Migrate to in-toto v1

Signed-off-by: Christian Dupuis <cd@atomist.com>

client/client_test.go

@@ -38,7 +38,7 @@ import (
 	"github.com/containerd/containerd/snapshots"
 	"github.com/containerd/continuity/fs/fstest"
 	"github.com/distribution/reference"
-	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	intotov1 "github.com/in-toto/attestation/go/v1"
 	controlapi "github.com/moby/buildkit/api/services/control"
 	"github.com/moby/buildkit/client/llb"
 	"github.com/moby/buildkit/exporter/containerimage/exptypes"
@@ -8170,7 +8170,7 @@ func testExportAttestations(t *testing.T, sb integration.Sandbox) {
 			require.Equal(t, len(att.Layers), len(att.Img.RootFS.DiffIDs))
 			require.Equal(t, len(att.Img.History), 0)
 
-			var attest intoto.Statement
+			var attest intotov1.Statement
 			require.NoError(t, json.Unmarshal(att.LayersRaw[0], &attest))
 
 			purls := map[string]string{}
@@ -8189,7 +8189,7 @@ func testExportAttestations(t *testing.T, sb integration.Sandbox) {
 			require.Equal(t, "https://in-toto.io/Statement/v0.1", attest.Type)
 			require.Equal(t, "https://example.com/attestations/v1.0", attest.PredicateType)
 			require.Equal(t, map[string]interface{}{"success": true}, attest.Predicate)
-			subjects := []intoto.Subject{
+			subjects := []intotov1.Subject{
 				{
 					Name: purls[targets[0]],
 					Digest: map[string]string{
@@ -8205,13 +8205,13 @@ func testExportAttestations(t *testing.T, sb integration.Sandbox) {
 			}
 			require.Equal(t, subjects, attest.Subject)
 
-			var attest2 intoto.Statement
+			var attest2 intotov1.Statement
 			require.NoError(t, json.Unmarshal(att.LayersRaw[1], &attest2))
 
 			require.Equal(t, "https://in-toto.io/Statement/v0.1", attest2.Type)
 			require.Equal(t, "https://example.com/attestations2/v1.0", attest2.PredicateType)
 			require.Nil(t, attest2.Predicate)
-			subjects = []intoto.Subject{{
+			subjects = []intotov1.Subject{{
 				Name: "/attestation.json",
 				Digest: map[string]string{
 					"sha256": successDigest.Encoded(),
@@ -8252,7 +8252,7 @@ func testExportAttestations(t *testing.T, sb integration.Sandbox) {
 		require.NoError(t, err)
 
 		for _, p := range ps {
-			var attest intoto.Statement
+			var attest intotov1.Statement
 			dt, err := os.ReadFile(path.Join(dir, strings.ReplaceAll(platforms.Format(p), "/", "_"), "test.attestation.json"))
 			require.NoError(t, err)
 			require.NoError(t, json.Unmarshal(dt, &attest))
@@ -8261,20 +8261,20 @@ func testExportAttestations(t *testing.T, sb integration.Sandbox) {
 			require.Equal(t, "https://example.com/attestations/v1.0", attest.PredicateType)
 			require.Equal(t, map[string]interface{}{"success": true}, attest.Predicate)
 
-			require.Equal(t, []intoto.Subject{{
+			require.Equal(t, []intotov1.Subject{{
 				Name:   "greeting",
 				Digest: result.ToDigestMap(digest.Canonical.FromString("hello " + platforms.Format(p) + "!")),
 			}}, attest.Subject)
 
-			var attest2 intoto.Statement
+			var attest2 intotov1.Statement
 			dt, err = os.ReadFile(path.Join(dir, strings.ReplaceAll(platforms.Format(p), "/", "_"), "test.attestation2.json"))
 			require.NoError(t, err)
 			require.NoError(t, json.Unmarshal(dt, &attest2))
 
 			require.Equal(t, "https://in-toto.io/Statement/v0.1", attest2.Type)
 			require.Equal(t, "https://example.com/attestations2/v1.0", attest2.PredicateType)
 			require.Nil(t, attest2.Predicate)
-			subjects := []intoto.Subject{{
+			subjects := []intotov1.Subject{{
 				Name: "/attestation.json",
 				Digest: map[string]string{
 					"sha256": successDigest.Encoded(),
@@ -8310,7 +8310,7 @@ func testExportAttestations(t *testing.T, sb integration.Sandbox) {
 		require.NoError(t, err)
 
 		for _, p := range ps {
-			var attest intoto.Statement
+			var attest intotov1.Statement
 			item := m[path.Join(strings.ReplaceAll(platforms.Format(p), "/", "_"), "test.attestation.json")]
 			require.NotNil(t, item)
 			require.NoError(t, json.Unmarshal(item.Data, &attest))
@@ -8319,20 +8319,20 @@ func testExportAttestations(t *testing.T, sb integration.Sandbox) {
 			require.Equal(t, "https://example.com/attestations/v1.0", attest.PredicateType)
 			require.Equal(t, map[string]interface{}{"success": true}, attest.Predicate)
 
