stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fa4823f46c4bc090294580a9136fb6b0e11e50f9
git.stella-ops.org/docs/features/unchecked/attestor/dsse-in-toto-event-spine.md

2.2 KiB
Raw Blame History

DSSE + in-toto Event Spine (Attestation Pipeline)

Module

Attestor

Status

IMPLEMENTED

Description

DSSE envelope signing and verification across the pipeline. Scanner emits policy decision and human approval attestations; Attestor ProofChain provides DSSE envelope/signature models and verification.

Implementation Details

  • ProofSpine System: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Assembly/ -- IProofSpineAssembler.cs, ProofSpineRequest.cs, ProofSpineResult.cs, ProofSpineSubject.cs, SpineVerificationCheck.cs, SpineVerificationResult.cs -- assembles proof spines from multiple attestation events.
  • Proof Spine Statement: Statements/ProofSpineStatement.cs -- in-toto statement for proof spine. Predicates/ProofSpinePredicate.cs -- spine predicate model.
  • Merkle Tree Assembly: Assembly/MerkleTree.cs -- Merkle tree for spine root computation.
  • DSSE Signing: Signing/ProofChainSigner.cs (with .Verification) signs spine attestations.
  • Policy Decision Predicate: Predicates/PolicyDecisionPredicate.cs, PolicyDecision.cs -- policy decision attestation.
  • Pipeline: Pipeline/IProofChainPipeline.cs, ProofChainRequest.cs, ProofChainResult.cs, PipelineSubject.cs, RekorEntry.cs -- proof chain pipeline processing.
  • Statement Builder: Builders/StatementBuilder.cs (with .Extended) -- builds in-toto statements for pipeline events.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/ProofSpineAssemblyIntegrationTests.cs

E2E Test Plan

  • Assemble a proof spine from 5 attestation events via IProofSpineAssembler and verify the spine root hash aggregates all events
  • Sign the proof spine via ProofChainSigner and verify the DSSE envelope
  • Verify the spine via SpineVerificationCheck and confirm all constituent attestations are valid
  • Create a PolicyDecisionPredicate for a pass/fail decision and include it in the spine
  • Process a ProofChainRequest through the pipeline and verify a ProofChainResult is produced with Rekor entry
  • Verify the Merkle tree root of the spine matches recomputation from individual event hashes
  • Build in-toto statements for each pipeline event via StatementBuilder and verify correct predicate types