git.stella-ops.org/docs/features/unchecked/attestor/in-toto-link-attestation-capture.md


In-toto Link Attestation Capture

Module: Attestor

Status: IMPLEMENTED

Description

The attestation pipeline supports DSSE-wrapped statements and proof chains that follow in-toto patterns. However, per-step in-toto link capture through an in-toto-run style wrapper, as the feature describes, is not directly implemented.

What's Implemented

  • In-Toto Link Model: src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/InToto/InTotoLink.cs -- in-toto link data model.
  • In-Toto Link Predicate: InToto/InTotoLinkPredicate.cs -- link predicate with materials and products.
  • Link Builder: InToto/LinkBuilder.cs -- builder for constructing in-toto links.
  • Link Recorder: InToto/LinkRecorder.cs -- records link data during step execution. Implements the ILinkRecorder interface (ILinkRecorder.cs).
  • In-Toto Link Emitter: InToto/IInTotoLinkEmitter.cs -- interface for emitting captured links.
  • In-Toto Link Signing Service: InToto/IInTotoLinkSigningService.cs with Infrastructure/InToto/InTotoLinkSigningService.cs -- signs captured links.
  • In-Toto Layout: InToto/Layout/InTotoLayout.cs -- layout defining expected supply chain steps.
  • Layout Verifier: InToto/Layout/LayoutVerifier.cs -- verifies links against a layout. Implements the ILayoutVerifier interface (ILayoutVerifier.cs).
  • Artifact Digests: InToto/ArtifactDigests.cs -- input/output artifact digest tracking.
  • Material Spec: InToto/MaterialSpec.cs -- material specification for links.
  • In-Toto Statement: __Libraries/StellaOps.Attestor.ProofChain/Statements/InTotoStatement.cs -- generic in-toto statement.
  • Link Contracts: WebService/Contracts/InTotoLinkContracts.cs -- API contracts for link operations.
  • Tests: Core.Tests/InToto/InTotoLinkTests.cs, Core.Tests/InToto/InTotoGoldenTests.cs, and ProofChain.Tests/Statements/InTotoStatementSnapshotTests.cs.

What's Missing

  • in-toto-run wrapper: No CLI wrapper that automatically captures materials before and products after command execution (analogous to in-toto-run from the reference implementation).
  • Automatic link capture in CI: No CI integration that automatically records links for each pipeline step.
  • Link storage and retrieval API: No REST endpoint for storing and querying captured links by step name or functionary.
  • Multi-functionary layout verification: Layout verification exists but multi-functionary threshold verification (k-of-n) may not be fully wired.
  • Link chain verification: No end-to-end verification that all links in a layout chain are present and valid.
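The missing in-toto-run wrapper and the product-side part of link chain verification, shown as an added Python example modelled on the reference implementation's behaviour (this is not StellaOps code and does not use the Attestor classes listed above; the step name, directories and command are constructed for the demo, and DSSE signing is left out):

```python
"""Added example: an in-toto-run style step wrapper (not StellaOps code). Snapshots
material digests before a command runs and product digests after, then emits an
unsigned in-toto v1 Statement with a link v0.3 predicate (DSSE signing not shown)."""
import hashlib
import subprocess
import sys
import tempfile
from pathlib import Path


def digest_tree(root: str) -> list[dict]:
    """Every file under root as an in-toto ResourceDescriptor, sorted for stable output."""
    base = Path(root)
    return [{"name": p.relative_to(base).as_posix(),
             "digest": {"sha256": hashlib.sha256(p.read_bytes()).hexdigest()}}
            for p in sorted(base.rglob("*")) if p.is_file()]


def run_step(step: str, cmd: list[str], cwd: str, material_dir: str, product_dir: str) -> dict:
    """Capture materials, run the step, capture products, return the unsigned link statement."""
    materials = digest_tree(material_dir)   # snapshot BEFORE the command can touch its inputs
    proc = subprocess.run(cmd, cwd=cwd, capture_output=True, text=True)
    products = digest_tree(product_dir)     # snapshot AFTER, so in-step tampering is recorded
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": products,                # products are the statement subject
        "predicateType": "https://in-toto.io/attestation/link/v0.3",
        "predicate": {
            "name": step,
            "command": cmd,
            "materials": materials,
            "byproducts": {"stdout": proc.stdout, "stderr": proc.stderr, "return-value": proc.returncode},
        },
    }


def products_match(link: dict, product_dir: str) -> bool:
    """Verifier-side check: re-digest the product tree and compare with the recorded subjects."""
    return digest_tree(product_dir) == link["subject"]


def demo() -> tuple[dict, str]:
    """Constructed run: one material file and a step that upper-cases it into a product."""
    tmp = tempfile.mkdtemp()
    for d in ("in", "out"):
        Path(tmp, d).mkdir()
    Path(tmp, "in", "src.txt").write_bytes(b"hello\n")
    cmd = [sys.executable, "-c",
           "open('out/built.txt', 'w').write(open('in/src.txt').read().upper())"]
    return run_step("build", cmd, tmp, f"{tmp}/in", f"{tmp}/out"), tmp
```

A CI integration would call run_step once per pipeline step and hand the returned statement to the signing service; a layout verifier would then compare each link's materials against the previous step's products.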

Implementation Plan

  • Implement an in-toto-run CLI command wrapping command execution with automatic material/product capture
  • Add CI step link capture via webhook or plugin integration
  • Create REST endpoints for link storage and retrieval in ProofChainController
  • Complete multi-functionary threshold verification in LayoutVerifier
  • Implement end-to-end link chain verification
  • Add tests for CLI wrapper, CI capture, and chain verification

Source: See feature catalog