CS2 — Software Release Chain
Setting. A CI/CD pipeline signs OCI images and wants offline-verifiable release lineage.
Design
Dual-sign each artifact (Cosign + EP); model build/test/package as EPs with transformation receipts; include Rekor IDs in EP.refs; anchors at every successful pipeline stage; weekly BTC archival for LTS.
Policy Profile
CFS‑Dual at GA; PB‑Strict bundles; OKB required for org key; PQ‑hybrid by policy date.
Workflow
- Developer push → CI build → EP for build artifacts → test receipts → package EP → release EP with anchors → publish OCI + EP sidecar.
Evidence & Verification
Offline verifiers check the Cosign chain and the EP independently, so a failure in one does not mask the other; the CFS predicates must pass; equivalence with the in‑toto link metadata is enforced through shared invariants (commit hash, compiler version) recorded in every stage's EP.
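As an added illustration of the workflow and of the offline check above (example code, not the project's own): each stage emits an EP record that attests one artefact digest, hash-links to the previous stage's EP, carries external refs such as Rekor entry IDs, and repeats the invariants; the verifier recomputes digests, follows the links, enforces the invariants and requires an anchor on the release EP. The EP field layout, the SHA-256 hash link standing in for the stage signature, and all commit, Rekor and anchor identifiers are assumptions constructed for the example.

```python
import hashlib
import json

# Assumed EP layout (the page does not define the schema): one record per stage,
# hash-linked to the previous stage; "refs" holds opaque Rekor IDs, "anchors"
# holds external timestamp anchors. A real EP would also carry a signature.
STAGES = ("build", "test", "package", "release")


def canonical(obj):
    # Deterministic JSON so digests are reproducible on an offline verifier.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_ep(stage, artifact, prev_digest, invariants, refs=(), anchors=()):
    body = {
        "stage": stage,
        "artifact_digest": sha256_hex(artifact),
        "prev": prev_digest,            # hash link to the previous stage's EP
        "invariants": dict(invariants),  # commit hash, compiler version
        "refs": list(refs),
        "anchors": list(anchors),
    }
    return {"body": body, "digest": sha256_hex(canonical(body))}


def build_release_chain(commit, compiler, artifacts, rekor_ids, anchors):
    """Model build -> test -> package -> release as hash-linked EPs."""
    invariants = {"commit": commit, "compiler": compiler}
    chain, prev = [], None
    for stage in STAGES:
        ep = make_ep(stage, artifacts[stage], prev, invariants,
                     refs=rekor_ids.get(stage, ()), anchors=anchors.get(stage, ()))
        chain.append(ep)
        prev = ep["digest"]
    return chain


def verify_chain(chain, expected_commit, expected_compiler, artifacts=None):
    """Offline check: recompute each digest, follow the hash links, enforce the
    invariants on every stage, require an anchor on the release EP.
    Returns (ok, reason)."""
    if [ep["body"]["stage"] for ep in chain] != list(STAGES):
        return False, "stage sequence mismatch"
    prev = None
    for ep in chain:
        body, stage = ep["body"], ep["body"]["stage"]
        if sha256_hex(canonical(body)) != ep["digest"]:
            return False, f"{stage}: digest does not match body"
        if body["prev"] != prev:
            return False, f"{stage}: broken hash link"
        inv = body["invariants"]
        if inv.get("commit") != expected_commit or inv.get("compiler") != expected_compiler:
            return False, f"{stage}: invariant mismatch"
        if artifacts is not None and sha256_hex(artifacts[stage]) != body["artifact_digest"]:
            return False, f"{stage}: artifact digest mismatch"
        prev = ep["digest"]
    if not chain[-1]["body"]["anchors"]:
        return False, "release EP has no anchor"
    return True, "ok"


def tamper_stage(chain, stage, new_artifact, recompute_digest):
    """Copy of the chain with one stage's artefact swapped (supply-chain
    injection), optionally re-digested so that EP looks self-consistent."""
    out = [{"body": dict(ep["body"]), "digest": ep["digest"]} for ep in chain]
    for ep in out:
        if ep["body"]["stage"] == stage:
            ep["body"]["artifact_digest"] = sha256_hex(new_artifact)
            if recompute_digest:
                ep["digest"] = sha256_hex(canonical(ep["body"]))
    return out


# Constructed sample input: not real commit, Rekor or anchor identifiers.
SAMPLE_COMMIT = "1f2e3d4c" * 5
SAMPLE_COMPILER = "gcc 13.2.0"
SAMPLE_ARTIFACTS = {"build": b"app.bin contents", "test": b"junit report: all passed",
                    "package": b"oci image manifest", "release": b"release manifest v1.0.0"}
SAMPLE_REKOR = {"build": ["rekor:log-index-1001"], "package": ["rekor:log-index-1002"]}
SAMPLE_ANCHORS = {"release": ["eth:constructed-anchor-0001"]}


def demo():
    chain = build_release_chain(SAMPLE_COMMIT, SAMPLE_COMPILER, SAMPLE_ARTIFACTS,
                                SAMPLE_REKOR, SAMPLE_ANCHORS)
    swapped = tamper_stage(chain, "package", b"trojaned image", False)
    redigested = tamper_stage(chain, "package", b"trojaned image", True)
    return {
        "clean": verify_chain(chain, SAMPLE_COMMIT, SAMPLE_COMPILER, SAMPLE_ARTIFACTS),
        "swapped_package": verify_chain(swapped, SAMPLE_COMMIT, SAMPLE_COMPILER),
        "swapped_and_redigested": verify_chain(redigested, SAMPLE_COMMIT, SAMPLE_COMPILER),
        "wrong_compiler": verify_chain(chain, SAMPLE_COMMIT, "clang 17.0.1"),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:24s} ok={ok} {reason}")
```

The two tamper cases show why the link matters: swapping the package digest alone fails that stage's own digest check, and re-digesting the tampered EP only moves the failure to the release stage, whose `prev` no longer matches. An attacker would have to re-issue every later EP and its anchor, which is what the witness co-signature and external anchors are there to prevent.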
Cost & Operations
Anchor submissions are batched hourly; ETH provides low-latency finality, BTC the weekly archival for LTS releases; watchers are operated by teams independent of the release team.
Outcomes
- Auditable release chain; independence from online transparency logs in air‑gapped audits.
Risks & Mitigations
- Key loss → mitigated by the Eon key lifecycle with KCS/KRS; supply-chain injection → mitigated by the cross-stage invariants (commit hash, compiler version) and a witness co-signature at release.
KPIs
- 100% of released artifacts ship with an EP; error budget ≤ 0.1%; mean offline verification time ≤ 80 ms.