stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
e9aeadc04084353889b1c9dbf4487f5316f4421e
git.stella-ops.org/docs/features/checked/attestor/attestation-bundle-verification.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

3.1 KiB
Raw Blame History

Attestation Bundle Verification

Module

Attestor

Status

VERIFIED

Description

Sigstore bundle verification with dedicated verifier and bundler services for validating attestation integrity.

Implementation Details

  • Sigstore Bundle Verifier: src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Verification/SigstoreBundleVerifier.cs -- verifies Sigstore bundles including signature validation and transparency log verification.
  • Bundle Verification Result: BundleVerificationResult.cs -- result model with pass/fail status and detailed error messages.
  • Sigstore Bundle Model: src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Models/SigstoreBundle.cs -- represents a Sigstore bundle with VerificationMaterial, TransparencyLogEntry, and InclusionProof.
  • Bundle Builder: src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Builder/SigstoreBundleBuilder.cs -- constructs Sigstore bundles from attestation components.
  • Bundle Serializer: src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Serialization/SigstoreBundleSerializer.cs -- JSON serialization/deserialization of Sigstore bundles.
  • Attestation Bundler: src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Services/AttestationBundler.cs -- high-level bundling service implementing IAttestationBundler. Aggregates multiple attestations into bundles.
  • Bundle Aggregator: IBundleAggregator.cs -- interface for aggregating attestations.
  • Bundle Store: IBundleStore.cs -- persistence interface for bundles.
  • Org Key Signing: Signing/KmsOrgKeySigner.cs -- signs bundles with organization-level KMS keys.
  • Verification Engine: src/Attestor/StellaOps.Attestor.Verify/AttestorVerificationEngine.cs -- top-level verification engine that orchestrates bundle and attestation verification.
  • Tests: __Tests/StellaOps.Attestor.Bundle.Tests/SigstoreBundleVerifierTests.cs, SigstoreBundleBuilderTests.cs, SigstoreBundleSerializerTests.cs, __Tests/StellaOps.Attestor.Bundling.Tests/AttestationBundlerTests.cs

E2E Test Plan

  • Build a Sigstore bundle via SigstoreBundleBuilder with a signed attestation, inclusion proof, and verification material, then verify it via SigstoreBundleVerifier
  • Serialize a SigstoreBundle to JSON via SigstoreBundleSerializer, deserialize it back, and verify round-trip fidelity
  • Tamper with the inclusion proof in a bundle and verify SigstoreBundleVerifier returns a failed BundleVerificationResult with error details
  • Use AttestationBundler to aggregate 3+ attestations into a single bundle and verify the bundle contains all attestation entries
  • Sign a bundle with KmsOrgKeySigner and verify the org-level signature is present in the output
  • Run AttestorVerificationEngine against a valid bundle and verify all verification checks pass
  • Run AttestorVerificationEngine against a bundle with an invalid signature and verify it reports the specific check that failed

Verification

Check Result
Tier 0 - Source Verification PASS
Tier 1 - Build + Code Review PASS
Tier 2 - Behavioral Verification PASS
Verified Date 2026-02-13
Run ID run-001