-			require.Equal(t, []intoto.Subject{{
+			require.Equal(t, []intotov1.Subject{{
 				Name:   "greeting",
 				Digest: result.ToDigestMap(digest.Canonical.FromString("hello " + platforms.Format(p) + "!")),
 			}}, attest.Subject)
 
-			var attest2 intoto.Statement
+			var attest2 intotov1.Statement
 			item = m[path.Join(strings.ReplaceAll(platforms.Format(p), "/", "_"), "test.attestation2.json")]
 			require.NotNil(t, item)
 			require.NoError(t, json.Unmarshal(item.Data, &attest2))
 
 			require.Equal(t, "https://in-toto.io/Statement/v0.1", attest2.Type)
 			require.Equal(t, "https://example.com/attestations2/v1.0", attest2.PredicateType)
 			require.Nil(t, attest2.Predicate)
-			subjects := []intoto.Subject{{
+			subjects := []intotov1.Subject{{
 				Name: "/attestation.json",
 				Digest: map[string]string{
 					"sha256": successDigest.Encoded(),
@@ -8463,15 +8463,15 @@ func testAttestationDefaultSubject(t *testing.T, sb integration.Sandbox) {
 	atts := imgs.Filter("unknown/unknown")
 	require.Equal(t, len(ps), len(atts.Images))
 	for i, att := range atts.Images {
-		var attest intoto.Statement
+		var attest intotov1.Statement
 		require.NoError(t, json.Unmarshal(att.LayersRaw[0], &attest))
 
 		require.Equal(t, "https://in-toto.io/Statement/v0.1", attest.Type)
 		require.Equal(t, "https://example.com/attestations/v1.0", attest.PredicateType)
 		require.Equal(t, map[string]interface{}{"success": true}, attest.Predicate)
 
 		name := fmt.Sprintf("pkg:docker/%s/buildkit/testattestationsemptysubject@latest?platform=%s", url.QueryEscape(registry), url.QueryEscape(platforms.Format(ps[i])))
-		subjects := []intoto.Subject{{
+		subjects := []intotov1.Subject{{
 			Name: name,
 			Digest: map[string]string{
 				"sha256": bases[i].Desc.Digest.Encoded(),
@@ -8530,9 +8530,9 @@ func testAttestationBundle(t *testing.T, sb integration.Sandbox) {
 			}
 			res.AddRef(pk, ref)
 
-			stmt := intoto.Statement{
-				StatementHeader: intoto.StatementHeader{
-					Type:          intoto.StatementInTotoV01,
+			stmt := intotov1.Statement{
+				StatementHeader: intotov1.StatementHeader{
+					Type:          intotov1.StatementInTotoV01,
 					PredicateType: "https://example.com/attestations/v1.0",
 				},
 				Predicate: map[string]interface{}{
@@ -8616,13 +8616,13 @@ func testAttestationBundle(t *testing.T, sb integration.Sandbox) {
 	require.Equal(t, len(ps)*1, len(atts.Images))
 	for i, att := range atts.Images {
 		require.Equal(t, 1, len(att.LayersRaw))
-		var attest intoto.Statement
+		var attest intotov1.Statement
 		require.NoError(t, json.Unmarshal(att.LayersRaw[0], &attest))
 
 		require.Equal(t, "https://example.com/attestations/v1.0", attest.PredicateType)
 		require.Equal(t, map[string]interface{}{"foo": "1"}, attest.Predicate)
 		name := fmt.Sprintf("pkg:docker/%s/buildkit/testattestationsbundle@latest?platform=%s", url.QueryEscape(registry), url.QueryEscape(platforms.Format(ps[i])))
-		subjects := []intoto.Subject{{
+		subjects := []intotov1.Subject{{
 			Name: name,
 			Digest: map[string]string{
 				"sha256": bases[i].Desc.Digest.Encoded(),
@@ -8779,7 +8779,7 @@ EOF
 					Ref:  refAttest,
 					Path: "/result.spdx",
 					InToto: result.InTotoAttestation{
-						PredicateType: intoto.PredicateSPDX,
+						PredicateType: intotov1.PredicateSPDX,
 					},
 				})
 			}
@@ -8839,10 +8839,10 @@ EOF
 	require.Equal(t, 2, len(imgs.Images))
 
 	att := imgs.Find("unknown/unknown")
-	attest := intoto.Statement{}
+	attest := intotov1.Statement{}
 	require.NoError(t, json.Unmarshal(att.LayersRaw[0], &attest))
 	require.Equal(t, "https://in-toto.io/Statement/v0.1", attest.Type)
-	require.Equal(t, intoto.PredicateSPDX, attest.PredicateType)
+	require.Equal(t, intotov1.PredicateSPDX, attest.PredicateType)
 	require.Subset(t, attest.Predicate, map[string]interface{}{"name": "frontend"})
 
