git.stella-ops.org/docs/implplan/updates/2025-11-24-mirror-dsse-rev-1501.md
StellaOps Bot d92973d6fd
sprints update
2025-11-25 07:49:24 +02:00

Mirror DSSE Revision — MIRROR-DSSE-REV-1501

Date: 2025-11-24
Owners: Mirror Creator Guild · Security Guild · Evidence Locker Guild
Scope: Finalize DSSE layout and signing inputs for mirror bundles and time-anchor receipts used by Excititor/ExportCenter/CLI.

Decisions

  • Envelope & payload: Use DSSE with payload type application/vnd.stellaops.mirror+json;version=1. The payload contains a deterministic manifest of mirror files (mirror.json) plus references to SHA256SUMS and SHA256SUMS.dsse.
  • Canonical ordering: Manifest entries are sorted lexicographically by path; hashes are lower-case hex; timestamps are ISO-8601 UTC; optional fields are omitted when empty.
  • Signing keys: Ed25519 signing using key ref mirror-root-ed25519-01; key distribution via offline bundle keys/mirror-root.pub. Rekor transparency optional; when present, include rekorUUID and rekorUrl fields.
  • Headers: DSSE header carries issuer, keyid, created (UTC), and purpose=mirror-bundle. Detached header file stored at mirror/metadata/mirror.dsse.json to allow verification without payload extraction.
  • Verification rules: Accept signatures that validate against the configured keyring and match the manifest hash; reject if the payload hash mismatches or the header purpose is not mirror-bundle.
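
The verification rules above, sketched as an added example (not code from the StellaOps repository). The `Header` struct, its `PayloadSHA256` field name, the `Sign` helper, and the throwaway key and manifest are assumptions made for illustration; the PAE string follows the DSSE v1 specification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

const payloadType = "application/vnd.stellaops.mirror+json;version=1"

// Header holds detached-header fields; PayloadSHA256 is an assumed field name.
type Header struct {
	KeyID, Purpose, PayloadSHA256 string
	Sig                           []byte
}

// pae is the DSSE v1 pre-authentication encoding: type and body are both signed.
func pae(typ string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(body), body))
}

// Sign builds a header over the manifest bytes (hypothetical helper for the demo).
func Sign(priv ed25519.PrivateKey, keyID, purpose string, manifest []byte) Header {
	sum := sha256.Sum256(manifest)
	return Header{keyID, purpose, hex.EncodeToString(sum[:]), ed25519.Sign(priv, pae(payloadType, manifest))}
}

// Verify applies the rules in order: purpose, payload hash, signature from keyring.
func Verify(h Header, manifest []byte, keyring map[string]ed25519.PublicKey) error {
	if h.Purpose != "mirror-bundle" {
		return errors.New("purpose is not mirror-bundle")
	}
	sum := sha256.Sum256(manifest)
	if h.PayloadSHA256 != hex.EncodeToString(sum[:]) {
		return errors.New("payload hash mismatch")
	}
	pub, ok := keyring[h.KeyID]
	if !ok || !ed25519.Verify(pub, pae(payloadType, manifest), h.Sig) {
		return errors.New("no valid signature from keyring")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)                   // throwaway key, constructed
	m := []byte(`{"files":[{"path":"a.json","sha256":"00"}]}`) // constructed manifest
	h := Sign(priv, "mirror-root-ed25519-01", "mirror-bundle", m)
	fmt.Println(Verify(h, m, map[string]ed25519.PublicKey{h.KeyID: pub}))
}
```

In this sketch only the PAE of the payload is signed, so the `purpose` and hash fields are checked but not themselves authenticated; the page does not state whether the detached header fields are covered by the signature.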

Artefacts

  • Sample manifest + DSSE: out/mirror/thin/mirror-thin-m0-sample.tar.gz (existing) with new DSSE header example at docs/samples/mirror/m0-sample/mirror.dsse.json (hash: TBD by pipeline).
  • Key reference: docs/samples/mirror/mirror-root-ed25519-01.pub (fingerprint documented in manifest header).

Actions

  • Mirror Creator Guild to regenerate milestone bundle with DSSE header once export center schema aligns; publish hashes to SHA256SUMS.dsse.
  • Evidence Locker Guild to accept DSSE headers as proof input for portable bundles; update attestation contract to reference purpose=mirror-bundle.
  • Security Guild to register mirror-root-ed25519-01 in key registry and rotate quarterly; add Rekor inclusion proof when online.

Risks/Notes

  • The optional Rekor path remains; offline installs skip transparency but must store the DSSE header. If the Rekor UUID is missing, the CLI should warn but continue with local verification.
  • Pending alignment with Export Center manifest v1.1; track deltas in future update if schema changes.