example DSSE payload:
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
decodes to
{
"_type": "https://in-toto.io/Statement/v1",
"subject": [
{
"uri": "pkg:github/php/[email protected]",
"digest": {
"sha1": "7ebc116a58d99e8cb0a24da841c7caa2b7d1e09f"
}
},
{
"name": "pie.phar",
"digest": {
"sha256": "0eaaed5d49534d5eb53cae637843035ed3e0b9957ebad8521f13717b06480bfc"
}
}
],
"predicateType": "https://in-toto.io/attestation/release/v0.1",
"predicate": {
"databaseId": "265373419",
"ownerId": "25158",
"packageId": "765049687",
"purl": "pkg:github/php/[email protected]",
"releaseId": "765049687",
"repository": "php/pie",
"repositoryId": "765049687",
"tag": "1.3.0"
}
}
Note that the `predicateType` is different to the one used by a build provenance attestation; an example of a build provenance attestation follows:
{
"_type": "https://in-toto.io/Statement/v1",
"subject": [
{
"name": "pie.phar",
"digest": {
"sha256": "0eaaed5d49534d5eb53cae637843035ed3e0b9957ebad8521f13717b06480bfc"
}
}
],
"predicateType": "https://slsa.dev/provenance/v1",
"predicate": {
"buildDefinition": {
"buildType": "https://actions.github.io/buildtypes/workflow/v1",
"externalParameters": {
"workflow": {
"ref": "refs/tags/1.3.0",
"repository": "https://github.com/php/pie",
"path": ".github/workflows/continuous-integration.yml"
}
},
"internalParameters": {
"github": {
"event_name": "push",
"repository_id": "765049687",
"repository_owner_id": "25158",
"runner_environment": "github-hosted"
}
},
"resolvedDependencies": [
{
"uri": "git+https://github.com/php/pie@refs/tags/1.3.0",
"digest": {
"gitCommit": "3a2824243fce9051fb6b99430f7e14053e827495"
}
}
]
},
"runDetails": {
"builder": {
"id": "https://github.com/php/pie/.github/workflows/build-phar.yml@refs/tags/1.3.0"
},
"metadata": {
"invocationId": "https://github.com/php/pie/actions/runs/19697569681/attempts/1"
}
}
}
}
Note that as of #14 the `\ThePhpFoundation\Attestation\Verification\VerifyAttestationWithOpenSsl::downloadAttestations` method is currently hard-coded to filter to `?predicate_type=provenance` (ref API docs: https://docs.github.com/en/rest/users/attestations?apiVersion=2022-11-28#list-attestations), so release attestations with the `predicateType` shown above would not be returned by that call.
example DSSE payload:
decodes to
{ "_type": "https://in-toto.io/Statement/v1", "subject": [ { "uri": "pkg:github/php/[email protected]", "digest": { "sha1": "7ebc116a58d99e8cb0a24da841c7caa2b7d1e09f" } }, { "name": "pie.phar", "digest": { "sha256": "0eaaed5d49534d5eb53cae637843035ed3e0b9957ebad8521f13717b06480bfc" } } ], "predicateType": "https://in-toto.io/attestation/release/v0.1", "predicate": { "databaseId": "265373419", "ownerId": "25158", "packageId": "765049687", "purl": "pkg:github/php/[email protected]", "releaseId": "765049687", "repository": "php/pie", "repositoryId": "765049687", "tag": "1.3.0" } }

Note that the `predicateType` is different to the one used by a build provenance attestation; an example of a build provenance attestation follows:

{ "_type": "https://in-toto.io/Statement/v1", "subject": [ { "name": "pie.phar", "digest": { "sha256": "0eaaed5d49534d5eb53cae637843035ed3e0b9957ebad8521f13717b06480bfc" } } ], "predicateType": "https://slsa.dev/provenance/v1", "predicate": { "buildDefinition": { "buildType": "https://actions.github.io/buildtypes/workflow/v1", "externalParameters": { "workflow": { "ref": "refs/tags/1.3.0", "repository": "https://github.com/php/pie", "path": ".github/workflows/continuous-integration.yml" } }, "internalParameters": { "github": { "event_name": "push", "repository_id": "765049687", "repository_owner_id": "25158", "runner_environment": "github-hosted" } }, "resolvedDependencies": [ { "uri": "git+https://github.com/php/pie@refs/tags/1.3.0", "digest": { "gitCommit": "3a2824243fce9051fb6b99430f7e14053e827495" } } ] }, "runDetails": { "builder": { "id": "https://github.com/php/pie/.github/workflows/build-phar.yml@refs/tags/1.3.0" }, "metadata": { "invocationId": "https://github.com/php/pie/actions/runs/19697569681/attempts/1" } } } }

Note that as of #14 the `\ThePhpFoundation\Attestation\Verification\VerifyAttestationWithOpenSsl::downloadAttestations` method is currently hard-coded to filter to `?predicate_type=provenance` (ref API docs: https://docs.github.com/en/rest/users/attestations?apiVersion=2022-11-28#list-attestations), so release attestations with the `predicateType` shown above would not be returned by that call.