diff --git a/pom.xml b/pom.xml
index 4bcadf5..19745da 100644
--- a/pom.xml
+++ b/pom.xml
@@ -4,7 +4,7 @@ io.github.in-toto in-toto jar - 0.5.0 + 0.6.0 in-toto https://maven.apache.org A framework to secure software supply chains.
diff --git a/src/main/java/io/github/intoto/slsa/models/v02/Provenance.java b/src/main/java/io/github/intoto/slsa/models/v02/Provenance.java
index ae2a915..c3a4b39 100644
--- a/src/main/java/io/github/intoto/slsa/models/v02/Provenance.java
+++ b/src/main/java/io/github/intoto/slsa/models/v02/Provenance.java
@@ -9,7 +9,7 @@ import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.NotNull;
-/** Implementation of the https://slsa.dev/provenance/v0.1 */
+/** Implementation of the https://slsa.dev/provenance/v0.2 */
 public class Provenance extends Predicate {
 /**
@@ -109,6 +109,6 @@ public int hashCode() {
 @Override
 public String getPredicateType() {
- return "https://slsa.dev/provenance/v0.1";
+ return "https://slsa.dev/provenance/v0.2";
 }
 }
diff --git a/src/main/java/io/github/intoto/slsa/models/v1/BuildDefinition.java b/src/main/java/io/github/intoto/slsa/models/v1/BuildDefinition.java
new file mode 100644
index 0000000..c40a9ff
--- /dev/null
+++ b/src/main/java/io/github/intoto/slsa/models/v1/BuildDefinition.java
@@ -0,0 +1,139 @@
+package io.github.intoto.slsa.models.v1;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonInclude.Include;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotEmpty;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+
+/**
+ * The BuildDefinition describes all of the inputs to the build. It SHOULD contain all the
+ * information necessary and sufficient to initialize the build and begin execution.
+ *
+ *
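Review bot: The predicate-type URI is now written out twice in this class — in the Javadoc and in the `return` of `getPredicateType()` — and a third time as a literal in the IntotoHelperTest fixtures, which is exactly why this bump had to touch several places. A `public static final String PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2";` on the class, returned by `getPredicateType()` and referenced from the Javadoc via `{@value}`, would keep the type and its documentation from drifting again and let the tests assert against the constant. The rest of the class body lies outside these two hunks, so where the constant should sit among the existing fields cannot be checked here.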

The externalParameters and internalParameters are the top-level inputs to the template,
+ * meaning inputs not derived from another input. Each is an arbitrary JSON object, though it is
+ * RECOMMENDED to keep the structure simple with string values to aid verification. The same field
+ * name SHOULD NOT be used for both externalParameters and internalParameters.
+ *
+ *

The parameters SHOULD only contain the actual values passed in through the interface to the
+ * build platform. Metadata about those parameter values, particularly digests of artifacts
+ * referenced by those parameters, SHOULD instead go in resolvedDependencies. The documentation for
+ * buildType SHOULD explain how to convert from a parameter to the dependency uri. For example:
+ *
+ *

+ * {@code }
+ * 
+ */
+public class BuildDefinition {
+
+ /**
+ * Identifies the template for how to perform the build and interpret the parameters and
+ * dependencies.
+ *
+ *

The URI SHOULD resolve to a human-readable specification that includes: overall description
+ * of the build type; schema for externalParameters and internalParameters; unambiguous
+ * instructions for how to initiate the build given this BuildDefinition, and a complete example.
+ * Example: https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1
+ */
+ @NotBlank(message = "buildType must not be empty or blank")
+ private String buildType;
+
+ /**
+ * The parameters that are under external control, such as those set by a user or tenant of the
+ * build platform. They MUST be complete at SLSA Build L3, meaning that there is no additional
+ * mechanism for an external party to influence the build. (At lower SLSA Build levels, the
+ * completeness MAY be best effort.)
+ *
+ *

The build platform SHOULD be designed to minimize the size and complexity of
+ * externalParameters, in order to reduce fragility and ease verification. Consumers SHOULD have
+ * an expectation of what “good” looks like; the more information that they need to check, the
+ * harder that task becomes.
+ *
+ *

Verifiers SHOULD reject unrecognized or unexpected fields within externalParameters.
+ */
+ @NotEmpty(message = "externalParameters must not be empty")
+ private Map externalParameters;
+
+ /**
+ * The parameters that are under the control of the entity represented by builder.id. The primary
+ * intention of this field is for debugging, incident response, and vulnerability management. The
+ * values here MAY be necessary for reproducing the build. There is no need to verify these
+ * parameters because the build platform is already trusted, and in many cases it is not practical
+ * to do so.
+ */
+ @JsonInclude(Include.NON_EMPTY)
+ private Map internalParameters;
+
+ /**
+ * Unordered collection of artifacts needed at build time. Completeness is best effort, at least
+ * through SLSA Build L3. For example, if the build script fetches and executes
+ * “example.com/foo.sh”, which in turn fetches “example.com/bar.tar.gz”, then both “foo.sh” and
+ * “bar.tar.gz” SHOULD be listed here.
+ */
+ private List resolvedDependencies;
+
+ public String getBuildType() {
+ return buildType;
+ }
+
+ public void setBuildType(String buildType) {
+ this.buildType = buildType;
+ }
+
+ public Map getExternalParameters() {
+ return externalParameters;
+ }
+
+ public void setExternalParameters(Map externalParameters) {
+ this.externalParameters = externalParameters;
+ }
+
+ public Map getInternalParameters() {
+ return internalParameters;
+ }
+
+ public void setInternalParameters(Map internalParameters) {
+ this.internalParameters = internalParameters;
+ }
+
+ public List getResolvedDependencies() {
+ return resolvedDependencies;
+ }
+
+ public void setResolvedDependencies(
+ List resolvedDependencies) {
+ this.resolvedDependencies = resolvedDependencies;
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass()) {
+ return false;
+ }
+ io.github.intoto.slsa.models.v1.BuildDefinition buildDefinition =
(io.github.intoto.slsa.models.v1.BuildDefinition) o;
+ return buildType.equals(buildDefinition.buildType) && Objects.equals(externalParameters,
+ buildDefinition.externalParameters)
+ && Objects.equals(internalParameters, buildDefinition.internalParameters) && Objects.equals(
+ resolvedDependencies, buildDefinition.resolvedDependencies);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(buildType, externalParameters, internalParameters,
+ resolvedDependencies);
+ }
+}
diff --git a/src/main/java/io/github/intoto/slsa/models/v1/BuildMetadata.java b/src/main/java/io/github/intoto/slsa/models/v1/BuildMetadata.java
new file mode 100644
index 0000000..3859ce6
--- /dev/null
+++ b/src/main/java/io/github/intoto/slsa/models/v1/BuildMetadata.java
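Review bot: `equals` dereferences `buildType` directly (`buildType.equals(buildDefinition.buildType)`), so comparing a BuildDefinition whose buildType was never set throws NullPointerException instead of returning false; the `@NotBlank` constraint only applies once a validator runs, it does not stop the setter or Jackson from leaving the field null. The other three fields already go through `Objects.equals`, so the line should be `return Objects.equals(buildType, buildDefinition.buildType) && Objects.equals(externalParameters,`; Builder.equals in this same commit has the identical pattern with `id.equals(builder.id)`. The cast also spells out `io.github.intoto.slsa.models.v1.BuildDefinition` inside its own package, where the simple name used by the sibling classes (`BuildDefinition buildDefinition = (BuildDefinition) o;`) reads better.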
@@ -0,0 +1,73 @@
+package io.github.intoto.slsa.models.v1;
+
+import com.fasterxml.jackson.annotation.JsonFormat;
+import java.time.OffsetDateTime;
+import java.util.Objects;
+
+public class BuildMetadata {
+
+ /**
+ * Identifies this particular build invocation, which can be useful for finding associated logs or
+ * other ad-hoc analysis. The exact meaning and format is defined by builder.id; by default it is
+ * treated as opaque and case-sensitive. The value SHOULD be globally unique.
+ */
+ private String invocationId;
+
+ /**
+ * The timestamp of when the build started. A point in time, represented as a string in RFC 3339
+ * format in the UTC time zone ("Z").
+ */
+ @JsonFormat(shape = JsonFormat.Shape.STRING, pattern = "yyyy-MM-dd'T'HH:mm:ssXXX")
+ private OffsetDateTime startedOn;
+
+ /**
+ * The timestamp of when the build completed.A point in time, represented as a string in RFC 3339
+ * format in the UTC time zone ("Z").
+ */
+ @JsonFormat(shape = JsonFormat.Shape.STRING, pattern = "yyyy-MM-dd'T'HH:mm:ssXXX")
+ private OffsetDateTime finishedOn;
+
+ public String getInvocationId() {
+ return invocationId;
+ }
+
+ public void setInvocationId(String invocationId) {
+ this.invocationId = invocationId;
+ }
+
+ public OffsetDateTime getStartedOn() {
+ return startedOn;
+ }
+
+ public void setStartedOn(OffsetDateTime startedOn) {
+ this.startedOn = startedOn;
+ }
+
+ public OffsetDateTime getFinishedOn() {
+ return finishedOn;
+ }
+
+ public void setFinishedOn(OffsetDateTime finishedOn) {
+ this.finishedOn = finishedOn;
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass()) {
+ return false;
+ }
+ BuildMetadata buildMetadata = (BuildMetadata) o;
+ return Objects.equals(invocationId, buildMetadata.invocationId)
+ && Objects.equals(startedOn, buildMetadata.startedOn)
+ && Objects.equals(finishedOn, buildMetadata.finishedOn);
+ }
+
+ @Override
+ public int hashCode() {
+ return
Objects.hash(
+ invocationId, startedOn, finishedOn);
+ }
+}
diff --git a/src/main/java/io/github/intoto/slsa/models/v1/Builder.java b/src/main/java/io/github/intoto/slsa/models/v1/Builder.java
new file mode 100644
index 0000000..c06b59f
--- /dev/null
+++ b/src/main/java/io/github/intoto/slsa/models/v1/Builder.java
@@ -0,0 +1,93 @@
+package io.github.intoto.slsa.models.v1;
+
+import jakarta.validation.constraints.NotBlank;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+
+/**
+ * The build platform, or builder for short, represents the transitive closure of all the entities
+ * that are, by necessity, trusted to faithfully run the build and record the provenance. This
+ * includes not only the software but the hardware and people involved in running the service. For
+ * example, a particular instance of Tekton could be a build platform, while Tekton itself is not.
+ * For more info, see Build model.
+ *
+ *
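Review bot: The `@JsonFormat` pattern `yyyy-MM-dd'T'HH:mm:ssXXX` on `startedOn` and `finishedOn` writes whatever offset the OffsetDateTime carries and drops fractional seconds, while the field Javadoc promises RFC 3339 in the UTC zone ("Z"); a value set with a +02:00 offset is serialized as such, and a timestamp with sub-second precision will not compare `equals` to itself after a round trip. Normalizing in the setters is the most predictable fix, e.g. `this.startedOn = startedOn == null ? null : startedOn.withOffsetSameInstant(ZoneOffset.UTC);` (needs `java.time.ZoneOffset`), and the truncation to whole seconds should be stated in the Javadoc if it is intended. The Javadoc on `finishedOn` is missing a space in `completed.A point`. The class itself has no Javadoc unlike BuildDefinition and Builder; `/** Metadata about a particular execution of the build (SLSA v1 BuildMetadata). */` would match them.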

The id MUST reflect the trust base that consumers care about. How detailed to be is a
+ * judgement call. For example, GitHub Actions supports both GitHub-hosted runners and self-hosted
+ * runners. The GitHub-hosted runner might be a single identity because it’s all GitHub from the
+ * consumer’s perspective. Meanwhile, each self-hosted runner might have its own identity because
+ * not all runners are trusted by all consumers.
+ *
+ *

Consumers MUST accept only specific signer-builder pairs. For example, “GitHub” can sign
+ * provenance for the “GitHub Actions” builder, and “Google” can sign provenance for the “Google
+ * Cloud Build” builder, but “GitHub” cannot sign for the “Google Cloud Build” builder.
+ *
+ *

Design rationale: The builder is distinct from the signer in order to support the case where
+ * one signer generates attestations for more than one builder, as in the GitHub Actions example
+ * above. The field is REQUIRED, even if it is implicit from the signer, to aid readability and
+ * debugging. It is an object to allow additional fields in the future, in case one URI is not
+ * sufficient.
+ */
+public class Builder {
+
+ /**
+ * URI indicating the builder’s identity. (TypeURI)
+ */
+ @NotBlank(message = "builder Id must not be empty or blank")
+ private String id;
+
+ /**
+ * Dependencies used by the orchestrator that are not run within the workload and that do not
+ * affect the build, but might affect the provenance generation or security guarantees.
+ */
+ private List builderDependencies;
+
+ /**
+ * Map of names of components of the build platform to their version.
+ */
+ private Map version;
+
+ public String getId() {
+ return id;
+ }
+
+ public void setId(String id) {
+ this.id = id;
+ }
+
+ public List getBuilderDependencies() {
+ return builderDependencies;
+ }
+
+ public void setBuilderDependencies(
+ List builderDependencies) {
+ this.builderDependencies = builderDependencies;
+ }
+
+ public Map getVersion() {
+ return version;
+ }
+
+ public void setVersion(Map version) {
+ this.version = version;
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass()) {
+ return false;
+ }
+ io.github.intoto.slsa.models.v1.Builder builder = (io.github.intoto.slsa.models.v1.Builder) o;
+ return id.equals(builder.id) && Objects.equals(builderDependencies, builder.builderDependencies)
+ && Objects.equals(version, builder.version);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(id, version);
+ }
+}
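Review bot: `hashCode` hashes only `id` and `version` while `equals` also compares `builderDependencies`; that does not violate the equals/hashCode contract, but it looks like an omission next to the other models in this commit, which hash every field they compare, and it makes two builders that differ only in their dependencies collide. Change it to `return Objects.hash(id, builderDependencies, version);`. As in BuildDefinition, the cast uses the fully qualified `io.github.intoto.slsa.models.v1.Builder` inside its own package where `Builder builder = (Builder) o;` would do.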
diff --git a/src/main/java/io/github/intoto/slsa/models/v1/Provenance.java b/src/main/java/io/github/intoto/slsa/models/v1/Provenance.java
new file mode 100644
index 0000000..fc9f3cc
--- /dev/null
+++ b/src/main/java/io/github/intoto/slsa/models/v1/Provenance.java
@@ -0,0 +1,60 @@
+package io.github.intoto.slsa.models.v1;
+
+import io.github.intoto.models.Predicate;
+import jakarta.validation.constraints.NotNull;
+import java.util.Objects;
+
+public class Provenance extends Predicate {
+
+ /**
+ * The input to the build. The accuracy and completeness are implied by runDetails.builder.id.
+ */
+ @NotNull(message = "buildDefinition must not be null")
+ private BuildDefinition buildDefinition;
+
+ /**
+ * Details specific to this particular execution of the build.
+ */
+ @NotNull(message = "runDetails must not be null")
+ private RunDetails runDetails;
+
+ public BuildDefinition getBuildDefinition() {
+ return buildDefinition;
+ }
+
+ public void setBuildDefinition(BuildDefinition buildDefinition) {
+ this.buildDefinition = buildDefinition;
+ }
+
+ public RunDetails getRunDetails() {
+ return runDetails;
+ }
+
+ public void setRunDetails(RunDetails runDetails) {
+ this.runDetails = runDetails;
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass()) {
+ return false;
+ }
+ Provenance provenance = (Provenance) o;
+ return Objects.equals(buildDefinition, provenance.buildDefinition)
+ && Objects.equals(runDetails, provenance.runDetails);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(
+ buildDefinition, runDetails);
+ }
+
+ @Override
+ public String getPredicateType() {
+ return "https://slsa.dev/provenance/v1";
+ }
+}
diff --git a/src/main/java/io/github/intoto/slsa/models/v1/ResourceDescriptor.java b/src/main/java/io/github/intoto/slsa/models/v1/ResourceDescriptor.java
new file mode 100644
index 0000000..2906d3a
--- /dev/null
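Review bot: `buildDefinition` and `runDetails` carry `@NotNull` but not `@Valid`, so a Bean Validation pass over a Provenance only checks that the two objects are present; the `@NotBlank`/`@NotEmpty` constraints declared inside BuildDefinition, RunDetails and Builder are not cascaded into, and a provenance with a blank `buildType` or builder `id` would be reported as valid. Annotate both fields `@Valid @NotNull(...)` (`jakarta.validation.Valid`), and do the same for `builder` in RunDetails; if the constraints on ResourceDescriptor are meant to apply, the `resolvedDependencies` and `byproducts` lists need `@Valid` on the element as well. Whether the library's validator is invoked with cascading elsewhere is not visible here, so this is worth confirming against the helper that validates statements. The class also lacks the Javadoc its v0.2 counterpart has; `/** Implementation of the https://slsa.dev/provenance/v1 predicate. */` would match.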
+++ b/src/main/java/io/github/intoto/slsa/models/v1/ResourceDescriptor.java
@@ -0,0 +1,59 @@
+package io.github.intoto.slsa.models.v1;
+
+import java.util.Map;
+import java.util.Objects;
+import org.hibernate.validator.constraints.URL;
+
+public class ResourceDescriptor {
+
+ private String name;
+
+ @URL(message = "Not a valid URI")
+ private String uri;
+
+ private Map digest;
+
+ public String getName() {
+ return name;
+ }
+
+ public void setName(String name) {
+ this.name = name;
+ }
+
+ public String getUri() {
+ return uri;
+ }
+
+ public void setUri(String uri) {
+ this.uri = uri;
+ }
+
+ public Map getDigest() {
+ return digest;
+ }
+
+ public void setDigest(Map digest) {
+ this.digest = digest;
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass()) {
+ return false;
+ }
+ ResourceDescriptor resourceDescriptor = (ResourceDescriptor) o;
+ return Objects.equals(name, resourceDescriptor.name)
+ && Objects.equals(uri, resourceDescriptor.uri)
+ && Objects.equals(digest, resourceDescriptor.digest);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(
+ name, uri, digest);
+ }
+}
diff --git a/src/main/java/io/github/intoto/slsa/models/v1/RunDetails.java b/src/main/java/io/github/intoto/slsa/models/v1/RunDetails.java
new file mode 100644
index 0000000..fb3d666
--- /dev/null
+++ b/src/main/java/io/github/intoto/slsa/models/v1/RunDetails.java
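Review bot: `@URL` on `uri` is probably stricter than the field's contract: Hibernate's `@URL` validates by constructing a `java.net.URL` unless a regexp is configured, and that constructor only accepts registered protocols, so resource URIs of the `git+https://…` or `pkg:…` form that provenance producers commonly put in dependency descriptors would be rejected with "Not a valid URI" even though they are exactly what this field is for. If only syntactic sanity is wanted, a check based on `java.net.URI` (a small custom constraint, or `URI.create(uri)` in the setter) fits better; otherwise document which schemes are accepted. The three fields have no Javadoc unlike the other models in this commit; at minimum `digest` deserves a comment that it maps an algorithm name to the hex digest verifiers match on, and `name` that it is an opaque label rather than a trusted identifier.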
@@ -0,0 +1,79 @@
+package io.github.intoto.slsa.models.v1;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonInclude.Include;
+import jakarta.validation.constraints.NotNull;
+import java.util.List;
+import java.util.Objects;
+
+public class RunDetails {
+
+ /**
+ * Identifies the build platform that executed the invocation, which is trusted to have correctly
+ * performed the operation and populated this provenance.
+ */
+ @NotNull(message = "builder must not be null")
+ private Builder builder;
+
+ /**
+ * Metadata about this particular execution of the build.
+ */
+ private BuildMetadata metadata;
+
+ /**
+ * Additional artifacts generated during the build that are not considered the “output” of the
+ * build but that might be needed during debugging or incident response. For example, this might
+ * reference logs generated during the build and/or a digest of the fully evaluated build
+ * configuration.
+ *
+ *

In most cases, this SHOULD NOT contain all intermediate files generated during the build.
+ * Instead, this SHOULD only contain files that are likely to be useful later and that cannot be
+ * easily reproduced.
+ */
+ @JsonInclude(Include.NON_EMPTY)
+ private List byproducts;
+
+ public Builder getBuilder() {
+ return builder;
+ }
+
+ public void setBuilder(Builder builder) {
+ this.builder = builder;
+ }
+
+ public BuildMetadata getMetadata() {
+ return metadata;
+ }
+
+ public void setMetadata(BuildMetadata metadata) {
+ this.metadata = metadata;
+ }
+
+ public List getByproducts() {
+ return byproducts;
+ }
+
+ public void setByproducts(List byproducts) {
+ this.byproducts = byproducts;
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass()) {
+ return false;
+ }
+ RunDetails runDetails = (RunDetails) o;
+ return Objects.equals(builder, runDetails.builder)
+ && Objects.equals(metadata, runDetails.metadata)
+ && Objects.equals(byproducts, runDetails.byproducts);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(
+ builder, metadata, byproducts);
+ }
+}
diff --git a/src/test/java/io/github/intoto/helpers/provenance02/IntotoHelperTest.java b/src/test/java/io/github/intoto/helpers/provenance02/IntotoHelperTest.java
index 6cec1bb..4ac7b6c 100644
--- a/src/test/java/io/github/intoto/helpers/provenance02/IntotoHelperTest.java
+++ b/src/test/java/io/github/intoto/helpers/provenance02/IntotoHelperTest.java
@@ -91,7 +91,7 @@ public class IntotoHelperTest { + " \"sha256\" : \"d4d5899a3868fbb6ae1856c3e55a32ce35913de3956d1973caccd37bd0174fa2\"\n" + " }\n" + " } ],\n" - + " \"predicateType\" : \"https://slsa.dev/provenance/v0.1\",\n" + + " \"predicateType\" : \"https://slsa.dev/provenance/v0.2\",\n" + " \"predicate\" : {\n" + " \"builder\" : {\n" + " \"id\" : \"mailto:person@example.com\"\n"
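Review bot: RunDetails has no class-level Javadoc, unlike BuildDefinition and Builder in the same commit, so a reader has to infer from the three fields what the object represents. A summary such as `/** Details specific to one execution of the build: the trusted builder, its metadata and any byproducts (SLSA v1 RunDetails). */` would match the siblings. The `builder` Javadoc could also say that its id is the value consumers match against their accepted signer-builder pairs, as the Builder class Javadoc describes, since that is what makes the rest of this object's contents trustworthy.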
@@ -163,7 +163,7 @@ public void validateAndTransformToJson_shouldTransformStatementToJsonString_With + " \"sha256\" : \"d4d5899a3868fbb6ae1856c3e55a32ce35913de3956d1973caccd37bd0174fa2\"\n" + " }\n" + " } ],\n" - + " \"predicateType\" : \"https://slsa.dev/provenance/v0.1\",\n" + + " \"predicateType\" : \"https://slsa.dev/provenance/v0.2\",\n" + " \"predicate\" : {\n" + " \"builder\" : {\n" + " \"id\" : \"mailto:person@example.com\"\n" @@ -618,9 +618,9 @@ public void createPreAuthenticationEncoding_shouldCorrectlyEncode_withUtfCharact final String EXPECTED_JSON_ENVELOPE = "{\n" + " \"payloadType\" : \"application/vnd.in-toto+json\",\n" - + " \"payload\" : \"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\",\n" + + " \"payload\" : \"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\",\n" + " \"signatures\" : [ {\n" - + " \"sig\" : \"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\",\n" + + " \"sig\" : \"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\",\n" + " \"keyid\" : \"Fake-Signer-Key-ID\"\n" + " } ]\n" + "}"; 
@@ -674,7 +674,7 @@ public void createPreAuthenticationEncoding_shouldCorrectlyEncode_withUtfCharact assertNotNull(intotoEnvelope); final String EXPECTED_DSSE_PAYLOAD = - "DSSEv1 28 application/vnd.in-toto+json 562 {\"_type\":\"https://in-toto.io/Statement/v0.1\",\"subject\":[{\"name\":\"curl-7.72.0.tar.bz2\",\"digest\":{\"sha256\":\"d4d5899a3868fbb6ae1856c3e55a32ce35913de3956d1973caccd37bd0174fa2\"}}],\"predicateType\":\"https://slsa.dev/provenance/v0.1\",\"predicate\":{\"builder\":{\"id\":\"mailto:person@example.com\"},\"buildType\":\"https://example.com/Makefile\",\"invocation\":{\"configSource\":{\"uri\":\"https://example.com/example-1.2.3.tar.gz\",\"digest\":{\"sha256\":\"323d323edvgd\"},\"entryPoint\":\"src:foo\"}},\"materials\":[{\"uri\":\"https://example.com/example-1.2.3.tar.gz\",\"digest\":{\"sha256\":\"1234...\"}}]}}"; + "DSSEv1 28 application/vnd.in-toto+json 562 {\"_type\":\"https://in-toto.io/Statement/v0.1\",\"subject\":[{\"name\":\"curl-7.72.0.tar.bz2\",\"digest\":{\"sha256\":\"d4d5899a3868fbb6ae1856c3e55a32ce35913de3956d1973caccd37bd0174fa2\"}}],\"predicateType\":\"https://slsa.dev/provenance/v0.2\",\"predicate\":{\"builder\":{\"id\":\"mailto:person@example.com\"},\"buildType\":\"https://example.com/Makefile\",\"invocation\":{\"configSource\":{\"uri\":\"https://example.com/example-1.2.3.tar.gz\",\"digest\":{\"sha256\":\"323d323edvgd\"},\"entryPoint\":\"src:foo\"}},\"materials\":[{\"uri\":\"https://example.com/example-1.2.3.tar.gz\",\"digest\":{\"sha256\":\"1234...\"}}]}}"; SimpleECDSAVerifier verifier = new SimpleECDSAVerifier();