git.stella-ops.org/docs/features/checked/attestor/dsse-envelope-signing-for-attestations.md
2026-02-14 09:11:48 +02:00

DSSE Envelope Signing for Attestations

Module

Attestor

Status

VERIFIED

Description

DSSE envelope creation, signing, verification, and serialization are fully implemented across multiple Attestor libraries. The advisory proposed DSSE signing as part of a batch sweep experiment; the signing infrastructure is production-ready.

Implementation Details

  • Envelope Library: src/Attestor/StellaOps.Attestor.Envelope/ -- dedicated DSSE envelope library:
    • DsseEnvelope.cs -- envelope model with payload and signatures
    • DsseSignature.cs -- signature model with key ID and signature bytes
    • DsseEnvelopeSerializer.cs -- JSON serialization with options (DsseEnvelopeSerializationOptions.cs, DsseEnvelopeSerializationResult.cs)
    • DssePreAuthenticationEncoding.cs -- PAE (Pre-Authentication Encoding) per DSSE spec
    • DsseCompressionAlgorithm.cs -- payload compression support
    • DsseDetachedPayloadReference.cs -- detached payload references
    • EnvelopeSignatureService.cs -- signing service with key management (EnvelopeKey.cs, EnvelopeKeyIdCalculator.cs, EnvelopeSignature.cs, EnvelopeSignatureResult.cs)
  • ProofChain Signing: __Libraries/StellaOps.Attestor.ProofChain/Signing/ -- ProofChainSigner.cs (with .Verification), IProofChainSigner.cs, DsseEnvelope.cs, DsseSignature.cs, SignatureVerificationResult.cs, SigningKeyProfile.cs
  • Core Signing: StellaOps.Attestor.Core/Signing/DsseSigningService.cs, IAttestationSigningService.cs -- core DSSE signing
  • Attestation Library: src/Attestor/StellaOps.Attestation/ -- DsseHelper.cs, DsseVerifier.cs, DsseEnvelopeExtensions.cs
  • Tests: StellaOps.Attestor.Envelope/__Tests/DsseEnvelopeSerializerTests.cs, EnvelopeSignatureServiceTests.cs, StellaOps.Attestation.Tests/DsseHelperTests.cs, DsseVerifierTests.cs

E2E Test Plan

  • Create a DSSE envelope with a JSON payload via EnvelopeSignatureService, sign it, and verify the envelope contains the signature
  • Serialize the envelope via DsseEnvelopeSerializer and deserialize it, verifying round-trip fidelity
  • Verify the PAE (Pre-Authentication Encoding) matches the DSSE spec: DSSEv1 <payloadType.length> <payloadType> <payload.length> <payload>
  • Sign an envelope via ProofChainSigner and verify via ProofChainSigner.Verification
  • Sign an envelope via DsseSigningService in Core and verify via DsseVerifier
  • Tamper with the payload after signing and verify signature verification fails
  • Create an envelope with detached payload reference and verify the reference is correctly maintained
  • Sign with multiple keys and verify each signature is independently verifiable
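The PAE, tamper, and multi-key checks from the plan above, as an added stand-alone example. It is not code from the StellaOps repository and does not use its classes; the DsseSketch type, its helper names, the ECDSA P-256 keys, and the sample payload are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example: uses only System.Security.Cryptography, not the Attestor libraries.
static class DsseSketch
{
    // PAE per the DSSE spec: lengths are ASCII-decimal byte counts, fields joined by one space.
    public static byte[] Pae(string payloadType, byte[] payload)
    {
        int typeLen = Encoding.UTF8.GetByteCount(payloadType);
        byte[] head = Encoding.UTF8.GetBytes($"DSSEv1 {typeLen} {payloadType} {payload.Length} ");
        return head.Concat(payload).ToArray();
    }

    // The signature covers PAE(payloadType, payload), never the raw payload alone.
    public static byte[] Sign(ECDsa key, string payloadType, byte[] payload) =>
        key.SignData(Pae(payloadType, payload), HashAlgorithmName.SHA256);

    public static bool Verify(ECDsa key, string payloadType, byte[] payload, byte[] sig) =>
        key.VerifyData(Pae(payloadType, payload), sig, HashAlgorithmName.SHA256);

    static void Check(bool ok, string what)
    {
        if (!ok) throw new InvalidOperationException("FAILED: " + what);
        Console.WriteLine("ok: " + what);
    }

    public static void Main()
    {
        const string mediaType = "application/vnd.in-toto+json";            // constructed sample
        byte[] payload = Encoding.UTF8.GetBytes("{\"subject\":\"demo\"}"); // constructed sample

        Check(Encoding.UTF8.GetString(Pae(mediaType, payload)) ==
              "DSSEv1 28 application/vnd.in-toto+json 18 {\"subject\":\"demo\"}", "PAE layout");

        using ECDsa k1 = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        using ECDsa k2 = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        byte[] s1 = Sign(k1, mediaType, payload);
        byte[] s2 = Sign(k2, mediaType, payload);

        Check(Verify(k1, mediaType, payload, s1), "signature 1 verifies under key 1");
        Check(Verify(k2, mediaType, payload, s2), "signature 2 verifies under key 2");
        Check(!Verify(k2, mediaType, payload, s1), "signature 1 is rejected under key 2");

        byte[] tampered = (byte[])payload.Clone();
        tampered[0] ^= 0x01; // flip one bit after signing
        Check(!Verify(k1, mediaType, tampered, s1), "tampered payload is rejected");
        Check(!Verify(k1, "text/plain", payload, s1), "changed payloadType is rejected");
    }
}
```

The last check shows why the signature is computed over the PAE rather than the payload bytes: a payload replayed under a different payloadType fails verification.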

Verification

Check                               Result
Tier 0 - Source Verification        PASS
Tier 1 - Build + Code Review        PASS
Tier 2 - Behavioral Verification    PASS
Verified Date                       2026-02-13
Run ID                              run-001