git.stella-ops.org/docs/features/checked/attestor/graph-root-dsse-attestation-service.md
2026-02-14 09:11:48 +02:00

Graph Root DSSE Attestation Service

Module

Attestor

Status

VERIFIED

Description

Service for creating and verifying DSSE-wrapped in-toto attestations of Merkle graph roots. Supports multiple graph types (ResolvedExecutionGraph, ReachabilityGraph, DependencyGraph, ProofSpine, EvidenceGraph) with optional Rekor publication. Enables offline verification by comparing recomputed roots against attested values. Distinct from "Merkle Root Aggregation" and "Graph Revision IDs" which compute roots; this attests them as first-class DSSE-signed entities.

Implementation Details

  • Graph Root Attestor: src/Attestor/__Libraries/StellaOps.Attestor.GraphRoot/GraphRootAttestor.cs -- creates DSSE-signed in-toto attestations wrapping Merkle roots. Implements IGraphRootAttestor.cs.
  • Merkle Root Computer: Sha256MerkleRootComputer.cs -- SHA-256 Merkle root computation over sorted leaf hashes. Implements IMerkleRootComputer.cs.
  • Graph Root Predicate: Models/GraphRootPredicate.cs -- in-toto predicate containing root hash, graph type, leaf count, timestamp.
  • Attestation Request: Models/GraphRootAttestationRequest.cs -- specifies graph type, leaves, and signing options.
  • Attestation Result: Models/GraphRootResults.cs -- contains the signed DSSE envelope and computed root.
  • Graph Types: GraphType.cs -- enum: ResolvedExecutionGraph, ReachabilityGraph, DependencyGraph, ProofSpine, EvidenceGraph.
  • DSSE Signing: __Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs (with .Verification) -- signs and verifies DSSE envelopes.
  • Rekor Publication: StellaOps.Attestor.Core/Rekor/RekorSubmissionService.cs -- publishes signed attestations to Rekor transparency log.
  • DI Registration: GraphRootServiceCollectionExtensions.cs -- registers all graph root services.
  • Tests: __Tests/StellaOps.Attestor.GraphRoot.Tests/

E2E Test Plan

  • Create a GraphRootAttestationRequest for each supported GraphType and verify GraphRootAttestor produces valid DSSE envelopes
  • Verify the DSSE envelope contains a valid in-toto statement with predicate type matching the graph root schema
  • Verify the DSSE signature over the graph root attestation using ProofChainSigner.Verification
  • Recompute the Merkle root from the same leaves and verify it matches the root in the attested predicate (offline verification)
  • Submit a graph root attestation to Rekor via RekorSubmissionService and verify a log entry is created
  • Create attestations for two different graph types (e.g., ReachabilityGraph vs DependencyGraph) and verify they produce distinct predicates
  • Modify one leaf in the input set, recompute, and verify the attested root no longer matches (tamper detection)
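The offline-verification and tamper-detection steps above can be sketched as follows; this is an added Python example, not the project's GraphRootAttestor or ProofChainSigner code. Assumptions: the predicate type URI, the field names, the key and the leaves are constructed placeholders, an odd last node is duplicated when pairing, and HMAC-SHA256 stands in for the real DSSE signer.

```python
import base64, hashlib, hmac, json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
PREDICATE_TYPE = "https://example.invalid/graph-root/v1"  # hypothetical placeholder
KEY = b"constructed-demo-key"                             # constructed sample key
LEAVES = [b"node:a", b"node:b", b"edge:a->b"]             # constructed sample leaves

def merkle_root(leaves):
    # SHA-256 over sorted leaf hashes; duplicating an odd last node is an assumption.
    if not leaves:
        raise ValueError("at least one leaf is required")
    level = sorted(hashlib.sha256(leaf).digest() for leaf in leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()

def pae(payload_type, payload):
    # DSSE pre-authentication encoding: the exact bytes covered by the signature.
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def attest(graph_type, leaves, key):
    root = merkle_root(leaves)
    statement = {"_type": "https://in-toto.io/Statement/v1",
                 "subject": [{"name": graph_type, "digest": {"sha256": root}}],
                 "predicateType": PREDICATE_TYPE,  # timestamp field omitted for determinism
                 "predicate": {"rootHash": root, "graphType": graph_type,
                               "leafCount": len(leaves)}}
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()  # HMAC stand-in
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"sig": base64.b64encode(sig).decode()}]}

def verify_offline(envelope, leaves, key):
    # Authenticate the envelope first; only then trust and compare the attested root.
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if envelope["payloadType"] != PAYLOAD_TYPE or not hmac.compare_digest(
            base64.b64decode(envelope["signatures"][0]["sig"]), expected):
        return "bad-signature"
    predicate = json.loads(payload)["predicate"]
    if predicate["leafCount"] != len(leaves) or predicate["rootHash"] != merkle_root(leaves):
        return "root-mismatch"
    return "ok"
```

Because the signature covers the PAE of the payload type and payload, editing the attested root inside the envelope fails as `bad-signature`, while changing the input leaves fails as `root-mismatch`.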

Verification

| Check | Result |
|---|---|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |