Mirror Bundles (Airgap 56-003)
Defines the mirror bundle format and validation workflow for sealed deployments.
Contents
- Images/charts: OCI artifacts exported with digests + SBOMs.
- Manifests: `manifest.json` with entries:
  - `bundleId`, `mirrorGeneration`, `createdAt`, `producer` (export center), `hashes` (sha256 list)
  - `dsseEnvelopeHash` for signed manifest (if available)
  - `files[]`: path, sha256, size, mediaType
- Transparency: optional TUF metadata (`timestamp.json`, `snapshot.json`) for replay protection.
Validation steps
- Verify `manifest.json` sha256 matches provided hash.
- If DSSE present, verify signature against offline trust roots.
- Validate Merkle root (if included) over `files[]` hashes.
- For each OCI artifact, confirm digest matches and SBOM present.
- Record `mirrorGeneration` and manifest hash; store in audit log and timeline event.
Workflow
- Export Center produces bundle + manifest; Attestor/Excititor importers validate before ingest.
- Bundle consumers must refuse imports if any hash/signature fails.
- Keep format stable; any schema change bumps `manifestVersion` in `manifest.json`.
Determinism
- Sort `files[]` by path; compute hashes with UTF-8 canonical paths.
- Use ISO-8601 UTC timestamps in manifests.
- Do not include host-specific paths or timestamps in tar layers.
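
The hash checks from the validation steps and the `files[]` ordering rule, as an added Python example (not the project's importer code). DSSE, Merkle root and SBOM checks are omitted because this page does not specify their formats. The names `validate_bundle`, `BundleRejected` and `make_sample_bundle`, the constructed sample bundle, UTF-8 byte-order sorting and resolving each path relative to the bundle directory are assumptions.

```python
import hashlib
import json
import os
from pathlib import Path

class BundleRejected(Exception):
    """Any failed check: the importer must refuse the bundle."""

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def validate_bundle(bundle_dir: str, expected_manifest_sha256: str) -> dict:
    raw = Path(bundle_dir, "manifest.json").read_bytes()
    # Hash the raw bytes before parsing, so a tampered manifest is never interpreted.
    manifest_hash = sha256_hex(raw)
    if manifest_hash != expected_manifest_sha256.lower():
        raise BundleRejected("manifest.json sha256 mismatch")
    manifest = json.loads(raw)
    paths = [entry["path"] for entry in manifest["files"]]
    # Determinism rule: files[] sorted by path (assumed: UTF-8 byte order).
    if paths != sorted(paths, key=lambda p: p.encode("utf-8")):
        raise BundleRejected("files[] is not sorted by path")
    root = os.path.realpath(bundle_dir)
    for entry in manifest["files"]:
        target = os.path.realpath(os.path.join(root, entry["path"]))
        # Added hardening (assumption): entries must stay inside the bundle.
        if os.path.commonpath([root, target]) != root:
            raise BundleRejected(f"path escapes bundle: {entry['path']}")
        if not os.path.isfile(target):
            raise BundleRejected(f"missing file: {entry['path']}")
        data = Path(target).read_bytes()
        if len(data) != entry["size"] or sha256_hex(data) != entry["sha256"]:
            raise BundleRejected(f"size/sha256 mismatch: {entry['path']}")
    # Values the page says to record in the audit log and timeline event.
    return {"mirrorGeneration": manifest["mirrorGeneration"], "manifestSha256": manifest_hash}

def make_sample_bundle(directory: str) -> str:
    """Write a constructed two-file bundle; return the manifest sha256."""
    files = {"charts/app.tgz": b"chart-bytes", "images/app.tar": b"image-bytes"}
    entries = []
    for path in sorted(files):
        os.makedirs(os.path.dirname(os.path.join(directory, path)), exist_ok=True)
        Path(directory, path).write_bytes(files[path])
        entries.append({"path": path, "sha256": sha256_hex(files[path]), "size": len(files[path])})
    raw = json.dumps({"bundleId": "sample", "mirrorGeneration": 7, "files": entries}).encode()
    Path(directory, "manifest.json").write_bytes(raw)
    return sha256_hex(raw)
```

A manifest with missing keys raises `KeyError` rather than `BundleRejected`; an importer should treat any exception from the validator as a refusal.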