git.stella-ops.org/docs/features/unchecked/attestor/offline-verification-system.md

Offline Verification System (Rekor Mirror, Local Log, Sigstore Bundle)

Module

Attestor

Status

IMPLEMENTED

Description

Offline Rekor receipt verification using local Merkle proof verification, with no network dependency. TileProxy provides a local tile-based transparency log proxy with content-addressed storage. A Sigstore bundle offline verifier is included, with integration tests for air-gapped scenarios.

Implementation Details

  • Offline Verifier: src/Attestor/__Libraries/StellaOps.Attestor.Offline/Services/OfflineVerifier.cs -- verifies attestations offline using locally cached roots, Merkle proofs, and trust anchors. Implements Abstractions/IOfflineVerifier.cs.
  • Offline Root Store: Services/FileSystemRootStore.cs -- stores trusted roots and checkpoint data on the local filesystem. Implements Abstractions/IOfflineRootStore.cs.
  • Rule Bundle Signature Verifier: Services/RuleBundleSignatureVerifier.cs -- verifies signed policy rule bundles offline. Implements Abstractions/IRuleBundleSignatureVerifier.cs.
  • Offline Verification Result: Models/OfflineVerificationResult.cs -- result model with pass/fail status and detailed check results.
  • TileProxy Service: src/Attestor/StellaOps.Attestor.TileProxy/Services/TileProxyService.cs -- proxies and caches transparency log tiles for offline verification.
  • Content-Addressed Tile Store: StellaOps.Attestor.TileProxy/Services/ContentAddressedTileStore.cs -- stores tiles by content hash for deduplication.
  • Tile Sync Job: StellaOps.Attestor.TileProxy/Jobs/TileSyncJob.cs -- background job that syncs tiles from remote Rekor while online.
  • Tile Endpoints: StellaOps.Attestor.TileProxy/Endpoints/TileEndpoints.cs -- HTTP endpoints for serving cached tiles.
  • Rekor Offline Receipt Verifier: StellaOps.Attestor.Core/Verification/RekorOfflineReceiptVerifier.cs -- verifies Rekor receipts using locally cached data.
  • Merkle Proof Verifier: StellaOps.Attestor.Core/Verification/MerkleProofVerifier.cs -- verifies Merkle inclusion proofs locally.
  • Sigstore Bundle Verifier: __Libraries/StellaOps.Attestor.Bundle/SigstoreBundleVerifier.cs -- verifies Sigstore bundles offline.
  • Tests: __Tests/StellaOps.Attestor.Offline.Tests/, __Tests/StellaOps.Attestor.TileProxy.Tests/

E2E Test Plan

  • Verify an attestation offline via OfflineVerifier using cached roots from FileSystemRootStore and confirm verification passes
  • Simulate air-gap: disable network, verify an attestation using locally cached tiles via TileProxyService, and confirm success
  • Sync tiles via TileSyncJob while online, then verify those tiles are accessible offline via TileEndpoints
  • Verify a Rekor receipt offline via RekorOfflineReceiptVerifier using cached checkpoint and Merkle proof
  • Verify a Sigstore bundle offline via SigstoreBundleVerifier and confirm certificate chain and signature are valid
  • Verify RuleBundleSignatureVerifier rejects a tampered policy rule bundle offline
  • Verify ContentAddressedTileStore deduplicates tiles: store the same tile twice and verify only one copy exists
  • Test OfflineVerificationResult captures detailed check results for each verification step (root validity, Merkle proof, signature)