git.stella-ops.org/docs/modules/mirror/provenance/observers.md
StellaOps Bot cce96f3596
2025-11-23 14:54:17 +02:00

PROV-OBS-53-001 draft: provenance observers for mirror bundles

Goal: allow downstream services to verify mirror bundle manifests and tarballs using published hashes and (when available) DSSE/TUF signatures.

Inputs

  • Manifest: out/mirror/thin/mirror-thin-v1.manifest.json
  • Tarball: out/mirror/thin/mirror-thin-v1.tar.gz
  • Hashes: .sha256 files adjacent to artefacts
  • (Future) DSSE envelope + TUF metadata under out/mirror/thin/tuf/

Observer checks (draft)

  1. Hash verification: recompute SHA256 for manifest and tarball; compare to .sha256 files.
  2. Schema check: ensure the manifest fields version, created, layers[], indexes[] exist and all digests use the sha256: prefix.
  3. Determinism: verify that tar entry order matches manifest order, tar headers carry owner=0:0 and mtime=0, and paths are sorted.
  4. Optional DSSE: once available, verify DSSE envelope signature over manifest using mirror-ed25519-test-1 public key.
  5. Optional TUF: once available, verify timestamp.json -> snapshot.json -> targets.json -> artefact hashes.

Implementation notes

  • These checks can be implemented as a small CLI (Go/C#/Python). For now, reference artefacts live in out/mirror/thin/ for test runners.
  • Determinism probe: tar --list --utc --full-time -vvf mirror-thin-v1.tar.gz should show epoch mtimes and sorted entries.
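
A sketch of observer checks 1 to 3 in Python, added here as an example and not taken from the StellaOps code base. It assumes each layers[]/indexes[] entry has path and digest keys and that tar entries map one-to-one onto layers[] paths; the draft does not specify either. The bundle built by build_sample is constructed test data, not the real mirror-thin-v1 artefacts.

```python
import hashlib, io, re, tarfile

REQUIRED = ("version", "created", "layers", "indexes")
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")  # prefix plus 64 hex characters

def check_hash(data: bytes, sha256_text: str) -> bool:
    """Check 1: recompute SHA256 and compare with the .sha256 file content."""
    parts = sha256_text.split()  # accepts "<hex>  <name>" or a bare hex digest
    return bool(parts) and hashlib.sha256(data).hexdigest() == parts[0].lower()

def check_schema(manifest: dict) -> list:
    """Check 2: required fields exist and every digest is sha256:<hex>."""
    errors = [f"missing field: {k}" for k in REQUIRED if k not in manifest]
    for key in ("layers", "indexes"):
        for entry in manifest.get(key, []):
            digest = entry.get("digest", "")  # assumed entry shape
            if not DIGEST_RE.fullmatch(digest):
                errors.append(f"bad digest in {key}: {digest!r}")
    return errors

def check_determinism(tar_gz: bytes, manifest: dict) -> list:
    """Check 3: sorted entries in manifest order, owner 0:0, mtime 0."""
    with tarfile.open(fileobj=io.BytesIO(tar_gz), mode="r:gz") as tar:
        members = tar.getmembers()
    names, errors = [m.name for m in members], []
    if names != sorted(names):
        errors.append("tar entries not sorted")
    # Assumed mapping: one tar entry per layers[] path, in the same order.
    if names != [layer.get("path") for layer in manifest.get("layers", [])]:
        errors.append("tar order differs from manifest order")
    for m in members:
        if (m.uid, m.gid, m.mtime) != (0, 0, 0):
            errors.append(f"non-deterministic header: {m.name}")
    return errors

def build_sample(mtime=0, names=("layers/a.json", "layers/b.json")):
    """Constructed sample bundle, not the real mirror-thin-v1 artefacts."""
    buf, layers = io.BytesIO(), []
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            body = name.encode()
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(body), mtime
            tar.addfile(info, io.BytesIO(body))
            digest = "sha256:" + hashlib.sha256(body).hexdigest()
            layers.append({"path": name, "digest": digest})
    manifest = {"version": 1, "created": "1970-01-01T00:00:00Z",
                "layers": layers, "indexes": []}
    return buf.getvalue(), manifest
```

Each check returns its findings rather than raising, so a runner can report all failures for a bundle in one pass.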