diff --git a/content/en/about/bundle.md b/content/en/about/bundle.md new file mode 100644 index 00000000..108fb431 --- /dev/null +++ b/content/en/about/bundle.md @@ -0,0 +1,298 @@ +# Sigstore Bundle + +October 31, 2024 + +Version 0.3.2 + +This document describes the data structure for storing Sigstore signatures generated by tooling +working in the context of the Sigstore Public Instance. It includes `json` examples of +serialized bundles of the current bundle format version. It may exclude descriptions of parameters +that continue to exist for compatibility reasons or for private use cases. For a full description of +the format, the formal schema and information about language library support see +[sigstore/protobuf-specs](https://github.com/sigstore/protobuf-specs). + +## Bundle + +A Sigstore bundle is everything required to verify a signature on an artifact. This +is satisfied by the **Verification Material** and signature **Content**. + +### Verification Material + +This is key materical used to verify signatures along with supporting metadata like transparency log entries and timestamps. Bundles must include at least one transpareny log's signed entry timestamp or an rfc3161 timestamp to provide proof of signing time. + +#### Key Material + +A single X.509 leaf certificate conveying the signing key and containing [extensions](https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md) +for identities consumed at verification time. This is the recommended `"verificationMaterial"` type +for use with the public Sigstore infrastructure. + +```json +"verificationMaterial": { + "certificate": { + "rawBytes": "" + } +} +``` + +#### Transparency Log Entries + +One or more transparency logs entries to provide proof of inclusion in a public log and optionally a timestamp to +validate signing occurred at a valid point in time. + +```json +"verificationMaterial": { + "tlogEntries": [ + { + "logIndex": "", + "logId": { + "keyId": "", + }, + "kindVersion": { + "kind": "(hashrekord | dsse)", + "version": "" + }, + "integratedTime": "", + "inclusionPromise": { + "signedEntryTimestamp": "" + }, + "inclusionProof": { + "logIndex": "", + "rootHash": "", + "treeSize": "", + "hashes": [ + "", + "", + "" + ], + "checkpoint": { + "envelope": "" + } + }, + "canonicalizedBody": "" + }, + ] +} +``` + +#### Timestamp + +Zero or more [RFC3161](https://www.ietf.org/rfc/rfc3161.txt) timestamps to validate signing occurred at a valid point in time + +```json +"verificationMaterial": { + "timestampVerificationData": { + "rfc3161Timestamps": [ + { + "signedTimestamp": "Base64(RFC3161 TIMESTAMP)" + }, + ] + } +} +``` + + +### Content + +This is the signature data for which the Verification Material is defined over. It must be one of +**Message Signature** over an artifact hash or a **DSSE** envelope for for attestations. + +#### Message Signature + +This is a computed signature over a message (typically an arifact hash). It may contain a +`message_digest` for informational purposes, but it must be provided or computed from a provided +artifact at verification time. + +```json +"messageSignature": { + "messageDigest": { + "algorithm": "", + "digest": "" + }, + "signature": "" +} +``` + +#### DSSE + +A DSSE envelope can contain arbitrary payloads. Currently clients only process the +payload type `"application/vnd.in-toto+json"`. Verifiers must verify that the payload type is a +supported and expected type. DSSE envelopes contained in a Sigstore Bundle must only contain a +single signature (the DSSE spec allows multiple). + +```json +"dsseEnvelope": { + { + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [{ + "keyid": "", + "sig": "" + }] + } +} +``` + +## Examples + +Here are some example bundles from the Sigstore public infrastructure. + +#### Message Signature Bundle + +Bundle with Message Signature over an artifact ([sigstore-java-1.0.0.jar](https://repo1.maven.org/maven2/dev/sigstore/sigstore-java/1.0.0/sigstore-java-1.0.0.jar.sigstore.json)). +This example includes a single transparency log entry with a signed entry timestamp for +signing time verification. + +```json +{ + "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", + "verificationMaterial": { + "tlogEntries": [{ + "logIndex": "125680200", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "hashedrekord", + "version": "0.0.1" + }, + "integratedTime": "1724870676", + "inclusionPromise": { + "signedEntryTimestamp": "MEYCIQCAKWrmj0LZ77rfiMXEat9gCCJxX4pgQfZqNc+tvF7gaAIhAJFtyypsWCbLDJ+NAMzPoY1AkQ1inhhQ3pZC5PaBCI8C" + }, + "inclusionProof": { + "logIndex": "3775938", + "rootHash": "nEpjeg/gaT1EOcKQAr3q/XGdnuKzLsf4UhgZrwtTU+8=", + "treeSize": "3775939", + "hashes": ["vNwG4wbIsTeCSn9JageqhtCb6VvgYEKSw3Xro8zMF3s=", "3Cue+tnRytahmzjIHIig4/fKMN9WAQmi/8g4Fdk6+8k=", "2EvX4swCFD/LILwJKa300/8gGp/NrdPRJmS5xD5vTKE=", "7hEYrEVIERVjsDqdu600HLZ8gNcv7a45T2PI6RSmuzQ=", "Uh7WsOJYvurV8PIbjfhlLyW+CP+/HENUKB4tooMfNZo=", "Qs+LtoqLx2sFhSJUuUlbJs13xTJzH7lVPpEKpXBZyvI=", "kM4w7ZLh5iktz4xR9ECXn9elEJIaqockScafEFL7ieY=", "LomN2mlfw+qbbFGvCNfr3vCBrZ4EU/lqnL4TO0yc9Zw=", "22569ZiSqZcajfTf9Ct4LFEWDtLlHeaTpoPCFqeZtWQ=", "QxmVWsbTp4cClxuAkuT51UH2EY7peHMVGKq7+b+cGwQ=", "Q2LAtNzOUh+3PfwfMyNxYb06fTQmF3VeTT6Fr6Upvfc=", "ftwAu6v62WFDoDmcZ1JKfrRPrvuiIw5v3BvRsgQj7N8="], + "checkpoint": { + "envelope": "rekor.sigstore.dev - 1193050959916656506\n3775939\nnEpjeg/gaT1EOcKQAr3q/XGdnuKzLsf4UhgZrwtTU+8\u003d\n\n— rekor.sigstore.dev wNI9ajBEAiA/TrOctVDd1vjn/IrzCU8Fm7mhUlJ2FN739iGpqMomHgIgRwwqXaijp0RRTgyRxYUsCZ6LFvewTTEyaPmO4vHKqgk\u003d\n" + } + }, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1YmUyNmYxNzc3YTM1MWEyZjc3MGU5MWRiY2VhZTBhYWEzZjZlMjZlOGFkMjE4YzZhYzE2Y2FhNzgzYTVhYTBkIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJQWxWTTlHR0VGV2dXYjJzdCtHRVlVVUphTXhGZXYxYlc2TVRzV2RnYks1YkFpRUFvWFhKTlFBQ1JGNG82OEx0V0dvVFdKZWVzekRrRXZlUWthOFQ2KzhYeTRBPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVaGFSRU5EUW5WeFowRjNTVUpCWjBsVlFVOTVWMWswTUdOdVJXbHNWMnhPYm1GVlJtaEdZMmR0YURoemQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFJkMDlFU1RSTlZHY3dUa1JOTUZkb1kwNU5hbEYzVDBSSk5FMVVaekZPUkUwd1YycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZRYkdwbFpuWmpibXd4YVhaQmF6RlJRalZFZG5Nd1VYVm1iRWRxUmxObFYxUlFMMDhLZEcxaE4yNXlRMVJZUjFGMFVXZEVTVzVLVTFKeFRWTTNWRE4yWjJ0MlpYTXlVMUUyWkVGR2JXeDBURWxYWjBsS2R6WlBRMEpuYTNkbloxbEdUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZRZDNGa0NtTlhaMjlHYjJadWJsTmtWekJ3U0hkclJtaHZhMUJOZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDJabldVUldVakJTUVZGSUwwSklVWGRqYjFwM1lVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVEROT2NGb3pUakJpTTBwc1RETk9jQXBhTTA0d1lqTktiRXhYY0doa2JVVjJURzFrY0dSSGFERlphVGt6WWpOS2NscHRlSFprTTAxMlkyMVdjMXBYUm5wYVV6RjZZVmRrZW1SSE9YbGFVekZ4Q2xsWVdtaE1WMXA1WWpJd2RHUkhSbTVNYm14b1lsZDRRV050Vm0xamVUa3dXVmRrZWt3eldYaE1ha0YxVFVSQk5VSm5iM0pDWjBWRlFWbFBMMDFCUlVJS1FrTjBiMlJJVW5kamVtOTJURE5TZG1FeVZuVk1iVVpxWkVkc2RtSnVUWFZhTW13d1lVaFdhV1JZVG14amJVNTJZbTVTYkdKdVVYVlpNamwwVFVJNFJ3cERhWE5IUVZGUlFtYzNPSGRCVVVsRlJWaGtkbU50ZEcxaVJ6a3pXREpTY0dNelFtaGtSMDV2VFVSWlIwTnBjMGRCVVZGQ1p6YzRkMEZSVFVWTFIxRjVDazVxUVhwTmVsRXdXVlJyZWs1VVpHcFphbU42VFZSUmVWa3lTVEpPVjA1b1dtcFdiVTE2Ykd0YVIwa3dUV3BuZWs5VVZYZFVaMWxMUzNkWlFrSkJSMFFLZG5wQlFrSkJVa0ZWYlZaeldsZEdlbHBUUW5waFYyUjZaRWM1ZVZwVE1YRlpXRnBvU1VkR2RWcERRbnBoVjJSNlpFYzVlVnBUTVhSWldGcHNZbWt4ZHdwaVNGWnVZVmMwWjJSSE9HZFVWMFl5V2xjMFoxRXlWblZrU0Vwb1lrUkJhMEpuYjNKQ1owVkZRVmxQTDAxQlJVWkNRbHA2WVZka2VtUkhPWGxhVXpsNkNtRlhaSHBrUnpsNVdsTXhjVmxZV21oTlFqUkhRMmx6UjBGUlVVSm5OemgzUVZGWlJVVklTbXhhYmsxMlpFZEdibU41T1RKTlV6UjNUR3BCZDA5M1dVc0tTM2RaUWtKQlIwUjJla0ZDUTBGUmRFUkRkRzlrU0ZKM1kzcHZka3d6VW5aaE1sWjFURzFHYW1SSGJIWmliazExV2pKc01HRklWbWxrV0U1c1kyMU9kZ3BpYmxKc1ltNVJkVmt5T1hSTlNVZEJRbWR2Y2tKblJVVkJXVTh2VFVGRlNrSklTVTFqUjJnd1pFaENlazlwT0haYU1td3dZVWhXYVV4dFRuWmlVemw2Q21GWFpIcGtSemw1V2xNNWVtRlhaSHBrUnpsNVdsTXhjVmxZV21oTWVUVnVZVmhTYjJSWFNYWmtNamw1WVRKYWMySXpaSHBNTTBwc1lrZFdhR015VlhRS1l6SnNibU16VW5aamJWVjBZVzFHTWxsVE1XMWpiVGwwVEZoU2FGcDVOVFZaVnpGelVVaEtiRnB1VFhaa1IwWnVZM2s1TWsxVE5IZE1ha0YzVDBGWlN3cExkMWxDUWtGSFJIWjZRVUpEWjFGeFJFTm9hMDFxV1hkTmVrMHdUa2RGTlUxNlZUTlpNa2t6VFhwRk1FMXRUbWxPYWxacVdWZFpNVnBxVFRWYVIxSnBDazVFU1RSTmVtc3hUVUl3UjBOcGMwZEJVVkZDWnpjNGQwRlJjMFZFZDNkT1dqSnNNR0ZJVm1sTVYyaDJZek5TYkZwRVFUVkNaMjl5UW1kRlJVRlpUeThLVFVGRlRVSkRjMDFMVjJnd1pFaENlazlwT0haYU1td3dZVWhXYVV4dFRuWmlVemw2WVZka2VtUkhPWGxhVXpsNllWZGtlbVJIT1hsYVV6RnhXVmhhYUFwTlJHZEhRMmx6UjBGUlVVSm5OemgzUVZFd1JVdG5kMjlhUkVreVRVUk5lazVFVW1oUFZFMHhUakpPYVU1NlRYaE9SRXBxV1dwWk1Wa3lSbTFPVjFsNkNrOVhVbXRaYWxGNVQwUk5OVTVVUVdkQ1oyOXlRbWRGUlVGWlR5OU5RVVZQUWtKSlRVVklTbXhhYmsxMlpFZEdibU41T1RKTlV6UjNUR3BCZDBkUldVc0tTM2RaUWtKQlIwUjJla0ZDUkhkUlRFUkJhekJPYWtGNFQwUlJNMDFFWjNkTGQxbExTM2RaUWtKQlIwUjJla0ZDUlVGUlpFUkNkRzlrU0ZKM1kzcHZkZ3BNTW1Sd1pFZG9NVmxwTldwaU1qQjJZekpzYm1NelVuWmpiVlYzUjBGWlMwdDNXVUpDUVVkRWRucEJRa1ZSVVV0RVFXY3pUVlJCTlU1cVRURk5la05DQ21kQldVdExkMWxDUWtGSFJIWjZRVUpGWjFKNVJFaENiMlJJVW5kamVtOTJUREprY0dSSGFERlphVFZxWWpJd2RtTXliRzVqTTFKMlkyMVZkbU15Ykc0S1l6TlNkbU50VlhSaGJVWXlXVk00ZFZveWJEQmhTRlpwVEROa2RtTnRkRzFpUnprelkzazVlVnBYZUd4WldFNXNURmhPY0ZvelRqQmlNMHBzVEZkd2FBcGtiVVYwV201S2RtSlRNVEJaVjJOMVpWZEdkR0pGUW5sYVYxcDZURE5TYUZvelRYWmtha1YxVFVNMGQwMUVaMGREYVhOSFFWRlJRbWMzT0hkQlVrMUZDa3RuZDI5YVJFa3lUVVJOZWs1RVVtaFBWRTB4VGpKT2FVNTZUWGhPUkVwcVdXcFpNVmt5Um0xT1YxbDZUMWRTYTFscVVYbFBSRTAxVGxSQmFFSm5iM0lLUW1kRlJVRlpUeTlOUVVWVlFrSk5UVVZZWkhaamJYUnRZa2M1TTFneVVuQmpNMEpvWkVkT2IwMUdNRWREYVhOSFFWRlJRbWMzT0hkQlVsVkZWSGQ0VGdwaFNGSXdZMGhOTmt4NU9XNWhXRkp2WkZkSmRWa3lPWFJNTTA1d1dqTk9NR0l6U214TU0wNXdXak5PTUdJelNteE1WM0JvWkcxRmRsbFhUakJoVnpsMUNtTjVPWGxrVnpWNlRIcEZkMDVxUVhsT1JGRXlUMVJGTUV3eVJqQmtSMVowWTBoU2VreDZSWGRHWjFsTFMzZFpRa0pCUjBSMmVrRkNSbWRSU1VSQlduY0taRmRLYzJGWFRYZG5XVzlIUTJselIwRlJVVUl4Ym10RFFrRkpSV1pCVWpaQlNHZEJaR2RFWkZCVVFuRjRjMk5TVFcxTldraG9lVnBhZW1ORGIydHdaUXAxVGpRNGNtWXJTR2x1UzBGTWVXNTFhbWRCUVVGYVIyRlVZMjA0UVVGQlJVRjNRa2hOUlZWRFNVaFhiVkpGYVhZNVRrbHlUbnBDTkhoMFVVSkRaa1pUQ25waVNUY3paREV4VlVvMVVUQnRORlJHVlZvMFFXbEZRVGMwTW1WQ2RsaG1hVXhrVFN0dksyOUlZbVJ6UjJsTEwzcHBjMXAyZUV4c2IzQmhTRXQ1U0NzS1ZrRlpkME5uV1VsTGIxcEplbW93UlVGM1RVUmhRVUYzV2xGSmVFRkxjRzVXYUc5dFluUmlSV1YyVFVsU1MyVmlXWEphVm1NMFlsUmlZVmxyYUVOMVNBcDVMMmRVWW00cmFXeHVSWEphY1hsNlVGQkNkWEYzZEc1c1NHZDBiMUZKZDBVMmJGTnBSbE52VmtsblIwNWpXVVIxUWxWRmNIbFZhR2xGV0VodE5UVkhDbEp2YnpneVRYSmpNMlIzV0dkR1FqRk1LM1l2Y1ZwSFpFOWtVazFtY2k5aENpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyJ9fX19" + }], + "certificate": { + "rawBytes": "MIIHZDCCBuqgAwIBAgIUAOyWY40cnEilWlNnaUFhFcgmh8swCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjQwODI4MTg0NDM0WhcNMjQwODI4MTg1NDM0WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPljefvcnl1ivAk1QB5Dvs0QuflGjFSeWTP/Otma7nrCTXGQtQgDInJSRqMS7T3vgkves2SQ6dAFmltLIWgIJw6OCBgkwggYFMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUPwqdcWgoFofnnSdW0pHwkFhokPMwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wfgYDVR0RAQH/BHQwcoZwaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWphdmEvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS1zaWdzdG9yZS1qYXZhLWZyb20tdGFnLnlhbWxAcmVmcy90YWdzL3YxLjAuMDA5BgorBgEEAYO/MAEBBCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMB8GCisGAQQBg78wAQIEEXdvcmtmbG93X2Rpc3BhdGNoMDYGCisGAQQBg78wAQMEKGQyNjAzMzQ0YTkzNTdjYjczMTQyY2I2NWNhZjVmMzlkZGI0MjgzOTUwTgYKKwYBBAGDvzABBARAUmVsZWFzZSBzaWdzdG9yZS1qYXZhIGFuZCBzaWdzdG9yZS1tYXZlbi1wbHVnaW4gdG8gTWF2ZW4gQ2VudHJhbDAkBgorBgEEAYO/MAEFBBZzaWdzdG9yZS9zaWdzdG9yZS1qYXZhMB4GCisGAQQBg78wAQYEEHJlZnMvdGFncy92MS4wLjAwOwYKKwYBBAGDvzABCAQtDCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMIGABgorBgEEAYO/MAEJBHIMcGh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qYXZhLy5naXRodWIvd29ya2Zsb3dzL3JlbGVhc2Utc2lnc3RvcmUtamF2YS1mcm9tLXRhZy55YW1sQHJlZnMvdGFncy92MS4wLjAwOAYKKwYBBAGDvzABCgQqDChkMjYwMzM0NGE5MzU3Y2I3MzE0MmNiNjVjYWY1ZjM5ZGRiNDI4Mzk1MB0GCisGAQQBg78wAQsEDwwNZ2l0aHViLWhvc3RlZDA5BgorBgEEAYO/MAEMBCsMKWh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qYXZhMDgGCisGAQQBg78wAQ0EKgwoZDI2MDMzNDRhOTM1N2NiNzMxNDJjYjY1Y2FmNWYzOWRkYjQyODM5NTAgBgorBgEEAYO/MAEOBBIMEHJlZnMvdGFncy92MS4wLjAwGQYKKwYBBAGDvzABDwQLDAk0NjAxODQ3MDgwKwYKKwYBBAGDvzABEAQdDBtodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUwGAYKKwYBBAGDvzABEQQKDAg3MTA5NjM1MzCBgAYKKwYBBAGDvzABEgRyDHBodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtamF2YS8uZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLXNpZ3N0b3JlLWphdmEtZnJvbS10YWcueWFtbEByZWZzL3RhZ3MvdjEuMC4wMDgGCisGAQQBg78wARMEKgwoZDI2MDMzNDRhOTM1N2NiNzMxNDJjYjY1Y2FmNWYzOWRkYjQyODM5NTAhBgorBgEEAYO/MAEUBBMMEXdvcmtmbG93X2Rpc3BhdGNoMF0GCisGAQQBg78wARUETwxNaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWphdmEvYWN0aW9ucy9ydW5zLzEwNjAyNDQ2OTE0L2F0dGVtcHRzLzEwFgYKKwYBBAGDvzABFgQIDAZwdWJsaWMwgYoGCisGAQQB1nkCBAIEfAR6AHgAdgDdPTBqxscRMmMZHhyZZzcCokpeuN48rf+HinKALynujgAAAZGaTcm8AAAEAwBHMEUCIHWmREiv9NIrNzB4xtQBCfFSzbI73d11UJ5Q0m4TFUZ4AiEA742eBvXfiLdM+o+oHbdsGiK/zisZvxLlopaHKyH+VAYwCgYIKoZIzj0EAwMDaAAwZQIxAKpnVhombtbEevMIRKebYrZVc4bTbaYkhCuHy/gTbn+ilnErZqyzPPBuqwtnlHgtoQIwE6lSiFSoVIgGNcYDuBUEpyUhiEXHm55GRoo82Mrc3dwXgFB1L+v/qZGdOdRMfr/a" + } + }, + "messageSignature": { + "messageDigest": { + "algorithm": "SHA2_256", + "digest": "W+JvF3ejUaL3cOkdvOrgqqP24m6K0hjGrBbKp4Olqg0=" + }, + "signature": "MEUCIAlVM9GGEFWgWb2st+GEYUUJaMxFev1bW6MTsWdgbK5bAiEAoXXJNQACRF4o68LtWGoTWJeeszDkEveQka8T6+8Xy4A=" + } +} +``` + + +#### DSSE Bundle +Bundle with DSSE Envelope over a provenance attestation. This example includes a transparency log entry and an rfc3161 timestamp. + +```json +{ + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.2", + "verificationMaterial": { + "x509CertificateChain": { + "certificates": [ + { + "rawBytes": "MIIDNDCCAtqgAwIBAgIEERggBDAKBggqhkjOPQQDAzArMREwDwYDVQQDEwhzaWdzdG9yZTEWMBQGA1UEChMNc2lnc3RvcmUubW9jazAeFw0yMzAyMDEwMDAwMDBaFw0yMzAyMDEwMDEwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR3rsXlKKGObv+Z08sAjs0tyxlzSTKkaFRiy7vjZaFMRQOZ76QKwGFefLkeGwuafSKyLbzhjIghOrUzjS+WFAMHo4ICFTCCAhEwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMIGlBgNVHREBAf8EgZowgZeGgZRodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUtY29uZm9ybWFuY2UvZXh0cmVtZWx5LWRhbmdlcm91cy1wdWJsaWMtb2lkYy1iZWFjb24vLmdpdGh1Yi93b3JrZmxvd3MvZXh0cmVtZWx5LWRhbmdlcm91cy1vaWRjLWJlYWNvbi55bWxAcmVmcy9oZWFkcy9tYWluMB0GA1UdDgQWBBTnwHeBmPc9IrZmBemOaHy4lwv7KDAfBgNVHSMEGDAWgBQ/FFxk7FUxt/oE8lDZEF0s7kasuDA7BgorBgEEAYO/MAEIBC0MK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTCBiQYKKwYBBAHWeQIEAgR7BHkAdwB1APcmyqNBF7qRZUSvNzTpIM1MSS73XOYij9wE7v8vPyfdAAABhgpF7AAAAAQDAEYwRAIgORF50hYRIFl2Hgc0vOJfpMjU8gY7BtGfz0oZePlxG4gCIDl6SXQe1+96ENWqM6+5wxbIUgHL8T3+no43cyuEAe+NMAoGCCqGSM49BAMDA0gAMEUCICqL+qLpRbTPXn6Ri/VId0ejKBNE/B1pm91uOye/COmVAiEAnkRk1n/fPy8cGs6+i+q7bMMl+X2Cm51odIrMI9PbjMw=" + } + ] + }, + "tlogEntries": [ + { + "logIndex": "4288993", + "logId": { + "keyId": "9ybKo0EXupFlRK83NOkgzUxJLvdc5iKP3ATu/y8/J90=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1675209600", + "inclusionPromise": { + "signedEntryTimestamp": "MEQCIGkdiEwwfehfHGLM0qerjqUifnolYl8guuPHdBGUl2kSAiBeo/KfkIKVsCXAbn9hnsUhXSewAsAzfDGdIHsuloSpLw==" + }, + "inclusionProof": { + "logIndex": "0", + "rootHash": "pc42iecujVMfPva3JcoWyQU9W6llYb+A2LsgE2O5pg0=", + "treeSize": "1", + "hashes": [], + "checkpoint": { + "envelope": "localhost:8000 - 124190645164477\n1\npc42iecujVMfPva3JcoWyQU9W6llYb+A2LsgE2O5pg0=\nTimestamp: 1675209600000000000\n\n— localhost:8000 9ybKozBGAiEAkhPYcKegqWJbVTaEYJHp0rpn3CZjmyqD2unDIfg5tEQCIQC5VNMY5qTG83VuWL2eEbEWhFF3WNWDuaM3PqbvtUXR4w==\n" + } + }, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWQiOiJaWGR2WjBsRFNtWmtTR3gzV2xOSk5rbERTbTlrU0ZKM1kzcHZka3d5YkhWTVdGSjJaRWM0ZFdGWE9IWlZNMUpvWkVkV2RGcFhOVEJNTTFsNFNXbDNTMGxEUVdsak0xWnBZVzFXYW1SRFNUWkpSbk5MU1VOQlowbEljMHRKUTBGblNVTkJaMGx0TldoaVYxVnBUMmxCYVZwRE5UQmxTRkZwVEVGdlowbERRV2RKUTBGcFdrZHNibHBZVGpCSmFtOW5aWGR2WjBsRFFXZEpRMEZuU1VOS2VtRkhSWGxPVkZscFQybEJhVTE2VFhkWlZFRXdUWHBKZVUxSFdtaE5WRTVzVFVSR2EwNXFhR2hPTWxKcFRYcHNhazlFYkd4TlZFcHBUVWROTUZsNlRtbE9iVVYzVFhwUk1scHRWVEpOYWxKcFRVUnJkMDB5V1hoTmVrRjZXV3BXYVUxcFNVdEpRMEZuU1VOQloyWlJiMmRKUTBGblpsRnZaMGxHTUhORGFVRm5TVzVDZVZwWFVuQlpNa1l3V2xaU05XTkhWV2xQYVVGcFlVaFNNR05JVFRaTWVUbDZZa2hPYUV4dFVteGthVGwzWTIwNU1scFhOV2hpYlU1c1RETlplRWxwZDB0SlEwRnBZMGhLYkZwSGJHcFpXRkpzU1dwdloyVjNiMmRKUTBGblNXMUtNV0ZYZUd0U1IxWnRZVmMxY0dSSGJIWmlhVWsyU1VoelMwbERRV2RKUTBGblNXMUtNV0ZYZUd0V1NHeDNXbE5KTmtsRFNtOWtTRkozWTNwdmRrd3pUbk5qTWtWMFdtNUthR0pYVmpOaU0wcHlURzFrY0dSSGFERlphVFZ3WW5rNWJtRllVbTlrVjBsMFdWZE9NR0ZYT1hWamVURnBaRmRzYzFwSVVqVmpSMVo2VEROa2RtTnRkRzFpUnprelRETlplRWxwZDB0SlEwRm5TVU5CWjBsdFZqUmtSMVo1WW0xR2MxVkhSbmxaVnpGc1pFZFdlV041U1RaSlNITkxTVU5CWjBsRFFXZEpRMEZwWkRJNWVXRXlXbk5pTTJOcFQybENOME5wUVdkSlEwRm5TVU5CWjBsRFFXbGpiVlp0U1dwdlowbHVTbXhhYmsxMllVZFdhRnBJVFhaaVYwWndZbWxKYzBOcFFXZEpRMEZuU1VOQlowbERRV2xqYlZaM1lqTk9jR1JIT1hsbFUwazJTVU5LYjJSSVVuZGplbTkyVERKa2NHUkhhREZaYVRWcVlqSXdkbU15Ykc1ak0xSjJZMjFWZG1NeWJHNWpNMUoyWTIxVmRGa3lPWFZhYlRsNVlsZEdkVmt5VldsTVFXOW5TVU5CWjBsRFFXZEpRMEZuU1c1Q2FHUkhaMmxQYVVGcFRHMWtjR1JIYURGWmFUa3pZak5LY2xwdGVIWmtNMDEyV1RJNWRWcHRPWGxpVjBaMVdUSlZkV1ZYTVhOSloyOW5TVU5CWjBsRFFXZEpTREJMU1VOQlowbERRV2RtVTNkTFNVTkJaMGxEUVdkSmJXeDFaRWRXZVdKdFJuTlZSMFo1V1ZjeGJHUkhWbmxqZVVrMlNVaHpTMGxEUVdkSlEwRm5TVU5CYVZveWJEQmhTRlpwU1dwdloyVjNiMmRKUTBGblNVTkJaMGxEUVdkSmJWWXlXbGMxTUZneU5XaGlWMVZwVDJsQmFXTklWbnBoUTBselEybEJaMGxEUVdkSlEwRm5TVU5CYVdOdFZuZGlNMDV3WkVjNWVXVldPWEJhUTBrMlNVTkpNVTVFUlRSUFZFMTRUMFJaYVV4QmIyZEpRMEZuU1VOQlowbERRV2RKYmtwc1kwYzVlbUZZVW5aamJteG1Zak5rZFZwWVNtWmhWMUZwVDJsQmFVNTZSWGRQVkZsNlRsUk5hVU5wUVdkSlEwRm5TVU5CWjJaUmIyZEpRMEZuU1VOQ09VeEJiMmRKUTBGblNVTkJhV050Vm5waU1uZ3lXbGRTUlZwWVFteGliVkpzWW0xT2NGcFlUV2xQYVVKaVEybEJaMGxEUVdkSlEwRm5aWGR2WjBsRFFXZEpRMEZuU1VOQlowbHVWbmxoVTBrMlNVTktibUZZVVhKaFNGSXdZMGhOTmt4NU9XNWhXRkp2WkZkSmRWa3lPWFJNTTA1d1dqTk9NR0l6U214TU0wNXdXak5PTUdJelNteE1WMDUyWW0xYWRtTnRNV2hpYlU1c1VVaEtiRnB1VFhaaFIxWm9Xa2hOZG1KWFJuQmlhVWx6UTJsQlowbERRV2RKUTBGblNVTkJhVnBIYkc1YVdFNHdTV3B2WjJWM2IyZEpRMEZuU1VOQlowbERRV2RKUTBGcFdqSnNNRkV5T1hSaVYyd3dTV3B2WjBsdFRURmFhbFp0V1dwSk1VNVVSVEpOTWxaclQwUldhMXBIU1hwTmJWRXhUa2RTYWxwSFVUTk5WRUpvV1hwT2JVMUVVVEpOUkUxcFEybEJaMGxEUVdkSlEwRm5TVU5DT1VOcFFXZEpRMEZuU1VOQloyWlJiMmRKUTBGblNVTkNaRU5wUVdkSlEwSTVURUZ2WjBsRFFXZEpia294WW10U2JHUkhSbkJpU0UxcFQybENOME5wUVdkSlEwRm5TVU5LYVdSWGJITmFSMVo1U1dwdloyVjNiMmRKUTBGblNVTkJaMGxEU25CYVEwazJTVU5LYjJSSVVuZGplbTkyVERKa2NHUkhhREZaYVRWcVlqSXdkbGxYVGpCaFZ6bDFZM2s1ZVdSWE5YVmFXRWwyV2pKc01HRklWbWxNVjJoMll6TlNiRnBEU1V0SlEwRm5TVU5CWjJaVGQwdEpRMEZuU1VOQlowbHRNV3hrUjBacldWaFNhRWxxYjJkbGQyOW5TVU5CWjBsRFFXZEpRMHB3WW01YWRsa3lSakJoVnpsMVUxZFJhVTlwUVdsaFNGSXdZMGhOTmt4NU9XNWhXRkp2WkZkSmRWa3lPWFJNTTA1d1dqTk9NR0l6U214TU0wNXdXak5PTUdJelNteE1WMDUyWW0xYWRtTnRNV2hpYlU1c1RESkdhbVJIYkhaaWJrMTJZMjVXZFdONU9ETk5WR042VG1wSmQwOVVSWGRNTWtZd1pFZFdkR05JVW5wTWVrVnBRMmxCWjBsRFFXZEpTREJMU1VOQlowbElNRXRKUTBJNVEyNHdTdz09IiwicGF5bG9hZFR5cGUiOiJhcHBsaWNhdGlvbi92bmQuaW4tdG90bytqc29uIiwic2lnbmF0dXJlcyI6W3sicHVibGljS2V5IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVUk9SRU5EUVhSeFowRjNTVUpCWjBsRlJWSm5aMEpFUVV0Q1oyZHhhR3RxVDFCUlVVUkJla0Z5VFZKRmQwUjNXVVJXVVZGRVJYZG9lbUZYWkhwa1J6bDVXbFJGVjAxQ1VVZEJNVlZGUTJoTlRtTXliRzVqTTFKMlkyMVZkV0pYT1dwaGVrRmxSbmN3ZVUxNlFYbE5SRVYzVFVSQmQwMUVRbUZHZHpCNVRYcEJlVTFFUlhkTlJFVjNUVVJDWVUxQlFYZFhWRUZVUW1kamNXaHJhazlRVVVsQ1FtZG5jV2hyYWs5UVVVMUNRbmRPUTBGQlVqTnljMWhzUzB0SFQySjJLMW93T0hOQmFuTXdkSGw0YkhwVFZFdHJZVVpTYVhrM2RtcGFZVVpOVWxGUFdqYzJVVXQzUjBabFpreHJaVWQzZFdGbVUwdDVUR0o2YUdwSloyaFBjbFY2YWxNclYwWkJUVWh2TkVsRFJsUkRRMEZvUlhkRVoxbEVWbEl3VUVGUlNDOUNRVkZFUVdkbFFVMUNUVWRCTVZWa1NsRlJUVTFCYjBkRFEzTkhRVkZWUmtKM1RVUk5TVWRzUW1kT1ZraFNSVUpCWmpoRloxcHZkMmRhWlVkbldsSnZaRWhTZDJONmIzWk1NbVJ3WkVkb01WbHBOV3BpTWpCMll6SnNibU16VW5aamJWVjBXVEk1ZFZwdE9YbGlWMFoxV1RKVmRscFlhREJqYlZaMFdsZDROVXhYVW1oaWJXUnNZMjA1TVdONU1YZGtWMHB6WVZkTmRHSXliR3RaZVRGcFdsZEdhbUl5TkhaTWJXUndaRWRvTVZscE9UTmlNMHB5V20xNGRtUXpUWFphV0dnd1kyMVdkRnBYZURWTVYxSm9ZbTFrYkdOdE9URmplVEYyWVZkU2FreFhTbXhaVjA1MlltazFOV0pYZUVGamJWWnRZM2s1YjFwWFJtdGplVGwwV1Zkc2RVMUNNRWRCTVZWa1JHZFJWMEpDVkc1M1NHVkNiVkJqT1VseVdtMUNaVzFQWVVoNU5HeDNkamRMUkVGbVFtZE9Wa2hUVFVWSFJFRlhaMEpSTDBaR2VHczNSbFY0ZEM5dlJUaHNSRnBGUmpCek4ydGhjM1ZFUVRkQ1oyOXlRbWRGUlVGWlR5OU5RVVZKUWtNd1RVc3lhREJrU0VKNlQyazRkbVJIT1hKYVZ6UjFXVmRPTUdGWE9YVmplVFZ1WVZoU2IyUlhTakZqTWxaNVdUSTVkV1JIVm5Wa1F6VnFZakl3ZDA5UldVdExkMWxDUWtGSFJIWjZRVUpCVVZGeVlVaFNNR05JVFRaTWVUa3dZakowYkdKcE5XaFpNMUp3WWpJMWVreHRaSEJrUjJneFdXNVdlbHBZU21waU1qVXdXbGMxTUV4dFRuWmlWRU5DYVZGWlMwdDNXVUpDUVVoWFpWRkpSVUZuVWpkQ1NHdEJaSGRDTVVGUVkyMTVjVTVDUmpkeFVscFZVM1pPZWxSd1NVMHhUVk5UTnpOWVQxbHBhamwzUlRkMk9IWlFlV1prUVVGQlFtaG5jRVkzUVVGQlFVRlJSRUZGV1hkU1FVbG5UMUpHTlRCb1dWSkpSbXd5U0dkak1IWlBTbVp3VFdwVk9HZFpOMEowUjJaNk1HOWFaVkJzZUVjMFowTkpSR3cyVTFoUlpURXJPVFpGVGxkeFRUWXJOWGQ0WWtsVlowaE1PRlF6SzI1dk5ETmplWFZGUVdVclRrMUJiMGREUTNGSFUwMDBPVUpCVFVSQk1HZEJUVVZWUTBsRGNVd3JjVXh3VW1KVVVGaHVObEpwTDFaSlpEQmxha3RDVGtVdlFqRndiVGt4ZFU5NVpTOURUMjFXUVdsRlFXNXJVbXN4Ymk5bVVIazRZMGR6Tml0cEszRTNZazFOYkN0WU1rTnROVEZ2WkVseVRVazVVR0pxVFhjOUNpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyIsInNpZyI6IlRVVlZRMGxGTVVaV2VUSjZOMHBwUkZSQmJFOURhbWRYYW5CNU1GQnpZeTg0ZDB0b1RIbFZXVVJWT0N0UWIzSk9RV2xGUVc5alVUUndjemhuUWtkRU5HUXhhWGgzTTB4R1ZqZ3phRmRPZFdKRVZYWlJkbHBDUmtsb1F6VXpjWGM5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6ImM4ZWY4N2EzZmI4MTFkYTQ1YTQxODg2NTU5NmFiOTE2MDMyNDU4Y2QxMzU5MmM3ZmYxYTUzZThmZDE1N2M1ODAifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIwZWJiZGJjMjFkMTgyMDA3Yjc4YjU3NzBkZWEyNDlmMTEwOTQ2YjdkZWQ4NTdhNGVjMDBjY2I2OTJjMWUyNWFmIn19fX0=" + } + ], + "timestampVerificationData": { + "rfc3161Timestamps": [ + { + "signedTimestamp": "MIICGzADAgEAMIICEgYJKoZIhvcNAQcCoIICAzCCAf8CAQMxDzANBglghkgBZQMEAgEFADB0BgsqhkiG9w0BCRABBKBlBGMwYQIBAQYJKwYBBAGDvzACMC8wCwYJYIZIAWUDBAIBBCCbcvRBlDfRbVwaBhmUQoOTcKS7XrFs5y6Tp/MDZ5tQNgIE3q2+7xgPMjAyMzAyMDEwMDAwMDBaMAMCAQECBEmWAtKgADGCAW8wggFrAgEBMCswJjEMMAoGA1UEAxMDdHNhMRYwFAYDVQQKEw1zaWdzdG9yZS5tb2NrAgECMA0GCWCGSAFlAwQCAQUAoIHVMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAcBgkqhkiG9w0BCQUxDxcNMjMwMjAxMDAwMDAwWjAvBgkqhkiG9w0BCQQxIgQgVzciL1SNrNN9mJ6Z3G1t4A7IPAjoVkXeFa91xuqRsAkwaAYLKoZIhvcNAQkQAi8xWTBXMFUwUwQgAA4hfcjNjQJC6U7kl1KxL3VHVkxZbFxM+eqk9sPXbJAwLzAqpCgwJjEMMAoGA1UEAxMDdHNhMRYwFAYDVQQKEw1zaWdzdG9yZS5tb2NrAgECMAoGCCqGSM49BAMCBEYwRAIgAqzpGF8YZrdyBJOGy2S/9qi7buQD6o51TvOGMKxAiagCIB8rI1sL9fFiY4LON6efkTvVxaFfHO5dJ1jKH+wO4jg+" + } + ] + } + }, + "dsseEnvelope": { + "payload": "ewogICJfdHlwZSI6ICJodHRwczovL2luLXRvdG8uaW8vU3RhdGVtZW50L3YxIiwKICAic3ViamVjdCI6IFsKICAgIHsKICAgICAgIm5hbWUiOiAiZC50eHQiLAogICAgICAiZGlnZXN0IjogewogICAgICAgICJzaGEyNTYiOiAiMzMwYTA0MzIyMGZhMTNlMDFkNjhhN2RiMzljODllMTJiMGM0YzNiNmEwMzQ2ZmU2MjRiMDkwM2YxMzAzYjViMiIKICAgICAgfQogICAgfQogIF0sCiAgInByZWRpY2F0ZVR5cGUiOiAiaHR0cHM6Ly9zbHNhLmRldi9wcm92ZW5hbmNlL3YxIiwKICAicHJlZGljYXRlIjogewogICAgImJ1aWxkRGVmaW5pdGlvbiI6IHsKICAgICAgImJ1aWxkVHlwZSI6ICJodHRwczovL3Nsc2EtZnJhbWV3b3JrLmdpdGh1Yi5pby9naXRodWItYWN0aW9ucy1idWlsZHR5cGVzL3dvcmtmbG93L3YxIiwKICAgICAgImV4dGVybmFsUGFyYW1ldGVycyI6IHsKICAgICAgICAid29ya2Zsb3ciOiB7CiAgICAgICAgICAicmVmIjogInJlZnMvaGVhZHMvbWFpbiIsCiAgICAgICAgICAicmVwb3NpdG9yeSI6ICJodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtY29uZm9ybWFuY2UiLAogICAgICAgICAgInBhdGgiOiAiLmdpdGh1Yi93b3JrZmxvd3MvY29uZm9ybWFuY2UueW1sIgogICAgICAgIH0KICAgICAgfSwKICAgICAgImludGVybmFsUGFyYW1ldGVycyI6IHsKICAgICAgICAiZ2l0aHViIjogewogICAgICAgICAgImV2ZW50X25hbWUiOiAicHVzaCIsCiAgICAgICAgICAicmVwb3NpdG9yeV9pZCI6ICI1NDE4OTMxODYiLAogICAgICAgICAgInJlcG9zaXRvcnlfb3duZXJfaWQiOiAiNzEwOTYzNTMiCiAgICAgICAgfQogICAgICB9LAogICAgICAicmVzb2x2ZWREZXBlbmRlbmNpZXMiOiBbCiAgICAgICAgewogICAgICAgICAgInVyaSI6ICJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWNvbmZvcm1hbmNlQHJlZnMvaGVhZHMvbWFpbiIsCiAgICAgICAgICAiZGlnZXN0IjogewogICAgICAgICAgICAiZ2l0Q29tbWl0IjogImM1ZjVmYjI1NTE2M2VkODVkZGIzMmQ1NGRjZGQ3MTBhYzNmMDQ2MDMiCiAgICAgICAgICB9CiAgICAgICAgfQogICAgICBdCiAgICB9LAogICAgInJ1bkRldGFpbHMiOiB7CiAgICAgICJidWlsZGVyIjogewogICAgICAgICJpZCI6ICJodHRwczovL2dpdGh1Yi5jb20vYWN0aW9ucy9ydW5uZXIvZ2l0aHViLWhvc3RlZCIKICAgICAgfSwKICAgICAgIm1ldGFkYXRhIjogewogICAgICAgICJpbnZvY2F0aW9uSWQiOiAiaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWNvbmZvcm1hbmNlL2FjdGlvbnMvcnVucy83MTczNjIwOTEwL2F0dGVtcHRzLzEiCiAgICAgIH0KICAgIH0KICB9Cn0K", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEUCIE1FVy2z7JiDTAlOCjgWjpy0Psc/8wKhLyUYDU8+PorNAiEAocQ4ps8gBGD4d1ixw3LFV83hWNubDUvQvZBFIhC53qw=", + "keyid": "" + } + ] + } +} +``` + +where the embedded attestation in the dsse envelope is +```json +{ + "_type": "https://in-toto.io/Statement/v1", + "subject": [ + { + "name": "d.txt", + "digest": { + "sha256": "330a043220fa13e01d68a7db39c89e12b0c4c3b6a0346fe624b0903f1303b5b2" + } + } + ], + "predicateType": "https://slsa.dev/provenance/v1", + "predicate": { + "buildDefinition": { + "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1", + "externalParameters": { + "workflow": { + "ref": "refs/heads/main", + "repository": "https://github.com/sigstore/sigstore-conformance", + "path": ".github/workflows/conformance.yml" + } + }, + "internalParameters": { + "github": { + "event_name": "push", + "repository_id": "541893186", + "repository_owner_id": "71096353" + } + }, + "resolvedDependencies": [ + { + "uri": "git+https://github.com/sigstore/sigstore-conformance@refs/heads/main", + "digest": { + "gitCommit": "c5f5fb255163ed85ddb32d54dcdd710ac3f04603" + } + } + ] + }, + "runDetails": { + "builder": { + "id": "https://github.com/actions/runner/github-hosted" + }, + "metadata": { + "invocationId": "https://github.com/sigstore/sigstore-conformance/actions/runs/7173620910/attempts/1" + } + } + } +} +```