ROADMAP.md
1 # Cerro Torre Roadmap 2 3 ## Philosophy 4 5 Cerro Torre is "**ship containers safely**" — the distribution complement to Svalinn's "run containers nicely". 6 7 A user should be able to: 8 1. **Wrap** an OCI image into a verifiable bundle (`.ctp`) 9 2. **Move** that bundle around (offline, airgapped, mirrors) 10 3. **Verify** it deterministically 11 4. **Install/run** it with minimal ceremony 12 13 --- 14 15 ## Current Status: Pre-Alpha 16 17 The project structure and architecture are defined. Core modules exist as stubs with interfaces specified but implementations incomplete. 18 19 --- 20 21 ## MVP v0.1 — "First Ascent" 22 23 **Goal:** Ergonomic CLI for pack/verify/explain with great errors 24 25 ### Core Commands (Must Have) 26 27 - [ ] **ct pack** — Create verifiable bundle from OCI image 28 ```bash 29 ct pack docker.io/library/nginx:1.26 -o nginx.ctp 30 ct pack oci:./local-image -o local.ctp 31 ``` 32 - Read OCI image (via skopeo for MVP) 33 - Generate canonical manifest.toml 34 - Generate summary.json with all digests 35 - Sign with specified key (or default) 36 37 - [ ] **ct verify** — Verify bundle with specific error codes 38 ```bash 39 ct verify nginx.ctp 40 ct verify nginx.ctp --policy strict.json 41 ``` 42 - Exit 0: valid 43 - Exit 1: hash mismatch 44 - Exit 2: signature invalid 45 - Exit 3: key not trusted 46 - Exit 4: policy rejection 47 - Exit 10: malformed bundle 48 49 - [ ] **ct explain** — Human-readable verification chain 50 ```bash 51 ct explain nginx.ctp 52 ct explain nginx.ctp --signers 53 ct explain nginx.ctp --layers 54 ``` 55 - Package info, provenance, content hashes 56 - Signatures with fingerprints 57 - Trust chain status 58 59 ### Key Management (Must Have) 60 61 - [ ] **ct keygen** — Generate signing keypair 62 ```bash 63 ct keygen --id my-signing-key 64 ct keygen --suite CT-SIG-02 # hybrid post-quantum 65 ``` 66 - Ed25519 for MVP (CT-SIG-01) 67 - Argon2id-encrypted private key 68 - Human-readable fingerprint 69 70 - [ ] **ct key** — Key management subcommands 71 ```bash 72 ct key list 73 ct key import upstream.pub 74 ct key export my-key --public 75 ct key default my-key 76 ``` 77 78 ### Trust Policy (Must Have) 79 80 - [ ] **policy.json** — Trust policy file 81 - Allowed signers (glob patterns) 82 - Allowed registries 83 - Allowed crypto suites 84 - `ct verify --policy <file>` enforcement 85 86 ### Quality Attributes (Must Have) 87 88 - [ ] **Great error messages** 89 - Specific: exactly what failed 90 - Actionable: what to do about it 91 - Contextual: bundle name, key id, etc. 92 93 - [ ] **Deterministic canonicalization** 94 - Same inputs → byte-identical output 95 - Conformance test suite 96 - Per spec/manifest-canonicalization.adoc 97 98 ### Should Have 99 100 - [ ] **SHA-256 + Ed25519 via libsodium** 101 - Battle-tested implementation 102 - SPARK proofs deferred to v0.3 103 104 - [ ] **Configuration file** 105 - ~/.config/cerro/config.toml 106 - Default policy, default key, output format 107 108 ### Nice to Have 109 110 - [ ] **--json output mode** for all commands 111 - [ ] **Colored terminal output** with --color=auto 112 113 --- 114 115 ## v0.2 — "Base Camp" 116 117 **Goal:** Distribution, runtime integration, and adoption ergonomics 118 119 ### Distribution Commands 120 121 - [ ] **ct fetch** — Pull bundle from registry or create from image 122 ```bash 123 ct fetch cerro-registry.io/nginx:1.26 -o nginx.ctp 124 ct fetch docker.io/library/nginx:1.26 -o nginx.ctp --create 125 ``` 126 127 - [ ] **ct push** — Publish bundle to registry/mirror 128 ```bash 129 ct push nginx.ctp cerro-registry.io/nginx:1.26 130 ct push nginx.ctp s3://my-bucket/packages/ 131 ct push nginx.ctp git://github.com/org/manifests 132 ``` 133 134 - [ ] **ct export / ct import** — Offline media support 135 ```bash 136 ct export nginx.ctp redis.ctp -o offline-bundle.tar 137 ct export --manifest packages.txt -o airgap.tar --include-keys 138 ct import airgap.tar --verify --policy strict.json 139 ``` 140 141 ### Runtime Integration 142 143 - [ ] **ct run** — Delegate to configured runtime (including Svalinn) 144 ```bash 145 ct run nginx.ctp # Uses default runtime 146 ct run nginx.ctp --runtime=svalinn # Explicit Svalinn 147 ct run nginx.ctp --runtime=podman # Explicit podman 148 ct run nginx.ctp -- -p 8080:80 # Pass args to runtime 149 ``` 150 - Verify before run (unless --no-verify) 151 - Configure default runtime in config.toml 152 - Svalinn integration per spec/svalinn-integration.adoc 153 154 - [ ] **ct unpack** — Extract OCI layout for external tooling 155 ```bash 156 ct unpack nginx.ctp -o ./nginx-oci/ # OCI layout on disk 157 ct unpack nginx.ctp --format=docker # Docker save format 158 ``` 159 - Enables use with nerdctl, podman, docker, buildah 160 - Preserves all attestations alongside 161 162 ### Diagnostics 163 164 - [ ] **ct doctor** — Check distribution pipeline health 165 ```bash 166 ct doctor # Full check 167 ct doctor --quick # Just essentials 168 ``` 169 - Crypto backend availability (libsodium, liboqs) 170 - Registry access and authentication 171 - Local content store integrity 172 - Clock skew / timestamp sanity 173 - Key expiration warnings 174 - Policy file validity 175 176 ### Key Rotation & Revocation 177 178 - [ ] **ct re-sign** — Re-sign bundle with new key (same content) 179 ```bash 180 ct re-sign nginx.ctp -k new-key-2026 181 ct re-sign nginx.ctp --add-signature # Keep old, add new 182 ``` 183 - Preserves content hashes 184 - Supports key rotation without re-packing 185 - Can add signatures (multi-signer) 186 187 - [ ] **Policy deny-lists and revocation** 188 ```json 189 { 190 "signers": { 191 "denied": [ 192 { "key_id": "compromised-key", "after": "2025-06-01" } 193 ] 194 }, 195 "pin": { 196 "nginx.ctp": { "digest": "sha256:abc...", "signers": ["trusted-key"] } 197 } 198 } 199 ``` 200 - Deny signer from specific date 201 - Pin artifact to digest + signer (not just tag) 202 - Threshold rules (require N of M signers) 203 204 ### Bundle Comparison 205 206 - [ ] **ct diff** — Human-readable diff between bundles 207 ```bash 208 ct diff old.ctp new.ctp 209 ct diff old.ctp new.ctp --layers # Just layer changes 210 ct diff old.ctp new.ctp --signers # Just signer changes 211 ``` 212 Output: 213 ``` 214 Comparing: nginx-1.25.ctp → nginx-1.26.ctp 215 216 Layers: 217 ~ sha256:abc... → sha256:def... (base layer changed) 218 + sha256:123... (new layer added) 219 220 Config: 221 ~ ENV["NGINX_VERSION"] = "1.25" → "1.26" 222 223 Signatures: 224 ✓ Both signed by: cerro-official-2025 225 + New signature: nginx-maintainer-2025 226 227 Attestations: 228 ✓ SBOM present in both 229 ~ Provenance builder changed: v1.0 → v1.1 230 ``` 231 - Huge QoL for trust debugging 232 - Shows what actually changed between versions 233 234 ### Index & Search 235 236 - [ ] **ct index** — Build searchable index of bundles 237 ```bash 238 ct index ./bundles/ # Index a directory 239 ct index --update # Update existing index 240 ``` 241 242 - [ ] **ct search** — Search bundles by metadata 243 ```bash 244 ct search nginx # By name 245 ct search --signer cerro-* # By signer 246 ct search --has-sbom # Has SBOM attestation 247 ct search --digest sha256:abc # By source image digest 248 ct search --after 2025-01-01 # By date 249 ``` 250 Searchable fields: 251 - Name, version, description 252 - Source image digest 253 - Signer key IDs and fingerprints 254 - SBOM presence, license info 255 - Build provenance (builder, date) 256 - Base image lineage 257 258 ### Post-Quantum Signatures 259 260 - [ ] **ML-DSA-65 (Dilithium)** via liboqs bindings 261 - [ ] **CT-SIG-02** — Hybrid Ed25519 + ML-DSA-87 262 - [ ] **CT-SIG-03** — Post-quantum only (ML-DSA-87) 263 - [ ] Signature format already algorithm-agile from v0.1 264 265 ### Policy Helpers 266 267 - [ ] **ct policy init** — Create starter policy interactively 268 - [ ] **ct policy add-signer** — Trust a signer 269 - [ ] **ct policy add-registry** — Allow a registry 270 - [ ] **ct policy deny** — Add to deny-list 271 272 --- 273 274 ## v0.3 — "The Wall" 275 276 **Goal:** Attestations + ecosystem integration 277 278 ### Attestations 279 280 - [ ] **SBOM generation** — SPDX 2.3 JSON in bundle 281 - [ ] **SLSA provenance** — in-toto attestation format 282 - [ ] **Transparency log** — Log submission + proof inclusion 283 - [ ] **Threshold signatures** — FROST-Ed25519 for governance 284 285 ### Ecosystem 286 287 - [ ] **SELinux policy** — CIL policy generation 288 - [ ] **OSTree export** — Compatible with rpm-ostree 289 - [ ] **Svalinn deep integration** — Shared trust store, attestation passing 290 291 ### Quality 292 293 - [ ] **SPARK proofs** for crypto module 294 - [ ] **Security audit** of core code 295 296 --- 297 298 ## v0.4 — "The Summit" 299 300 **Goal:** Federated operation, build verification 301 302 ### Build Flow (Separate from Pack) 303 304 - [ ] **Debian importer** — Import from Debian source packages 305 ```bash 306 ct build debian:nginx/1.26.0-1 -o nginx.ctp 307 ``` 308 - [ ] **Fedora importer** — Import from SRPMs 309 - [ ] **Alpine importer** — Import from APKBUILDs 310 311 ### Federation 312 313 - [ ] **Federated transparency log** — Multiple witnesses 314 - [ ] **Multi-builder verification** — Consensus on builds 315 - [ ] **Mirror support** — Delta synchronization 316 317 --- 318 319 ## Future / Wishlist 320 321 - **Nix Importer** — Import from nixpkgs 322 - **Bootable Images** — Full bootable system images 323 - **Secure Boot Integration** — Sign boot components 324 - **Hardware Attestation** — TPM-based attestation 325 - **Mobile Verification** — Verify on Android/iOS 326 327 --- 328 329 ## Non-Goals 330 331 - **GUI Application** — CLI-first, web UI for viewing only 332 - **Windows Support** — Linux containers and immutable Linux only 333 - **Binary Package Management** — We verify, distributions distribute 334 - **Build execution in v0.1** — Pack existing images first, build-from-source later 335 336 --- 337 338 ## Success Metrics 339 340 ### MVP v0.1 Success 341 - [ ] `ct pack` + `ct verify` + `ct explain` work end-to-end 342 - [ ] Error messages are specific and actionable 343 - [ ] Key generation and verification work 344 - [ ] Canonicalization conformance tests pass 345 - [ ] Documentation complete enough for others to try 346 347 ### v0.2 Success 348 - [ ] `ct run` works with Svalinn and podman 349 - [ ] `ct doctor` catches common setup issues 350 - [ ] `ct diff` helps debug trust issues 351 - [ ] Offline export/import works for airgapped environments 352 - [ ] Post-quantum signatures work (CT-SIG-02) 353 - [ ] At least one external contributor 354 355 ### v0.3 Success 356 - [ ] SBOM + provenance in every bundle 357 - [ ] Used in at least one production deployment 358 - [ ] Security audit complete 359 360 ### v0.4 Success 361 - [ ] Multiple independent operators 362 - [ ] Transparency log with >2 witnesses 363 - [ ] Debian/Fedora import working