git.stella-ops.org/docs/features/unchecked/attestor/per-layer-dsse-attestations.md

Per-Layer DSSE Attestations

Module: Attestor

Status: IMPLEMENTED

Description

Layer-specific DSSE attestations with batch signing for efficiency, generating individual attestations per container image layer linked to layer-specific SBOM subjects.

Implementation Details

  • DSSE Envelope Signing: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs (with .Verification) -- signs per-layer attestations into DSSE envelopes. Supports batch signing for multi-layer images.
  • DSSE Envelope: Signing/DsseEnvelope.cs -- envelope model with payload, payloadType, and signatures array.
  • DSSE Signature: Signing/DsseSignature.cs -- individual signature within an envelope.
  • Statement Builder: Builders/StatementBuilder.cs (with .Extended) -- builds in-toto statements with layer-specific subjects (layer digest as subject).
  • Proof Subject: Builders/ProofSubject.cs -- subject model with name (layer digest) and digest map.
  • Attestation Bundler: __Libraries/StellaOps.Attestor.Bundling/AttestationBundler.cs -- bundles per-layer attestations into a single container-level bundle.
  • OCI Attachment: __Libraries/StellaOps.Attestor.Oci/Services/OrasAttestationAttacher.cs -- attaches per-layer attestations to container image digests via OCI Referrers API.
  • Signing Key Profile: Signing/SigningKeyProfile.cs -- key profile used for signing (supports per-layer key selection).
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/DsseSigningTests.cs

E2E Test Plan

  • Create per-layer in-toto statements for a 3-layer container image with layer digests as subjects and sign each via ProofChainSigner
  • Verify each per-layer DSSE envelope has the correct layer digest in the subject
  • Batch-sign all 3 layer attestations and verify all envelopes are produced efficiently
  • Bundle per-layer attestations into a container-level bundle via AttestationBundler and verify the bundle references all layers
  • Attach per-layer attestations to the container image via OrasAttestationAttacher and verify they are discoverable as referrers
  • Verify each per-layer attestation signature independently via ProofChainSigner.Verification
  • Create a per-layer attestation linking to a layer-specific SBOM and verify the SBOM subject reference
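The implementation list and the test plan above both describe the same pipeline: one in-toto statement per layer with the layer digest as subject, each wrapped in a signed DSSE envelope, the envelopes batch-signed, bundled at container level, attached as an OCI referrer, and verified one by one. The following is an added illustration of that pipeline in Python; it is not StellaOps code and does not use the ProofChainSigner, StatementBuilder, AttestationBundler or OrasAttestationAttacher APIs. It assumes an HMAC-SHA256 tag in place of the asymmetric signature a real signing key profile would produce, and the predicate type, bundle media type and referrer subject size are placeholders; the layer, SBOM and image digests are constructed inline.

```python
"""Added illustration, not StellaOps code: per-layer DSSE attestations."""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://example.invalid/layer-sbom/v1"  # placeholder, not a StellaOps type
BUNDLE_TYPE = "application/vnd.example.layer-attestation-bundle+json"  # placeholder


def sha256_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 Pre-Authentication Encoding: the exact bytes that get signed."""
    pt = payload_type.encode()
    return b" ".join([b"DSSEv1", str(len(pt)).encode(), pt,
                      str(len(payload)).encode(), payload])


def layer_statement(layer_digest: str, sbom_digest: str) -> dict:
    """in-toto Statement whose single subject is one image layer; the predicate
    links that layer to its layer-specific SBOM."""
    return {"_type": STATEMENT_TYPE,
            "subject": [{"name": layer_digest,
                         "digest": {"sha256": layer_digest.split(":", 1)[1]}}],
            "predicateType": PREDICATE_TYPE,
            "predicate": {"sbom": {"digest": {"sha256": sbom_digest.split(":", 1)[1]}}}}


def sign_envelope(statement: dict, key: bytes, keyid: str) -> dict:
    """Wrap a statement in a DSSE envelope; the signature covers PAE(type, payload).
    HMAC stands in for the asymmetric signer (assumption of this illustration)."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}


def batch_sign(statements: list, key: bytes, keyid: str) -> list:
    """One key profile, one envelope per layer statement."""
    return [sign_envelope(s, key, keyid) for s in statements]


def verify_envelope(env: dict, key: bytes, expected_layer: str):
    """Return the statement if the signature verifies AND the subject is the
    expected layer digest, else None. Both checks matter: a valid envelope for
    another layer must not be accepted for this one."""
    if env.get("payloadType") != PAYLOAD_TYPE:
        return None
    payload = base64.b64decode(env["payload"])
    expected = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(base64.b64decode(s["sig"]), expected)
               for s in env["signatures"]):
        return None
    stmt = json.loads(payload)
    return stmt if [s["name"] for s in stmt.get("subject", [])] == [expected_layer] else None


def bundle_layers(image_digest: str, envelopes: list) -> dict:
    """Container-level bundle holding every per-layer envelope."""
    return {"mediaType": BUNDLE_TYPE, "image": image_digest, "attestations": envelopes}


def bundle_layer_subjects(bundle: dict) -> set:
    """Layer digests the bundle references (read from subjects, not verified here)."""
    out = set()
    for env in bundle["attestations"]:
        out.update(s["name"] for s in json.loads(base64.b64decode(env["payload"]))["subject"])
    return out


def referrer_manifest(image_digest: str, bundle_blob: bytes) -> dict:
    """OCI 1.1 referrer-style manifest: 'subject' names the image manifest digest,
    so a Referrers API query on the image discovers the attestation bundle."""
    return {"schemaVersion": 2,
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "artifactType": BUNDLE_TYPE,
            "config": {"mediaType": "application/vnd.oci.empty.v1+json",
                       "digest": sha256_digest(b"{}"), "size": 2},
            "layers": [{"mediaType": "application/vnd.dsse.envelope.v1+json",
                        "digest": sha256_digest(bundle_blob), "size": len(bundle_blob)}],
            "subject": {"mediaType": "application/vnd.oci.image.manifest.v1+json",
                        "digest": image_digest, "size": 0}}  # size 0 is a placeholder


def run_demo() -> dict:
    """Three constructed layers: batch-sign, bundle, attach, verify, and show
    that a wrong-layer envelope and a tampered payload are both rejected."""
    key, keyid = b"constructed-demo-key", "demo-key-1"
    layers = [sha256_digest(b"layer-%d" % i) for i in range(3)]
    sboms = [sha256_digest(b"sbom-%d" % i) for i in range(3)]
    envs = batch_sign([layer_statement(l, s) for l, s in zip(layers, sboms)], key, keyid)
    bundle = bundle_layers(sha256_digest(b"image-manifest"), envs)
    verified = [verify_envelope(e, key, l) for e, l in zip(envs, layers)]
    tampered = dict(envs[0])  # flip one payload byte, keep the original signature
    raw = bytearray(base64.b64decode(envs[0]["payload"]))
    raw[-1] ^= 1
    tampered["payload"] = base64.b64encode(bytes(raw)).decode()
    return {"layers": layers,
            "all_verified": all(v is not None for v in verified),
            "sbom_linked": all(v["predicate"]["sbom"]["digest"]["sha256"] == s.split(":", 1)[1]
                               for v, s in zip(verified, sboms)),
            "wrong_layer_rejected": verify_envelope(envs[0], key, layers[1]) is None,
            "tamper_rejected": verify_envelope(tampered, key, layers[0]) is None,
            "bundle_complete": bundle_layer_subjects(bundle) == set(layers),
            "referrer": referrer_manifest(bundle["image"], json.dumps(bundle).encode())}
```

The point a verifier should take from `verify_envelope` is that the signature check and the subject check are separate: DSSE proves the payload was signed by the key, and the subject comparison proves the payload is about the layer being evaluated. Checking only one of the two leaves a valid attestation for a different layer (or a different image) acceptable.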