Follows the Flexo live-test reconciliation. Today `tests/integration/sign/` only checks that the SHACL profile gates fire AND that the optional-dependency lazy-import path raises `OptionalDependencyMissing` correctly. Actual verification is NOT exercised end-to-end.
What each live test would prove:

**Cosign / OCI** (`oracle/signing/cosign.py`)
- A real `cosign sign` bundle (transparency log entry + Fulcio cert) on a real OCI image in a real registry verifies through `verify_cosign_bundle`
- Needs: target OCI registry (proposed: `ghcr.io/dynamicalsystemsgroup/flexo-rtm-test` — read-only public, CI-only push) and `cosign sign` credentials in CI
**DSSE** (`oracle/signing/dsse.py`)
- A DSSE envelope produced by the official `in-toto-attestation` CLI verifies through `verify_dsse_envelope`
- Needs: `in-toto` CLI installed in CI, or vendor a fixture set in `examples/dsse/` produced by upstream against a known key
**Rekor** (`oracle/signing/rekor.py`) — decision-free
- `verify_rekor_inclusion_proof` accepts a real proof from `rekor.sigstore.dev/api/v1/log/entries/{uuid}` (no auth, no decision needed; can write inline)
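As an added illustration of what the Rekor live test would check (this is example code written for this issue, not Flexo's `verify_rekor_inclusion_proof` or any code from `oracle/signing/rekor.py`): a stdlib-only verifier for the RFC 6962 / RFC 9162 inclusion proof that a Rekor entry response carries under `verification.inclusionProof`. The field names (`body`, `logIndex`, `treeSize`, `rootHash`, `hashes`) mirror Rekor's response shape as assumed here, `logIndex` is taken as the entry's position within the `treeSize`-leaf tree, and the leaf hash is SHA-256 over `0x00 || base64-decoded body`. The `make_fixture` helper and the five-entry tree are constructed stand-ins for a live response; in the real test, the dict would come from the JSON fetched from `rekor.sigstore.dev`.

```python
"""Verify a Rekor-style Merkle inclusion proof (RFC 6962 / RFC 9162 hashing).

Example code added for this issue; not the project's own verifier.
"""
import base64
import hashlib
from typing import Dict, List

LEAF_PREFIX = b"\x00"  # domain separation for leaves (RFC 6962 section 2.1)
NODE_PREFIX = b"\x01"  # domain separation for interior nodes


def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     path: List[bytes], root: bytes) -> bool:
    """Inclusion-proof verification exactly as in RFC 9162 section 2.1.3.2."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf
    for p in path:
        if sn == 0:
            return False  # proof is longer than the tree allows
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # sibling sits to the left
            if not fn & 1:
                # fn is the rightmost node of a not-yet-full subtree:
                # climb until it becomes a right child (or the root)
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)  # sibling sits to the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def verify_rekor_entry(entry: Dict) -> bool:
    """entry: the value under the UUID key of a GET /api/v1/log/entries/{uuid}
    response (field names assumed to follow Rekor's response shape)."""
    proof = entry["verification"]["inclusionProof"]
    body = base64.b64decode(entry["body"])
    return verify_inclusion(
        leaf_hash(body),
        int(proof["logIndex"]),
        int(proof["treeSize"]),
        [bytes.fromhex(h) for h in proof["hashes"]],
        bytes.fromhex(proof["rootHash"]),
    )


# --- fixture construction (RFC 6962 MTH / PATH), only to build test input ---

def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(leaves: List[bytes]) -> bytes:
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split(n)
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_path(m: int, leaves: List[bytes]) -> List[bytes]:
    n = len(leaves)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_path(m, leaves[:k]) + [merkle_root(leaves[k:])]
    return inclusion_path(m - k, leaves[k:]) + [merkle_root(leaves[:k])]


def make_fixture(bodies: List[bytes], index: int) -> Dict:
    """Constructed stand-in for a live Rekor entry response (not real log data)."""
    return {
        "body": base64.b64encode(bodies[index]).decode(),
        "verification": {
            "inclusionProof": {
                "logIndex": index,
                "treeSize": len(bodies),
                "rootHash": merkle_root(bodies).hex(),
                "hashes": [h.hex() for h in inclusion_path(index, bodies)],
            }
        },
    }


if __name__ == "__main__":
    entries = [b"constructed-entry-%d" % i for i in range(5)]
    print(verify_rekor_entry(make_fixture(entries, 2)))
```

Note that this checks the proof only against the `rootHash` the response itself reports; a live test should additionally verify the signed checkpoint in the same response against Rekor's public key, otherwise a forged response can supply a matching root for any proof.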
**VC-DI cross-impl** (`oracle/signing/vc_di.py`, eddsa-rdfc-2022) — decision-free
- A proof produced by another VC-DI implementation (Digital Bazaar's `@digitalbazaar/data-integrity`) against a fixed dataset + key verifies in our `vc_di.verify`
- Test point: W3C VC Data Integrity test vectors at https://github.com/w3c/vc-data-integrity/tree/main/test-vectors (no decision needed)
Rekor and VC-DI cross-impl can be written today. Cosign and DSSE need decisions:

Decision needed:
- OK to set up `ghcr.io/dynamicalsystemsgroup/flexo-rtm-test` for the Cosign live test? (Read-only public; CI-only push.)
- For DSSE: install `in-toto` CLI as a CI dep, or vendor upstream fixtures into `examples/dsse/` for offline verification?