stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
e53a282fbea6cfd9aeb10e5909d03fa3a5ccd307
git.stella-ops.org/docs/modules/attestor/airgap.md
StellaOps Bot 9f6e6f7fb3
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Policy Simulation / policy-simulate (push) Has been cancelled
Details
SDK Publish & Sign / sdk-publish (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
devportal-offline / build-offline (push) Has been cancelled
Details
up
2025-11-25 22:09:44 +02:00

43 lines
2.2 KiB
Markdown
Raw Blame History

# Attestor Air-Gap Guide (DOCS-ATTEST-75-001)
Last updated: 2025-11-25
## Goal
Run attestation verification entirely offline while keeping determinism and tenant safety intact.
## Inputs & prerequisites
- **Trust bundle**: DSSE signing keys + certificate chains packaged under `out/offline/attestor/trust-bundle/` (hash manifest included).
- **Transparency checkpoints (optional)**: Rekor or equivalent checkpoints mirrored to `out/offline/attestor/transparency/`.
- **Authority scopes**: `attest:verify` and tenant scoping (`X-Stella-Tenant`) are still required even in sealed mode.
- **No external calls**: Outbound network must be disabled; attestor uses only the provided bundles.
## Configuration (sealed mode)
Set the following environment flags on WebService/Worker:
- `Attestor__Offline__Enabled=true`
- `Attestor__TrustBundlePath=/app/offline/trust-bundle`
- `Attestor__Transparency__CheckpointPath=/app/offline/transparency` (optional)
- `Attestor__Verification__DisableHttpFetch=true`
Mount the bundle directories read-only; keep hashes alongside the payloads for audit.
## Verification flow (offline)
1. Client submits a DSSE envelope to `/api/v1/attestations/verify` with tenant header.
2. Service loads keys from the offline trust bundle; issuer lookup is strictly local.
3. If transparency data is present, the server verifies inclusion against the mirrored checkpoint; otherwise it records `transparency=skipped` in the rationale.
4. Result is returned with deterministic fields: `subject`, `statementDigest`, `verified=true|false`, `transparency=passed|skipped|failed`, `rationale[]`.
## Determinism safeguards
- All hashes are lowercase hex; timestamps are UTC ISO-8601.
- Sorting: multiple statements are ordered by `subject` then `statementDigest`.
- No network retries or clock drift compensation; rely on bundle timestamps.
## Operations checklist
- [ ] Refresh trust bundle hashes before each deploy; compare against signed manifest.
- [ ] Rotate keys by replacing the bundle atomically; restart workers to pick up changes.
- [ ] Record verification results in the delivery ledger for replay/audit.
## Related docs
- `docs/modules/attestor/overview.md`
- `docs/modules/attestor/keys-and-issuers.md`
- `docs/modules/attestor/transparency.md`
Reference in New Issue View Git Blame Copy Permalink