git.stella-ops.org/docs/features/checked/attestor/dsse-in-toto-attestation-signing-and-verification.md
2026-02-14 09:11:48 +02:00

DSSE/In-Toto Attestation Signing and Verification

Module

Attestor

Status

VERIFIED

Description

Full DSSE envelope signing service supporting ECDSA P-256, Ed25519, and RSA-PSS. Includes in-toto predicate types for proof chains, SPDX3 build attestations, and verification workflows.

Implementation Details

  • Signing Service: src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Signing/DsseSigningService.cs -- core DSSE signing with multi-algorithm support.
  • Key Management: Signing/FileKeyProvider.cs -- file-based key provider. IAttestationSigningService.cs -- signing interface. AttestationSignRequest.cs, AttestationSignResult.cs -- sign request/result.
  • Verification Report Signer: Signing/DsseVerificationReportSigner.cs, IVerificationReportSigner.cs -- signs verification reports.
  • In-Toto Statements: __Libraries/StellaOps.Attestor.ProofChain/Statements/InTotoStatement.cs -- base in-toto statement. Statement types: EvidenceStatement, ReasoningStatement, VexVerdictStatement, ProofSpineStatement, SbomLinkageStatement, VerdictReceiptStatement, ReachabilityWitnessStatement, AIExplanationStatement, etc.
  • Statement Builder: __Libraries/StellaOps.Attestor.ProofChain/Builders/StatementBuilder.cs (with .Extended) -- fluent builder for in-toto statements. IStatementBuilder.cs -- interface.
  • In-Toto Core: StellaOps.Attestor.Core/InToto/ -- InTotoLink.cs, InTotoLinkPredicate.cs, LinkBuilder.cs, LinkRecorder.cs, LayoutVerifier.cs, ArtifactDigests.cs -- in-toto link and layout verification.
  • SPDX3 Signing: __Libraries/StellaOps.Attestor.Spdx3/DsseSpdx3Signer.cs (with .SignAsync, .Verify, .SignBuildProfile, .Encoding).
  • Signing Infrastructure: StellaOps.Attestor.Infrastructure/Signing/AttestorSigningService.cs, AttestorSigningKeyRegistry.cs.
  • Tests: StellaOps.Attestor.Core.Tests/InToto/InTotoGoldenTests.cs, InTotoLinkTests.cs, LinkBuilderTests.cs, LayoutVerifierTests.cs, Signing/DssePreAuthenticationEncodingTests.cs, VerificationReportSignerTests.cs

E2E Test Plan

  • Sign an in-toto statement via DsseSigningService with ECDSA P-256 key and verify the signature
  • Sign with Ed25519 key and verify the signature
  • Build an in-toto statement via StatementBuilder with evidence predicate and verify statement structure
  • Create an in-toto link via LinkBuilder with materials and products, sign it, and verify
  • Verify a layout via LayoutVerifier with correct link chain
  • Sign an SPDX3 build attestation via DsseSpdx3Signer and verify
  • Sign a verification report via DsseVerificationReportSigner and verify the signed report
  • Run golden tests to verify signed attestation output matches known-good test vectors
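
The first step of the test plan (sign an in-toto statement with ECDSA P-256 and verify it), as an added stand-alone example that uses only the .NET base class library; it is not the project's DsseSigningService code. The subject, predicate type, key id and in-memory key are constructed for illustration, and the helper names Pae and Verify are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

const string PayloadType = "application/vnd.in-toto+json";

// Constructed in-toto statement; subject, digest input and predicate type are sample values.
string digest = Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes("constructed artifact"))).ToLowerInvariant();
byte[] payload = JsonSerializer.SerializeToUtf8Bytes(new
{
    _type = "https://in-toto.io/Statement/v1",
    subject = new[] { new { name = "example.tar.gz", digest = new { sha256 = digest } } },
    predicateType = "https://example.invalid/predicates/evidence/v1",
    predicate = new { note = "constructed" }
});

// Throwaway P-256 key generated in memory (assumption; a real signer loads it from a key provider).
using ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256);

// The signature covers PAE(payloadType, payload), never the raw payload or its base64 text.
string payloadB64 = Convert.ToBase64String(payload);
string sigB64 = Convert.ToBase64String(key.SignData(Pae(PayloadType, payload), HashAlgorithmName.SHA256));
Console.WriteLine(JsonSerializer.Serialize(new { payload = payloadB64, payloadType = PayloadType,
    signatures = new[] { new { keyid = "example-key", sig = sigB64 } } }));

// Tampered copy: the same signature presented with a payload that differs in one bit.
byte[] altered = (byte[])payload.Clone();
altered[0] ^= 0x01;
string alteredB64 = Convert.ToBase64String(altered);

Console.WriteLine("intact envelope:     " + Verify(key, PayloadType, payloadB64, sigB64));
Console.WriteLine("payloadType swapped: " + Verify(key, "application/json", payloadB64, sigB64));
Console.WriteLine("payload bit flipped: " + Verify(key, PayloadType, alteredB64, sigB64));

// DSSE pre-authentication encoding: "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body,
// with both lengths written as ASCII decimal byte counts.
static byte[] Pae(string payloadType, byte[] payload)
{
    byte[] header = Encoding.UTF8.GetBytes($"DSSEv1 {Encoding.UTF8.GetByteCount(payloadType)} {payloadType} {payload.Length} ");
    byte[] pae = new byte[header.Length + payload.Length];
    header.CopyTo(pae, 0);
    payload.CopyTo(pae, header.Length);
    return pae;
}

// The verifier rebuilds the PAE from the envelope's own fields before checking the signature.
static bool Verify(ECDsa pub, string payloadType, string payloadB64, string sigB64) =>
    pub.VerifyData(Pae(payloadType, Convert.FromBase64String(payloadB64)), Convert.FromBase64String(sigB64), HashAlgorithmName.SHA256);
```

Because the payload type is part of the signed bytes, relabelling a valid envelope with a different payloadType invalidates the signature just as altering the payload does.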

Verification

| Check | Result |
|---|---|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |