-
Notifications
You must be signed in to change notification settings - Fork 498
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support working with SLSA statements (without wrapping) #3641
Comments
Let's formalize this a bit. The most important aspect hereby is to clearly define the interface between the application which generates the SLSA statements and the signing / verification. Use-Case:
Proposed solution (signing):
Proposed solution (verification):
Alternative implementation:
Closing words: It would be great if someone more familiar with the SLSA / in-toto attestations could have a look at the ambiguities in the spec (mentioned above). Maybe that's just due to my imprecise reading of the spec, but if it is really imprecise or unclear, we should improve the spec as well. Anyways, I'm happy to hear feedback. |
The SLSA attestation model [1] defines a "statement" as an in-toto attestation, e.g. as "https://in-toto.io/Statement/v1" [2]. This statement contains both the predicate (e.g. "provenance" / "cyclonedx") as well as the "subject", that defines for which files the predicate holds. It would be great, if the cosign tool could directly work with these json documents instead and just add the DSSEv1 envelope (+key handling, rekor uploading,...).
The current version of cosign only allows to work with raw predicates (
--predicate
), but these are wrapped into ahttps://cosign.sigstore.dev/attestation/v1
. The output then contains the original predicate inPredicate.Data
, which hides it from tooling that directly works on the predicates.Another alternative would be to split the cosign workflow into the certificate fetching part and the upload to rekor part. Then, the creation of the DSSEv1 (which is rather trivial) could be done by other tooling.
The text was updated successfully, but these errors were encountered: