git.stella-ops.org/docs/features/unchecked/attestor/machine-verifiable-dsse-verdict-receipts.md

Machine-Verifiable DSSE Verdict Receipts

Module

Attestor

Status

IMPLEMENTED

Description

Verification receipts with checks, context, and verdict receipt payloads are fully modeled and implemented.

Implementation Details

  • Verification Receipt: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Receipts/VerificationReceipt.cs -- complete verification receipt containing checks, context, overall result, and timestamp. IReceiptGenerator.cs -- interface for generating receipts.
  • Verification Check: Receipts/VerificationCheck.cs -- individual check within a receipt (e.g., signature valid, predicate schema valid, Merkle proof valid) with pass/fail status and message.
  • Verification Context: Receipts/VerificationContext.cs -- context for the verification (subject ID, predicate type, verifier identity, timestamp).
  • Verification Result: Receipts/VerificationResult.cs -- aggregate result enum (Passed, Failed, Inconclusive).
  • Verdict Receipt Payload: Statements/VerdictReceiptPayload.cs -- in-toto predicate payload for verdict receipts containing decision, inputs, and outputs.
  • Verdict Receipt Statement: Statements/VerdictReceiptStatement.cs -- in-toto statement wrapping the verdict receipt payload.
  • Verdict Decision: Statements/VerdictDecision.cs -- the decision (Pass/Fail/Warn) within the receipt.
  • Verdict Inputs: Statements/VerdictInputs.cs -- inputs that were considered for the verdict.
  • Verdict Outputs: Statements/VerdictOutputs.cs -- outputs produced by the verdict (policy violations, exceptions applied, etc.).
  • DSSE Signing: Signing/ProofChainSigner.cs (with .Verification) -- signs verdict receipts into DSSE envelopes for machine verification.
  • Signature Verification Result: Signing/SignatureVerificationResult.cs -- result of DSSE signature verification.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/VerificationReceiptTests.cs

E2E Test Plan

  • Generate a VerificationReceipt via IReceiptGenerator with multiple VerificationCheck entries and verify all checks are present
  • Create a receipt with all checks passing and verify VerificationResult is Passed
  • Create a receipt with one failing check and verify VerificationResult is Failed
  • Build a VerdictReceiptStatement with VerdictDecision.Pass, sign it via ProofChainSigner, and verify the DSSE envelope is well-formed
  • Verify the signed verdict receipt DSSE envelope via ProofChainSigner.Verification and confirm SignatureVerificationResult passes
  • Tamper with the verdict receipt payload after signing and verify signature verification fails
  • Create a VerdictReceiptPayload with VerdictInputs (scan results, policy rules) and VerdictOutputs (violations, exceptions) and verify all fields are captured
  • Verify VerificationContext captures subject ID, predicate type, and verifier identity correctly
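As an added illustration (not the project's code) of the sign, verify and tamper steps in the test plan and of the Passed/Failed/Inconclusive aggregation described under Implementation Details, the following Python builds an in-toto statement carrying a verdict receipt predicate, wraps it in a DSSE envelope using the DSSE pre-authentication encoding (PAE), and verifies it. The predicate URI, the HMAC key standing in for the real asymmetric signer, and all sample inputs are assumptions, not values from the page.

```python
import base64
import hashlib
import hmac
import json

# Assumed values: the page does not give the project's predicate URI, so this is a placeholder.
PREDICATE_TYPE = "https://example.invalid/stellaops/verdict-receipt/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"


def aggregate_result(checks):
    """Fold check statuses ('pass'/'fail'/None) into Passed, Failed or Inconclusive."""
    if any(c["status"] == "fail" for c in checks):
        return "Failed"
    if checks and all(c["status"] == "pass" for c in checks):
        return "Passed"
    return "Inconclusive"


def build_statement(subject_sha256, decision, inputs, outputs):
    """in-toto v1 statement wrapping a verdict receipt predicate (decision, inputs, outputs)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "scan-target", "digest": {"sha256": subject_sha256}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {"decision": decision, "inputs": inputs, "outputs": outputs},
    }


def pae(payload_type, payload):
    """DSSE Pre-Authentication Encoding: binds payloadType and payload under one signature."""
    ptype = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(ptype), ptype, len(payload), payload)


def sign_envelope(statement, key, keyid):
    """Serialise canonically and sign the PAE (HMAC stands in for the real asymmetric signer)."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope, key):
    """Recompute the PAE over the envelope's own payloadType and payload; any valid signature accepts."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    return any(hmac.compare_digest(expected, base64.b64decode(s["sig"]))
               for s in envelope["signatures"])
```

Swapping the payload after signing (the tamper step of the test plan) changes the PAE, so the stored signature no longer verifies even though the envelope is still structurally well-formed.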