e923880694
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil. - Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt. feat: Implement ILockRepository interface and LockRepository class - Defined ILockRepository interface with methods for acquiring and releasing locks. - Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations. feat: Add SurfaceManifestPointer record for manifest pointers - Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest. feat: Create PolicySimulationInputLock and related validation logic - Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests. - Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements. test: Add unit tests for ReplayVerificationService and ReplayVerifier - Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios. - Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic. test: Implement PolicySimulationInputLockValidatorTests - Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions. chore: Add cosign key example and signing scripts - Included a placeholder cosign key example for development purposes. - Added a script for signing Signals artifacts using cosign with support for both v2 and v3. chore: Create script for uploading evidence to the evidence locker - Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.
Cosign binaries (runtime/signals signing)
Preferred (system)
- Version:
v3.0.2 - Path:
/usr/local/bin/cosign(installed on WSL Debian host) - Breaking change: v3 requires
--bundle <file>when signing blobs; older--output-signature/--output-certificatepairs are deprecated.
Offline fallback (repo-pinned)
- Version:
v2.6.0 - Binary:
tools/cosign/cosign→tools/cosign/v2.6.0/cosign-linux-amd64 - SHA256:
ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9 - Check:
cd tools/cosign/v2.6.0 && sha256sum -c cosign_checksums.txt --ignore-missing
Usage examples
- v3 DSSE blob:
cosign sign-blob --key cosign.key --predicate-type stella.ops/confidenceDecayConfig@v1 --bundle confidence_decay_config.sigstore.json decay/confidence_decay_config.yaml - v3 verify:
cosign verify-blob --bundle confidence_decay_config.sigstore.json decay/confidence_decay_config.yaml - To force offline fallback, export
PATH=./tools/cosign:$PATH(ensures v2.6.0 is used).
CI / secrets
- CI should provide a base64-encoded private key via secret
COSIGN_PRIVATE_KEY_B64and optional password inCOSIGN_PASSWORD. - Example bootstrap in jobs:
echo \"$COSIGN_PRIVATE_KEY_B64\" | base64 -d > /tmp/cosign.key chmod 600 /tmp/cosign.key COSIGN_PASSWORD=\"${COSIGN_PASSWORD:-}\" cosign version - For local dev, copy your own key to
tools/cosign/cosign.keyor exportCOSIGN_PRIVATE_KEY_B64before running signing scripts. Never commit real keys; onlycosign.key.examplelives in git.