47168fec38
- Introduced a new VEX compact fixture for testing purposes. - Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests. - Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations. - Documented tasks related to the Mirror Creator. - Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs. - Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases. - Added tests for symbol ID normalization in the reachability scanner. - Enhanced console status service with comprehensive unit tests for connection handling and error recovery. - Included Cosign tool version 2.6.0 with checksums for various platforms.
68 lines
3.9 KiB
Bash
68 lines
3.9 KiB
Bash
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
# Allow CI to fall back to a deterministic test key when MIRROR_SIGN_KEY_B64 is unset,
|
|
# but forbid this on release/tag builds when REQUIRE_PROD_SIGNING=1.
|
|
# Throwaway dev key (Ed25519) generated 2025-11-23; matches the value documented in
|
|
# docs/modules/mirror/signing-runbook.md. Safe for non-production smoke only.
|
|
DEFAULT_TEST_KEY_B64="LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1DNENBUUF3QlFZREsyVndCQ0lFSURqb3pDRVdKVVFUdW1xZ2gyRmZXcVBaemlQbkdaSzRvOFZRTThGYkZCSEcKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo="
|
|
if [[ -z "${MIRROR_SIGN_KEY_B64:-}" ]]; then
|
|
if [[ "${REQUIRE_PROD_SIGNING:-0}" == "1" ]]; then
|
|
echo "[error] MIRROR_SIGN_KEY_B64 is required for production signing; refusing to use test key." >&2
|
|
exit 1
|
|
fi
|
|
echo "[warn] MIRROR_SIGN_KEY_B64 not set; using embedded test key (non-production) for CI signing" >&2
|
|
MIRROR_SIGN_KEY_B64="$DEFAULT_TEST_KEY_B64"
|
|
fi
|
|
ROOT=$(cd "$(dirname "$0")/../.." && pwd)
|
|
KEYDIR="$ROOT/out/mirror/thin/tuf/keys"
|
|
mkdir -p "$KEYDIR"
|
|
KEYFILE="$KEYDIR/ci-ed25519.pem"
|
|
printf "%s" "$MIRROR_SIGN_KEY_B64" | base64 -d > "$KEYFILE"
|
|
chmod 600 "$KEYFILE"
|
|
# Export public key for TUF keyid calculation
|
|
openssl pkey -in "$KEYFILE" -pubout -out "$KEYDIR/ci-ed25519.pub" >/dev/null 2>&1
|
|
STAGE=${STAGE:-$ROOT/out/mirror/thin/stage-v1}
|
|
CREATED=${CREATED:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
|
|
TENANT_SCOPE=${TENANT_SCOPE:-tenant-demo}
|
|
ENV_SCOPE=${ENV_SCOPE:-lab}
|
|
CHUNK_SIZE=${CHUNK_SIZE:-5242880}
|
|
CHECKPOINT_FRESHNESS=${CHECKPOINT_FRESHNESS:-86400}
|
|
OCI=${OCI:-1}
|
|
SIGN_KEY="$KEYFILE" STAGE="$STAGE" CREATED="$CREATED" TENANT_SCOPE="$TENANT_SCOPE" ENV_SCOPE="$ENV_SCOPE" CHUNK_SIZE="$CHUNK_SIZE" CHECKPOINT_FRESHNESS="$CHECKPOINT_FRESHNESS" OCI="$OCI" "$ROOT/src/Mirror/StellaOps.Mirror.Creator/make-thin-v1.sh"
|
|
|
|
# Emit milestone summary with hashes for downstream consumers
|
|
MANIFEST_PATH="$ROOT/out/mirror/thin/mirror-thin-v1.manifest.json"
|
|
TAR_PATH="$ROOT/out/mirror/thin/mirror-thin-v1.tar.gz"
|
|
DSSE_PATH="$ROOT/out/mirror/thin/mirror-thin-v1.manifest.dsse.json"
|
|
BUNDLE_PATH="$ROOT/out/mirror/thin/mirror-thin-v1.bundle.json"
|
|
BUNDLE_DSSE_PATH="$ROOT/out/mirror/thin/mirror-thin-v1.bundle.dsse.json"
|
|
TRANSPORT_PATH="$ROOT/out/mirror/thin/stage-v1/layers/transport-plan.json"
|
|
REKOR_POLICY_PATH="$ROOT/out/mirror/thin/stage-v1/layers/rekor-policy.json"
|
|
MIRROR_POLICY_PATH="$ROOT/out/mirror/thin/stage-v1/layers/mirror-policy.json"
|
|
OFFLINE_POLICY_PATH="$ROOT/out/mirror/thin/stage-v1/layers/offline-kit-policy.json"
|
|
SUMMARY_PATH="$ROOT/out/mirror/thin/milestone.json"
|
|
|
|
sha256() {
|
|
sha256sum "$1" | awk '{print $1}'
|
|
}
|
|
|
|
cat > "$SUMMARY_PATH" <<JSON
|
|
{
|
|
"created": "$CREATED",
|
|
"manifest": {"path": "$(basename "$MANIFEST_PATH")", "sha256": "$(sha256 "$MANIFEST_PATH")"},
|
|
"tarball": {"path": "$(basename "$TAR_PATH")", "sha256": "$(sha256 "$TAR_PATH")"},
|
|
"dsse": $( [[ -f "$DSSE_PATH" ]] && echo "{\"path\": \"$(basename "$DSSE_PATH")\", \"sha256\": \"$(sha256 "$DSSE_PATH")\"}" || echo "null" ),
|
|
"bundle": $( [[ -f "$BUNDLE_PATH" ]] && echo "{\"path\": \"$(basename "$BUNDLE_PATH")\", \"sha256\": \"$(sha256 "$BUNDLE_PATH")\"}" || echo "null" ),
|
|
"bundle_dsse": $( [[ -f "$BUNDLE_DSSE_PATH" ]] && echo "{\"path\": \"$(basename "$BUNDLE_DSSE_PATH")\", \"sha256\": \"$(sha256 "$BUNDLE_DSSE_PATH")\"}" || echo "null" ),
|
|
"time_anchor": $( [[ -n "${TIME_ANCHOR_FILE:-}" && -f "$TIME_ANCHOR_FILE" ]] && echo "{\"path\": \"$(basename "$TIME_ANCHOR_FILE")\", \"sha256\": \"$(sha256 "$TIME_ANCHOR_FILE")\"}" || echo "null" )
|
|
,"policies": {
|
|
"transport": {"path": "$(basename "$TRANSPORT_PATH")", "sha256": "$(sha256 "$TRANSPORT_PATH")"},
|
|
"rekor": {"path": "$(basename "$REKOR_POLICY_PATH")", "sha256": "$(sha256 "$REKOR_POLICY_PATH")"},
|
|
"mirror": {"path": "$(basename "$MIRROR_POLICY_PATH")", "sha256": "$(sha256 "$MIRROR_POLICY_PATH")"},
|
|
"offline": {"path": "$(basename "$OFFLINE_POLICY_PATH")", "sha256": "$(sha256 "$OFFLINE_POLICY_PATH")"}
|
|
}
|
|
}
|
|
JSON
|
|
|
|
echo "Milestone summary written to $SUMMARY_PATH"
|