git.stella-ops.org/docs/features/checked/attestor/monthly-bundle-rotation-and-re-signing.md
2026-02-14 09:11:48 +02:00

Monthly Bundle Rotation and Re-Signing

Module

Attestor

Status

VERIFIED

Description

The attestation and signing infrastructure exists, but the specific monthly bundle re-signing workflow is a planned sprint task.

What's Implemented

  • DSSE Signing: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs (with .Verification) -- DSSE signing and verification.
  • Signing Key Profile: Signing/SigningKeyProfile.cs -- key profile with algorithm and key material.
  • Attestor Signing Key Registry: StellaOps.Attestor.Infrastructure/Signing/AttestorSigningKeyRegistry.cs -- multi-key registry.
  • Sigstore Bundle Builder: __Libraries/StellaOps.Attestor.Bundle/Builder/SigstoreBundleBuilder.cs -- builds Sigstore bundles.
  • Sigstore Bundle Verifier: Bundle/Verification/SigstoreBundleVerifier.cs -- verifies bundle integrity.
  • Sigstore Bundle Serializer: Bundle/Serialization/SigstoreBundleSerializer.cs -- serializes bundles.
  • Timestamping Service: __Libraries/StellaOps.Attestor.Timestamping/AttestationTimestampService.cs -- timestamping for re-signing evidence.

What's Missing

  • Monthly rotation scheduler: No scheduled job that triggers bundle rotation on a monthly cadence.
  • Re-signing workflow: No workflow that takes existing bundles, verifies them with the old key, and re-signs with a new key.
  • Key rotation ceremony: No key rotation ceremony process (generate new key, sign transition attestation, update trust anchors).
  • Bundle version tracking: No mechanism to track bundle versions and maintain a history of re-signed bundles.
  • Re-signing attestation: No attestation type recording that a bundle was re-signed (old key ID, new key ID, rotation reason).
  • Automated trust anchor update: No automation to update trust anchors when keys rotate.

Implementation Plan

  • Create a BundleRotationJob scheduled monthly via Scheduler integration
  • Implement re-signing workflow (verify old -> sign with new -> update references)
  • Define a re-signing attestation predicate recording rotation metadata
  • Add key rotation ceremony process with multi-party approval
  • Implement bundle version tracking with rotation history
  • Automate trust anchor updates on key rotation
  • Add tests for rotation workflow, re-signing, and trust anchor updates
  • Source: See feature catalog
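
The "verify old -> sign with new" step and the rotation metadata (old key ID, new key ID, rotation reason) listed above, sketched as an added example. This is not StellaOps code and does not use ProofChainSigner; it relies only on the .NET base class library, and every type, member, and key ID in it is hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Constructed sample: an envelope signed by the outgoing key, then rotated to the incoming key.
using var oldKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
using var newKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
var payload = Encoding.UTF8.GetBytes("{\"_type\":\"https://in-toto.io/Statement/v1\"}");
var original = Dsse.Sign("application/vnd.in-toto+json", payload, "key-2026-01", oldKey);
var (rotated, entry) = Dsse.ReSign(original, oldKey, "key-2026-02", newKey, "monthly-rotation");
Console.WriteLine($"{entry.OldKeyId} -> {entry.NewKeyId} ({entry.Reason}), payload sha256 {entry.PayloadSha256}");
Console.WriteLine($"new signature verifies: {Dsse.Verify(rotated, newKey)}");

// Hypothetical shapes; the payload digest ties the rotation entry to the exact bytes re-signed.
public sealed record Envelope(string PayloadType, byte[] Payload, string KeyId, byte[] Signature);
public sealed record ReSignRecord(string OldKeyId, string NewKeyId, string Reason,
                                  string PayloadSha256, DateTimeOffset RotatedAt);

public static class Dsse
{
    // DSSE pre-authentication encoding: "DSSEv1 <len(type)> <type> <len(body)> <body>".
    public static byte[] Pae(string type, byte[] body)
    {
        var header = $"DSSEv1 {Encoding.UTF8.GetByteCount(type)} {type} {body.Length} ";
        return Encoding.UTF8.GetBytes(header).Concat(body).ToArray();
    }

    public static Envelope Sign(string type, byte[] body, string keyId, ECDsa key) =>
        new(type, body, keyId, key.SignData(Pae(type, body), HashAlgorithmName.SHA256));

    public static bool Verify(Envelope e, ECDsa key) =>
        key.VerifyData(Pae(e.PayloadType, e.Payload), e.Signature, HashAlgorithmName.SHA256);

    // Refuse to re-sign anything that does not verify under the outgoing key; otherwise
    // rotation would turn a tampered bundle into one carrying a fresh, valid signature.
    public static (Envelope, ReSignRecord) ReSign(
        Envelope old, ECDsa oldKey, string newKeyId, ECDsa newKey, string reason)
    {
        if (!Verify(old, oldKey))
            throw new CryptographicException($"signature by {old.KeyId} does not verify; not re-signing");
        var digest = Convert.ToHexString(SHA256.HashData(old.Payload)).ToLowerInvariant();
        var entry = new ReSignRecord(old.KeyId, newKeyId, reason, digest, DateTimeOffset.UtcNow);
        return (Sign(old.PayloadType, old.Payload, newKeyId, newKey), entry);
    }
}
```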

Verification

Check                              | Result
Tier 0 - Source Verification       | PASS
Tier 1 - Build + Code Review       | PASS
Tier 2 - Behavioral Verification   | PASS
Verified Date                      | 2026-02-13
Run ID                             | run-001