git.stella-ops.org/docs/operations/evidence-locker-handoff.md
2026-01-06 19:07:48 +02:00


# Evidence Locker Handoff (Signals & Zastava)

## Inputs required (from Ops)

- `EVIDENCE_LOCKER_URL` (base URL, no trailing slash)
- `CI_EVIDENCE_LOCKER_TOKEN` (Bearer token with write access to `zastava/*` and `signals/*`)
- Signals production signing key for the final re-sign (one of):
  - `COSIGN_PRIVATE_KEY_B64` (base64 of the private key) + optional `COSIGN_PASSWORD`, or
  - key file at `tools/cosign/cosign.key` + password.

## What's ready (deterministic artefacts)

- Zastava tar: `evidence-locker/zastava/2025-12-02/zastava-evidence.tar`
  - sha256: `e1d67424273828c48e9bf5b495a96c2ebcaf1ef2c308f60d8b9ac019cf0f1c9`
- Signals tar (dev key): `evidence-locker/signals/2025-12-05/signals-evidence.tar`
  - sha256: `a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d`

## Publish both bundles (once URL/token are available)

```bash
export EVIDENCE_LOCKER_URL="<locker-base-url>"
export CI_EVIDENCE_LOCKER_TOKEN="<token>"
./tools/upload-all-evidence.sh
```

## Verify locally (hash + inner SHA lists)

- Zastava: `./tools/zastava-verify-evidence-tar.sh [path/to/zastava-evidence.tar]`
- Signals: `./tools/signals-verify-evidence-tar.sh [path/to/signals-evidence.tar]`

## Re-sign Signals with the production key, then re-upload

```bash
export COSIGN_PRIVATE_KEY_B64="<prod-key-b64>"
export COSIGN_PASSWORD="<pwd-if-any>"
OUT_DIR=evidence-locker/signals/2025-12-05 \
  tools/cosign/sign-signals.sh

# Rebuild + upload tar
./tools/signals-upload-evidence.sh
```

## Notes

- All packaging is deterministic (`tar --sort=name --mtime='UTC 1970-01-01' --owner=0 --group=0 --numeric-owner`).
- Transparency log (tlog) upload is disabled for offline parity; Evidence Locker trust comes from the provided keys.
- Upload scripts exit non-zero on hash mismatch to prevent pushing corrupted artefacts.
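As an added illustration (not one of the handoff's own `tools/` scripts), the functions below rebuild a bundle with the deterministic tar flags from the Notes and verify it the way the "Verify locally" step and the upload scripts are described to: the outer sha256 must match the recorded value and the inner SHA list must check out, otherwise the call returns non-zero. It assumes GNU tar and that the bundle carries a `SHA256SUMS` file at its root, which the page does not specify.

```shell
#!/usr/bin/env bash
# Added example, not part of the handoff's tooling. Assumptions: GNU tar
# (for --sort/--mtime/--owner), and a SHA256SUMS file at the bundle root.
set -u

sha256_of() {  # hex digest of a file; falls back to shasum on BSD-style hosts
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# build_evidence_tar SRC_DIR OUT_TAR: write the inner SHA list, then pack with
# fixed ordering, timestamps and ownership so repeated builds are byte-identical.
# (Paths containing whitespace are not handled by this simple list format.)
build_evidence_tar() {
  local src=$1 out=$2
  ( cd "$src" && rm -f SHA256SUMS \
    && find . -type f ! -name SHA256SUMS | LC_ALL=C sort \
       | while read -r f; do printf '%s  %s\n' "$(sha256_of "$f")" "$f"; done > SHA256SUMS )
  tar --sort=name --mtime='UTC 1970-01-01' --owner=0 --group=0 --numeric-owner \
      -C "$src" -cf "$out" .
}

# verify_evidence_tar TAR EXPECTED_SHA256: 0 only if the outer hash matches AND
# every entry in the inner SHA256SUMS matches; non-zero otherwise, so a caller
# can refuse to upload the way the handoff's upload scripts do.
verify_evidence_tar() {
  local tarfile=$1 expected=$2 actual tmp rc=0
  actual=$(sha256_of "$tarfile")
  if [ "$actual" != "$expected" ]; then
    echo "outer sha256 mismatch: expected $expected got $actual" >&2; return 1
  fi
  tmp=$(mktemp -d)
  tar -xf "$tarfile" -C "$tmp" || { rm -rf "$tmp"; return 1; }
  if [ ! -f "$tmp/SHA256SUMS" ]; then
    echo "missing SHA256SUMS in bundle" >&2; rm -rf "$tmp"; return 1
  fi
  ( cd "$tmp" && while read -r sum path; do
        [ "$(sha256_of "$path")" = "$sum" ] || { echo "inner mismatch: $path" >&2; exit 1; }
      done < SHA256SUMS ) || rc=1
  rm -rf "$tmp"
  return $rc
}
```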