stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
e9aeadc04084353889b1c9dbf4487f5316f4421e
git.stella-ops.org/docs/features/checked/attestor/oci-attestation-attachment.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

2.5 KiB
Raw Blame History

OCI Attestation Attachment (Referrers API, ORAS, Cosign Compatible)

Module

Attestor

Status

VERIFIED

Description

OCI Distribution Spec 1.1 compliant attestation attacher using ORAS with referrers API support. Attaches verdict attestations, delta verdicts, evidence bundles, and SBOMs to container image digests. Supports cosign compatibility, attach/fetch/list operations, and OCI registry client for discovery.

Implementation Details

  • ORAS Attestation Attacher: src/Attestor/__Libraries/StellaOps.Attestor.Oci/Services/OrasAttestationAttacher.cs -- attaches DSSE-signed attestations to OCI image digests using ORAS and the OCI Referrers API. Implements IOciAttestationAttacher.cs.
  • OCI Registry Client: Services/IOciRegistryClient.cs -- abstraction for OCI registry operations (push, pull, list referrers, discover).
  • SBOM OCI Publisher: Services/SbomOciPublisher.cs -- publishes SBOMs as OCI artifacts attached to image digests. Implements ISbomOciPublisher.cs.
  • Trust Verdict OCI Attacher: __Libraries/StellaOps.Attestor.TrustVerdict/ -- attaches trust verdict attestations to OCI images as referrer artifacts.
  • Delta Verdict Predicates: __Libraries/StellaOps.Attestor.ProofChain/Predicates/DeltaVerdictPredicate.cs -- delta verdict predicate model for OCI attachment.
  • DSSE Envelope: __Libraries/StellaOps.Attestor.ProofChain/Signing/DsseEnvelope.cs -- envelope format for OCI-attached attestations.
  • Tests: __Tests/StellaOps.Attestor.Oci.Tests/

E2E Test Plan

  • Attach a DSSE-signed verdict attestation to an OCI image digest via OrasAttestationAttacher and verify it appears in the referrers list
  • Publish an SBOM via SbomOciPublisher as an OCI artifact and verify it is discoverable via the Referrers API
  • List all attestation referrers for an image digest and verify correct artifact types are returned
  • Fetch a previously attached attestation by digest and verify the DSSE envelope is intact
  • Attach multiple attestation types (verdict, delta verdict, evidence bundle, SBOM) to the same image and verify all are listed
  • Verify cosign compatibility: attach an attestation and verify it can be discovered using cosign-style media types
  • Verify IOciRegistryClient handles authentication and registry errors gracefully

Verification

Check Result
Tier 0 - Source Verification PASS
Tier 1 - Build + Code Review PASS
Tier 2 - Behavioral Verification PASS
Verified Date 2026-02-13
Run ID run-001