stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
d92973d6fdeb259a3a8c5a67b0b6e95aaca8633f
git.stella-ops.org/docs/implplan/updates/2025-11-24-mirror-dsse-rev-1501.md
StellaOps Bot d92973d6fd
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
sprints update
2025-11-25 07:49:24 +02:00

26 lines
2.3 KiB
Markdown
Raw Blame History

# Mirror DSSE Revision — MIRROR-DSSE-REV-1501
Date: 2025-11-24
Owners: Mirror Creator Guild · Security Guild · Evidence Locker Guild
Scope: Finalize DSSE layout and signing inputs for mirror bundles and time-anchor receipts used by Excititor/ExportCenter/CLI.
## Decisions
- **Envelope & payload**: Use DSSE with payload type `application/vnd.stellaops.mirror+json;version=1`. Payload contains deterministic manifest of mirror files (`mirror.json`) plus `SHA256SUMS` and `SHA256SUMS.dsse` references.
- **Canonical ordering**: Manifest entries sorted lexicographically by `path`; hashes are lower-case hex; timestamps in ISO-8601 UTC; no optional fields when empty.
- **Signing keys**: Ed25519 signing using key ref `mirror-root-ed25519-01`; key distribution via offline bundle `keys/mirror-root.pub`. Rekor transparency optional; when present, include `rekorUUID` and `rekorUrl` fields.
- **Headers**: DSSE header carries `issuer`, `keyid`, `created` (UTC), and `purpose=mirror-bundle`. Detached header file stored at `mirror/metadata/mirror.dsse.json` to allow verification without payload extraction.
- **Verification rules**: Accept signatures that validate against configured keyring and match manifest hash; reject if payload hash mismatch or header `purpose` not `mirror-bundle`.
## Artefacts
- Sample manifest + DSSE: `out/mirror/thin/mirror-thin-m0-sample.tar.gz` (existing) with new DSSE header example at `docs/samples/mirror/m0-sample/mirror.dsse.json` (hash: TBD by pipeline).
- Key reference: `docs/samples/mirror/mirror-root-ed25519-01.pub` (fingerprint documented in manifest header).
## Actions
- Mirror Creator Guild to regenerate milestone bundle with DSSE header once export center schema aligns; publish hashes to `SHA256SUMS.dsse`.
- Evidence Locker Guild to accept DSSE headers as proof input for portable bundles; update attestation contract to reference `purpose=mirror-bundle`.
- Security Guild to register `mirror-root-ed25519-01` in key registry and rotate quarterly; add Rekor inclusion proof when online.
## Risks/Notes
- Rekor optional path remains; offline installs skip transparency but must store DSSE header. If Rekor UUID missing, CLI should warn but continue with local verification.
- Pending alignment with Export Center manifest v1.1; track deltas in future update if schema changes.
Reference in New Issue View Git Blame Copy Permalink