Trust
Software Bill of Materials
Interim: F-28 OTA pipeline + cosign ceremony pending operator gate (@OPERATOR-ACTION-1, -2)
Every Consigliere firmware build emits a CycloneDX v1.5 SBOM, signed with cosign and uploaded to R2://xpoose-trust/sbom/. Below is the verification recipe procurement officers can run against the signed artifact.
Interim placeholder
The first signed firmware ships once @OPERATOR-ACTION-1 (cosign notary) and @OPERATOR-ACTION-2 (3× YubiKey 5C FIPS) are resolved. Until then, this page documents the verification path. Auditors satisfied by the recipe + the cosign public key can put us on their AVL today; auditors who want the artifact can wait or request the unsigned interim build.
Latest signed SBOM
Will be linked here once F-28 publishes the first build.
Format: CycloneDX v1.5 JSON. Signed with cosign per ADR-017.
Cosign public key
Pinned in the integrity manifest; rotated annually under the cosign ceremony runbook.
SHA-256 of the key file is published in the integrity manifest at /security/integrity-manifest.json.
Verification recipe
Run this from any machine with cosign installed. The command exits non-zero if the signature doesn’t verify or the certificate identity doesn’t match.
cosign verify-blob \
  --certificate xpoose-consigliere.crt \
  --signature xpoose-consigliere.cdx.json.sig \
  --certificate-identity-regexp 'xpoose\.com$' \
  xpoose-consigliere.cdx.json
Refresh cadence
- SBOMs older than 90 days are treated as unsupported — we re-publish on every firmware build, plus an out-of-band rebuild on any dependency CVE rated ≥ HIGH.
- Cosign keys rotate annually under the ceremony runbook (ADR-017). The integrity manifest pins the active key fingerprint.
- Drift on the rendered HTML vs the published SBOM fires a P2 alert via the daily trust.integrity-check cron once F-28 is live.
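The key pin and the 90-day rule above can be checked on the auditor's side after cosign verify-blob has succeeded. The following is an added example, not xpoose tooling: it compares the SHA-256 of the downloaded key file with a digest the caller has copied out of the integrity manifest (the manifest's field layout is not assumed), then checks the SBOM's CycloneDX version and the age of its metadata.timestamp. Function names and the sample SBOM are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

MAX_SBOM_AGE = timedelta(days=90)  # refresh cadence stated on this page
EXPECTED_SPEC = "1.5"              # CycloneDX version stated on this page

# Constructed sample, not a real Consigliere SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"timestamp": "2024-01-10T08:00:00Z"}, "components": [],
})


def key_matches_pin(key_bytes: bytes, pinned_sha256_hex: str) -> bool:
    """SHA-256 of the key file vs. the digest copied from the integrity manifest."""
    return hashlib.sha256(key_bytes).hexdigest() == pinned_sha256_hex.strip().lower()


def sbom_problems(sbom_text: str, now: datetime) -> list[str]:
    """Reasons to reject an SBOM whose signature has already verified."""
    try:
        bom = json.loads(sbom_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(bom, dict):
        return ["top-level JSON value is not an object"]
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if bom.get("specVersion") != EXPECTED_SPEC:
        problems.append(f"specVersion is {bom.get('specVersion')!r}, not {EXPECTED_SPEC!r}")
    metadata = bom.get("metadata")
    raw_ts = metadata.get("timestamp") if isinstance(metadata, dict) else None
    if not isinstance(raw_ts, str):
        return problems + ["metadata.timestamp missing, age cannot be checked"]
    try:
        ts = datetime.fromisoformat(raw_ts.replace("Z", "+00:00"))
    except ValueError:
        return problems + [f"metadata.timestamp unparseable: {raw_ts!r}"]
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)  # assumption: naive timestamps are UTC
    if ts > now:
        problems.append("metadata.timestamp is in the future")
    elif now - ts > MAX_SBOM_AGE:
        problems.append(f"SBOM is {(now - ts).days} days old, limit is 90")
    return problems
```

Pass a timezone-aware `now`, such as `datetime.now(timezone.utc)`; an empty list means the SBOM passed these checks, which supplement the signature verification and do not replace it.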