git.stella-ops.org/docs/modules/mirror/signing-runbook.md
StellaOps Bot 47168fec38 feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports
- Introduced a new VEX compact fixture for testing purposes.
- Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests.
- Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations.
- Documented tasks related to the Mirror Creator.
- Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs.
- Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases.
- Added tests for symbol ID normalization in the reachability scanner.
- Enhanced console status service with comprehensive unit tests for connection handling and error recovery.
- Included Cosign tool version 2.6.0 with checksums for various platforms.
2025-12-02 21:08:01 +02:00


Mirror bundle signing runbook (CI)

Prerequisites

  • Ed25519 private key as an unencrypted PKCS#8 PEM (`-----BEGIN PRIVATE KEY-----`). Keep it in CI secrets only; never commit it to the repository.
  • Base64-encode the whole PEM file, header and footer included, as a single line: base64 -w0 mirror-ci-ed25519.pem > mirror-ci-ed25519.pem.b64.
  • Create CI secret MIRROR_SIGN_KEY_B64 with that value.

Pipeline step (Gitea example)

```yaml
- name: Build/sign mirror thin bundle
  env:
    MIRROR_SIGN_KEY_B64: ${{ secrets.MIRROR_SIGN_KEY_B64 }}
    REQUIRE_PROD_SIGNING: 1
    OCI: 1
    TENANT_SCOPE: tenant-demo
    ENV_SCOPE: lab
  run: |
    scripts/mirror/check_signing_prereqs.sh
    scripts/mirror/ci-sign.sh
```

Outputs are placed under out/mirror/thin/ and out/mirror/thin/oci/; archive these as artifacts.

How to add the secret in Gitea (one-time)

  1. Repository → Settings → Secrets.
  2. New secret: name MIRROR_SIGN_KEY_B64, value = the single-line base64 string produced above. The PEM header and footer are inside the encoded payload; do not strip them before encoding, and do not paste the raw PEM itself.
  3. Scope: repository (or environment-specific if needed).
  4. Save. If the secret is empty, the step falls back to the embedded test key unless REQUIRE_PROD_SIGNING=1, in which case it fails early; keep the production secret present in release branches only.

Local dry-run with test key

```bash
MIRROR_SIGN_KEY_B64=$(base64 -w0 out/mirror/thin/tuf/keys/mirror-ed25519-test-1.pem) \
OCI=1 scripts/mirror/ci-sign.sh
```

Temporary dev key (to unblock CI until production key is issued)

Use this throwaway Ed25519 key only for non-production runs. It is published in this repository, so treat it as public: a signature made with it proves nothing, and any TUF metadata signed with it must be re-signed. Generated 2025-11-24 to replace the previous placeholder; rotate TUF metadata immediately after swapping in the production key.

```bash
MIRROR_SIGN_KEY_B64=LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1DNENBUUF3QlFZREsyVndCQ0lFSUxGdFMwbjBpMVVueE1maGt0cDNlY1N4WHVxYmcrVFJuaENhS05jaGtTbFIKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=
```

Do not ship with this key. Set REQUIRE_PROD_SIGNING=1 for release/tag builds so they fail without the real key. Add the production key as a Gitea secret (MIRROR_SIGN_KEY_B64), rerun the workflow, and remove this temporary key block once rotated.

Verification

The CI step already runs `scripts/mirror/verify_thin_bundle.py --bundle-meta mirror-thin-v1.bundle.json --tenant $TENANT_SCOPE --environment $ENV_SCOPE --pubkey out/mirror/thin/tuf/keys/ci-ed25519.pub` so offline-kit policies (OK1-OK10), Rekor policy (RK1-RK10), and mirror-format policy (MS1-MS10) are validated alongside the tarball. For OCI, ensure out/mirror/thin/oci/index.json references the manifest digest.

milestone.json now carries manifest/tar/bundle/bundle-dsse hashes plus policy layer hashes to allow air-gapped import verification.

Fallback (if secret absent)

  • CI can fall back to an embedded test Ed25519 key when MIRROR_SIGN_KEY_B64 is unset only when REQUIRE_PROD_SIGNING is not set. This is for dev smoke runs; release/tag jobs must set REQUIRE_PROD_SIGNING=1 to forbid fallback.
  • For release branches, always set REQUIRE_PROD_SIGNING=1 and provide MIRROR_SIGN_KEY_B64; otherwise the step will fail early.
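The prerequisite check the runbook relies on is easy to get subtly wrong: a raw PEM pasted as the secret, a PEM whose header was stripped before encoding, or the published dev key slipping into a tag build. The following is an added example, not the project's scripts/mirror/check_signing_prereqs.sh, that re-implements the policy stated in the Prerequisites, secret-setup, dev-key and Fallback sections above: validate that MIRROR_SIGN_KEY_B64 decodes to an unencrypted PKCS#8 Ed25519 PEM, refuse the fallback and the published dev key when REQUIRE_PROD_SIGNING=1, and mint a one-line throwaway key for a local dry run. The function names and the "production" / "dev-key" / "fallback" outcomes are this example's own; the PKCS#8 layout it checks is the standard RFC 8410 encoding, and the dev-key constant is the value from this runbook.

```python
"""Prerequisite check for the mirror signing step (added illustration, not the
project's check_signing_prereqs.sh).  Applies the runbook policy: empty secret ->
test-key fallback unless REQUIRE_PROD_SIGNING=1; the published dev key is never
acceptable for release builds; the secret must be a base64-encoded, unencrypted
PKCS#8 Ed25519 PEM.  Function names are this example's own.
"""
import base64
import os
import re
import sys

# DER prefix of a PKCS#8 Ed25519 private key (RFC 8410):
# SEQUENCE { INTEGER 0, SEQUENCE { OID 1.3.101.112 }, OCTET STRING { OCTET STRING(32) seed } }
PKCS8_ED25519_PREFIX = bytes.fromhex("302e020100300506032b657004220420")
PKCS8_ED25519_LEN = len(PKCS8_ED25519_PREFIX) + 32

# The throwaway dev key published in this runbook.  It lives in the repository, so it
# is public; a release build must refuse to sign with it.
DEV_KEY_B64 = ("LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1DNENBUUF3QlFZREsyVndCQ0lFSUxGdFMwbjBpMVVu"
               "eE1maGt0cDNlY1N4WHVxYmcrVFJuaENhS05jaGtTbFIKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=")

_PEM_RE = re.compile(rb"\s*-----BEGIN PRIVATE KEY-----\s*(.+?)\s*-----END PRIVATE KEY-----\s*", re.S)


class SigningPrereqError(Exception):
    """Raised when the signing step must not proceed."""


def decode_pem_seed(key_b64: str) -> bytes:
    """Turn a MIRROR_SIGN_KEY_B64 value into the 32-byte Ed25519 seed, rejecting anything else.

    Catches the usual mistakes: the raw PEM pasted instead of its base64, an encrypted
    or non-Ed25519 key, or a PEM whose header/footer was stripped before encoding.
    """
    try:
        pem = base64.b64decode(key_b64.strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise SigningPrereqError(f"MIRROR_SIGN_KEY_B64 is not base64 (paste the encoded PEM): {exc}") from exc
    match = _PEM_RE.fullmatch(pem)
    if match is None:
        raise SigningPrereqError("decoded value is not an unencrypted PKCS#8 PEM (BEGIN/END PRIVATE KEY)")
    try:
        der = base64.b64decode(re.sub(rb"\s+", b"", match.group(1)), validate=True)
    except ValueError as exc:
        raise SigningPrereqError("PEM body is not base64") from exc
    if len(der) != PKCS8_ED25519_LEN or not der.startswith(PKCS8_ED25519_PREFIX):
        raise SigningPrereqError("PKCS#8 body is not an Ed25519 private key")
    return der[-32:]


def encode_key_b64(seed: bytes) -> str:
    """Inverse of the runbook's `base64 -w0 key.pem`: wrap a seed as PKCS#8 PEM, then base64 it.

    Handy for minting a throwaway key for a local dry run; the result is a single line.
    """
    if len(seed) != 32:
        raise ValueError("Ed25519 seed must be 32 bytes")
    body = base64.b64encode(PKCS8_ED25519_PREFIX + seed)
    pem = b"-----BEGIN PRIVATE KEY-----\n" + body + b"\n-----END PRIVATE KEY-----\n"
    return base64.b64encode(pem).decode("ascii")


def decide(env) -> str:
    """Apply the runbook policy to an environment mapping (e.g. os.environ).

    Returns "production", "dev-key" or "fallback"; raises SigningPrereqError where the
    runbook says the step must fail early.
    """
    require_prod = env.get("REQUIRE_PROD_SIGNING", "") == "1"
    key_b64 = env.get("MIRROR_SIGN_KEY_B64", "").strip()
    if not key_b64:
        if require_prod:
            raise SigningPrereqError("REQUIRE_PROD_SIGNING=1 but MIRROR_SIGN_KEY_B64 is empty; "
                                     "not falling back to the embedded test key")
        return "fallback"
    seed = decode_pem_seed(key_b64)
    if seed == decode_pem_seed(DEV_KEY_B64):
        if require_prod:
            raise SigningPrereqError("MIRROR_SIGN_KEY_B64 is the published dev key; "
                                     "release/tag builds need the production key")
        return "dev-key"
    return "production"


if __name__ == "__main__":
    try:
        print(f"signing mode: {decide(os.environ)}")
    except SigningPrereqError as exc:
        print(f"signing prerequisites failed: {exc}", file=sys.stderr)
        sys.exit(1)
```

Run it in the same shell that exports MIRROR_SIGN_KEY_B64 and REQUIRE_PROD_SIGNING; a non-zero exit is the "fail early" the Fallback section describes. The dev-key comparison is on the decoded seed rather than the base64 string, so re-encoding the same PEM with different line wrapping does not let it through.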