git.stella-ops.org/docs/features/unchecked/attestor/release-evidence-pack.md

Release Evidence Pack (Audit Pack)

Module: Attestor
Status: IMPLEMENTED

Description

Portable, verifiable audit bundle for a release: an archive containing a manifest with the SHA-256 digest of every included file, the SBOM inputs, VEX documents, policy bundles, exceptions, findings, the verdict, and its explanation. The pack can be verified offline, and modification or removal of any listed file is detectable against the manifest; a verifier should also reject files present in the archive but absent from the manifest. The digests only bind the contents to the manifest, so the manifest itself must be covered by a signature (or its digest conveyed through a trusted channel); otherwise whoever edits a file can simply regenerate the manifest to match.

Implementation Details

  • Release Evidence Pack Builder: src/Attestor/__Libraries/StellaOps.Attestor.EvidencePack/ReleaseEvidencePackBuilder.cs -- builds complete release evidence packs containing all attestation artifacts.
  • Release Evidence Pack Manifest: Models/ReleaseEvidencePackManifest.cs -- manifest listing all included files with their SHA-256 digests for tamper detection.
  • Release Evidence Pack Serializer: ReleaseEvidencePackSerializer.cs -- serializes evidence packs to a portable format (ZIP/tar with manifest).
  • Verification Replay Log: Models/VerificationReplayLog.cs -- log of verification steps for replay and audit.
  • Verification Replay Log Builder: Services/VerificationReplayLogBuilder.cs -- builds verification replay logs from pipeline execution.
  • Replay Log Serializer Context: Services/ReplayLogSerializerContext.cs -- serializer context for replay logs.
  • Templates: Templates/VERIFY.md.template, verify-unix.template, verify.ps1.template -- verification instruction templates included in the pack for offline verification.
  • Attestation Bundler: __Libraries/StellaOps.Attestor.Bundling/AttestationBundler.cs -- bundles individual attestations into the evidence pack.
  • Sigstore Bundle Verifier: __Libraries/StellaOps.Attestor.Bundle/SigstoreBundleVerifier.cs -- verifies Sigstore bundles within the evidence pack.
  • Tests: __Tests/StellaOps.Attestor.EvidencePack.Tests/

E2E Test Plan

  • Build a release evidence pack via ReleaseEvidencePackBuilder with SBOM, VEX, policy bundle, findings, and verdict; verify all artifacts are included
  • Verify the ReleaseEvidencePackManifest lists all files with correct SHA-256 digests
  • Serialize the evidence pack via ReleaseEvidencePackSerializer and verify the output is a portable archive
  • Tamper with one file in the archive (leaving the manifest untouched) and verify that manifest digest verification detects the change; repeat with a listed file removed and with an unlisted file added
  • Build a VerificationReplayLog and verify it captures all verification steps in order
  • Verify the evidence pack includes verification instruction templates (VERIFY.md, verify-unix, verify.ps1) for offline verification
  • Import a previously exported evidence pack and verify all attestation signatures are valid
  • Verify SigstoreBundleVerifier validates Sigstore bundles within the evidence pack
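The manifest-plus-digests scheme that the Description and the tamper-detection test above rely on, worked through as an added example. This is illustration code written for this page in Python, not StellaOps code (the project's own implementation is the C# under src/Attestor); the member name manifest.json, the JSON layout of the manifest, the sample SBOM/VEX/verdict contents and the helper names are all assumptions made here. It builds a pack, verifies it offline, and then runs the tamper cases: a file edited, an unlisted file added, and a file edited with the manifest regenerated to match.

```python
"""Model of a release evidence pack: a tar archive whose manifest lists the
SHA-256 digest and size of every other member, plus the offline check that a
verifier runs against it.  Added example for this page; not StellaOps code."""
from __future__ import annotations

import hashlib
import io
import json
import tarfile

MANIFEST_NAME = "manifest.json"  # assumed member name; the page does not fix one

# Constructed stand-ins for the SBOM, VEX and verdict inputs a real pack carries.
SAMPLE_FILES = {
    "sbom.cdx.json": b'{"bomFormat":"CycloneDX","components":[]}\n',
    "vex.openvex.json": b'{"@context":"https://openvex.dev/ns/v0.2.0","statements":[]}\n',
    "verdict.json": b'{"decision":"pass"}\n',
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> bytes:
    """Canonical (sorted, compact) JSON so the manifest digest is reproducible."""
    manifest = {
        "version": 1,
        "files": {name: {"sha256": sha256_hex(data), "size": len(data)}
                  for name, data in sorted(files.items())},
    }
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def _write_tar(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(members):  # fixed order and mtime give byte-identical output
            info = tarfile.TarInfo(name)
            info.size = len(members[name])
            info.mtime = 0
            tar.addfile(info, io.BytesIO(members[name]))
    return buf.getvalue()


def _read_tar(archive: bytes) -> dict[str, bytes]:
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return {i.name: tar.extractfile(i).read() for i in tar.getmembers() if i.isfile()}


def build_pack(files: dict[str, bytes]) -> tuple[bytes, str]:
    """Return (archive_bytes, manifest_digest).  The manifest digest is the one value
    that must reach the verifier through a trusted path (a signature over the
    manifest, or out of band); the archive cannot vouch for its own manifest."""
    manifest = build_manifest(files)
    return _write_tar({**files, MANIFEST_NAME: manifest}), sha256_hex(manifest)


def verify_pack(archive: bytes, trusted_manifest_digest: str) -> list[str]:
    """Offline verification.  Returns the problems found; an empty list means OK."""
    problems: list[str] = []
    members = _read_tar(archive)
    for name in list(members):
        if name.startswith("/") or ".." in name.split("/"):
            problems.append(f"unsafe member name: {name}")  # never extract such entries
            del members[name]
    manifest = members.pop(MANIFEST_NAME, None)
    if manifest is None:
        return problems + ["manifest missing"]
    # Pin the manifest first; without this an attacker edits a file and rewrites the manifest.
    if sha256_hex(manifest) != trusted_manifest_digest:
        problems.append("manifest digest does not match the trusted value")
    listed = json.loads(manifest)["files"]
    for name, entry in listed.items():
        if name not in members:
            problems.append(f"listed file missing from archive: {name}")
        elif len(members[name]) != entry["size"] or sha256_hex(members[name]) != entry["sha256"]:
            problems.append(f"digest mismatch: {name}")
    for name in members:
        if name not in listed:
            problems.append(f"unlisted file in archive: {name}")
    return problems


def tamper(archive: bytes, name: str, data: bytes, rewrite_manifest: bool = False) -> bytes:
    """Replace or add one member.  With rewrite_manifest=True the manifest is regenerated
    to match the new contents, which is what an attacker with write access would do."""
    members = _read_tar(archive)
    members[name] = data
    if rewrite_manifest:
        members[MANIFEST_NAME] = build_manifest(
            {k: v for k, v in members.items() if k != MANIFEST_NAME})
    return _write_tar(members)


def run_demo() -> dict[str, list[str]]:
    """Exercise the clean pack and the tamper cases from the test plan."""
    archive, pinned = build_pack(SAMPLE_FILES)
    flipped = b'{"decision":"fail"}\n'
    return {
        "clean": verify_pack(archive, pinned),
        "file_edited": verify_pack(tamper(archive, "verdict.json", flipped), pinned),
        "file_added": verify_pack(tamper(archive, "extra.json", b"{}"), pinned),
        "edited_and_manifest_rewritten": verify_pack(
            tamper(archive, "verdict.json", flipped, rewrite_manifest=True), pinned),
    }
```

Running run_demo() reports the clean pack as OK, the edited verdict as a digest mismatch, and the extra file as an unlisted member. The last case is the one that matters for the caveat in the Description: once the manifest is regenerated, every per-file digest agrees with the archive and only the externally pinned manifest digest reveals the substitution. In a real pack that pin is a signature over the manifest (a Sigstore bundle or similar) or a digest distributed separately from the archive; this page does not state which mechanism the StellaOps pack uses, so the pinned value is passed in explicitly here. The member-name check exists because a verifier that extracts an untrusted archive must refuse absolute and parent-directory paths before it looks at any digest.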