Policy/__Libraries/StellaOps.Policy/Snapshots/KnowledgeSnapshotManifest.cs`
  - `TrustBundleRef` (`BundleId`, `Digest`, `Uri`) for the trust anchor set
  - `Signature` field on the manifest for optional DSSE signing

## E2E Test Plan

- Evaluate an artifact with a valid signature from an allowed key; verify the gate passes
- Evaluate an artifact without a signature; verify the gate blocks with a "missing signature" message
- Evaluate an artifact with a signature from a key not in the allowlist; verify the gate blocks
- Configure an environment requiring issuer verification; provide an unverified issuer; verify the gate blocks
- Configure an environment not requiring issuer verification (development); provide an unsigned VEX; verify the gate passes
- Evaluate an artifact with an expired certificate; verify the gate blocks with a certificate validation error
- Verify the DSSE envelope structure on the verdict attestation includes a valid signature
- Verify `TrustBundleRef` in `KnowledgeSnapshotManifest` references the correct trust anchor set
- Verify `EvidenceRequirementValidator` validates the DSSE signature on the evidence attestation
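The following is an added example, not StellaOps code, that models the gate logic listed under Implementation Details and exercises the first five cases of the E2E Test Plan. It is written in Go rather than the project's C# so that it runs with only the standard library: the DSSE v1 pre-authentication encoding (PAE) is signed and verified with Ed25519, the allowlist is keyed by a SHA-256 key ID, and the `EnvOptions` struct stands in for the per-environment `RequireIssuerVerified` and `FailureAction` settings. The `Evaluate`, `Sign`, `KeyID` names, the key-ID derivation, and the sample payload are all assumptions of this example; certificate chain validation and Rekor inclusion proofs are out of scope here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Outcome mirrors the gate result types on the page: Pass, Warn, Block.
type Outcome string

const (
	Pass  Outcome = "Pass"
	Warn  Outcome = "Warn"
	Block Outcome = "Block"
)

// GateResult is the gate outcome plus the reason reported to the operator.
type GateResult struct {
	Outcome Outcome
	Reason  string
}

// Envelope is a minimal DSSE envelope; Payload and Sig are raw bytes and are
// base64-encoded by encoding/json, which matches the DSSE wire form.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     []byte      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// Signature is one entry of the DSSE "signatures" array.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   []byte `json:"sig"`
}

// EnvOptions is an assumed per-environment configuration shaped after the
// RequireIssuerVerified / FailureAction options named on the page.
type EnvOptions struct {
	RequireIssuerVerified bool
	FailureAction         Outcome // Warn or Block
}

// pae builds the DSSE v1 Pre-Authentication Encoding; this, not the raw
// payload, is what gets signed and verified.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// KeyID derives a stable allowlist identifier from a public key (SHA-256 hex).
// This derivation is an assumption of the example.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Sign appends an Ed25519 signature over the PAE to the envelope.
func Sign(env *Envelope, priv ed25519.PrivateKey) {
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, pae(env.PayloadType, env.Payload))
	env.Signatures = append(env.Signatures, Signature{KeyID: KeyID(pub), Sig: sig})
}

// Evaluate is the gate. It passes when at least one signature verifies under
// an allowlisted key; a missing signature, an unknown key, or a bad signature
// maps to the environment's FailureAction (Block or Warn). Environments with
// RequireIssuerVerified=false (development on the page) skip the check.
func Evaluate(env Envelope, allow map[string]ed25519.PublicKey, opts EnvOptions) GateResult {
	if !opts.RequireIssuerVerified {
		return GateResult{Pass, "issuer verification not required in this environment"}
	}
	fail := func(reason string) GateResult {
		if opts.FailureAction == Warn {
			return GateResult{Warn, reason}
		}
		return GateResult{Block, reason}
	}
	if len(env.Signatures) == 0 {
		return fail("missing signature")
	}
	msg := pae(env.PayloadType, env.Payload)
	for _, s := range env.Signatures {
		pub, ok := allow[s.KeyID]
		if !ok {
			continue // unknown key: never trusted, even if the bytes would verify
		}
		if ed25519.Verify(pub, msg, s.Sig) {
			return GateResult{Pass, "valid signature from allowlisted key " + s.KeyID[:12]}
		}
	}
	return fail("no signature verified under an allowlisted key")
}

func main() {
	// Constructed sample: one allowlisted release-signing key and one key that is not.
	releasePub, releasePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	allow := map[string]ed25519.PublicKey{KeyID(releasePub): releasePub}
	prod := EnvOptions{RequireIssuerVerified: true, FailureAction: Block}

	signed := Envelope{PayloadType: "application/vnd.in-toto+json", Payload: []byte(`{"artifact":"app:1.2.3"}`)}
	Sign(&signed, releasePriv)
	wire, _ := json.Marshal(signed)
	fmt.Println(string(wire)) // DSSE wire form with base64 payload and sig
	fmt.Println(Evaluate(signed, allow, prod))

	rogue := Envelope{PayloadType: signed.PayloadType, Payload: signed.Payload}
	Sign(&rogue, roguePriv)
	fmt.Println(Evaluate(rogue, allow, prod))
}
```

The allowlist lookup happens before the signature check on purpose: a signature from an unknown key is never verified, so a valid signature from an unapproved key reads as "no allowlisted signature" rather than as a cryptographic failure, which keeps the operator-facing reason honest about which control rejected it.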