git.stella-ops.org/docs/modules/signer/README.md

StellaOps Signer

Signer validates callers, enforces Proof-of-Entitlement, and produces signed DSSE bundles for SBOMs, reports, and exports.

Latest updates (Sprint 0186/0401 · 2025-11-26)

• CryptoDsseSigner implemented with ICryptoProviderRegistry integration (SIGN-CORE-186-004), enabling keyless + KMS signing modes with cosign-compatible DSSE output.
• SignerStatementBuilder refactored to support StellaOps predicate types (stella.ops/promotion@v1, stella.ops/sbom@v1, stella.ops/vex@v1, etc.) with CanonicalJson canonicalization (SIGN-CORE-186-005).
• PredicateTypes catalog extended with stella.ops/vexDecision@v1 and stella.ops/graph@v1 for reachability evidence chain (SIGN-VEX-401-018).
• Helper methods added: IsVexRelatedType, IsReachabilityRelatedType, GetAllowedPredicateTypes, IsAllowedPredicateType for predicate type validation.
• Integration tests upgraded with real crypto abstraction, fixture predicates (promotion, SBOM, VEX, replay, policy, evidence, graph), and deterministic test data (SIGN-TEST-186-006). All 102 Signer tests passing.

Previous updates (Sprint 11 · 2025-10-21)

• /sign/dsse pipeline landed with Authority OpTok + PoE enforcement, Fulcio/KMS signing modes, and deterministic DSSE bundles ready for Attestor logging.
• /verify/referrers endpoint exposes release-integrity checks against scanner OCI referrers so callers can confirm digests before requesting signatures.
• Plan quota enforcement (QPS/concurrency/artifact size) and audit/metrics wiring now align with the Sprint 11 signing-chain release.

Responsibilities

• Enforce Proof-of-Entitlement and plan quotas before signing artifacts.
• Support keyless (Fulcio) and keyful (KMS/HSM) signing backends.
• Verify scanner release integrity via OCI referrers prior to issuing signatures.
• Emit DSSE payloads consumed by Attestor/Export Center and maintain comprehensive audit trails.

Key components

• StellaOps.Signer service host with SignerPipeline orchestrating the signing flow.
• CryptoDsseSigner for ES256 signature generation via ICryptoProviderRegistry.
• SignerStatementBuilder for in-toto statement creation with PredicateTypes catalog.
• DefaultSigningKeyResolver for tenant-aware key resolution (keyless/KMS modes).
• Crypto providers under StellaOps.Cryptography.*.

Integrations & dependencies

• Authority for OpTok + PoE validation.
• Licensing Service for entitlement introspection.
• OCI registries (Referrers API) for scanner release verification.
• Attestor for transparency logging and Rekor ingestion.
• Export Center and CLI for artifact signing flows.

API quick reference

• POST /api/v1/signer/sign/dsse — validate OpTok/PoE, enforce quotas, return DSSE bundle with signing identity metadata.
• GET /api/v1/signer/verify/referrers — report scanner release signer and trust verdict for a supplied image digest.

Operational notes

• Key management via Authority/DevOps runbooks.
• Metrics for signing latency/throttle states.
• Offline kit integration for signature verification.

Backlog references

• Sprint 0186: docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md (SIGN-CORE-186-004, SIGN-CORE-186-005, SIGN-TEST-186-006 DONE; SIGN-REPLAY-186-003 blocked on upstream).
• Sprint 0401: docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md (SIGN-VEX-401-018 DONE; AUTH-REACH-401-005 TODO).
• SIG docs/tasks in ../../TASKS.md (e.g., DOCS-SIG-26-006).

Epic alignment

• Epic 10 – Export Center: provide signing pipelines, cosign interoperability, and provenance manifests for bundle promotion.
• Epic 19 – Attestor Console: supply DSSE payloads and Proof-of-Entitlement enforcement feeding attestation workflows described in docs/modules/attestor/.