 	// test the specified fallback scanner
@@ -8871,10 +8871,10 @@ EOF
 	require.Equal(t, 2, len(imgs.Images))
 
 	att = imgs.Find("unknown/unknown")
-	attest = intoto.Statement{}
+	attest = intotov1.Statement{}
 	require.NoError(t, json.Unmarshal(att.LayersRaw[0], &attest))
 	require.Equal(t, "https://in-toto.io/Statement/v0.1", attest.Type)
-	require.Equal(t, intoto.PredicateSPDX, attest.PredicateType)
+	require.Equal(t, intotov1.PredicateSPDX, attest.PredicateType)
 	require.Subset(t, attest.Predicate, map[string]interface{}{"name": "fallback"})
 
 	// test the builtin frontend scanner and the specified fallback scanner together
@@ -8903,10 +8903,10 @@ EOF
 	require.Equal(t, 2, len(imgs.Images))
 
 	att = imgs.Find("unknown/unknown")
-	attest = intoto.Statement{}
+	attest = intotov1.Statement{}
 	require.NoError(t, json.Unmarshal(att.LayersRaw[0], &attest))
 	require.Equal(t, "https://in-toto.io/Statement/v0.1", attest.Type)
-	require.Equal(t, intoto.PredicateSPDX, attest.PredicateType)
+	require.Equal(t, intotov1.PredicateSPDX, attest.PredicateType)
 	require.Subset(t, attest.Predicate, map[string]interface{}{"name": "frontend"})
 }
 
@@ -9069,10 +9069,10 @@ EOF
 
 	att := imgs.Find("unknown/unknown")
 	require.NotNil(t, att)
-	attest := intoto.Statement{}
+	attest := intotov1.Statement{}
 	require.NoError(t, json.Unmarshal(att.LayersRaw[0], &attest))
 	require.Equal(t, "https://in-toto.io/Statement/v0.1", attest.Type)
-	require.Equal(t, intoto.PredicateSPDX, attest.PredicateType)
+	require.Equal(t, intotov1.PredicateSPDX, attest.PredicateType)
 	require.Subset(t, attest.Predicate, map[string]interface{}{"name": "fallback"})
 }
 
@@ -9175,7 +9175,7 @@ func testSBOMSupplements(t *testing.T, sb integration.Sandbox) {
 			Ref:  refAttest,
 			Path: "/result.spdx",
 			InToto: result.InTotoAttestation{
-				PredicateType: intoto.PredicateSPDX,
+				PredicateType: intotov1.PredicateSPDX,
 			},
 			Metadata: map[string][]byte{
 				result.AttestationSBOMCore: []byte("result"),
@@ -9212,12 +9212,12 @@ func testSBOMSupplements(t *testing.T, sb integration.Sandbox) {
 
 	att := imgs.Find("unknown/unknown")
 	attest := struct {
-		intoto.StatementHeader
+		intotov1.StatementHeader
 		Predicate spdx.Document
 	}{}
 	require.NoError(t, json.Unmarshal(att.LayersRaw[0], &attest))
 	require.Equal(t, "https://in-toto.io/Statement/v0.1", attest.Type)
-	require.Equal(t, intoto.PredicateSPDX, attest.PredicateType)
+	require.Equal(t, intotov1.PredicateSPDX, attest.PredicateType)
 
 	require.Equal(t, "DOCUMENT", string(attest.Predicate.SPDXIdentifier))
 	require.Len(t, attest.Predicate.Files, 2)

docs/attestations/attestation-storage.md

@@ -60,7 +60,7 @@ The contents of each layer will be a blob dependent on its `mediaType`.
 
   ```json
   {
-    "_type": "https://in-toto.io/Statement/v0.1",
+    "_type": "https://in-toto.io/Statement/v1",
     "subject": [
       {
         "name": "<NAME>",
@@ -198,7 +198,7 @@ Attestation body containing the SBOM data listing the packages used during the b
 
 ```json
 {
-  "_type": "https://in-toto.io/Statement/v0.1",
+  "_type": "https://in-toto.io/Statement/v1",
   "predicateType": "https://spdx.dev/Document",
   "subject": [
     {

docs/attestations/sbom.md

@@ -109,7 +109,7 @@ the following SBOM:
 
 ```json
 {
-  "_type": "https://in-toto.io/Statement/v0.1",
+  "_type": "https://in-toto.io/Statement/v1",
   "predicateType": "https://spdx.dev/Document",
   "subject": [
     {

docs/attestations/slsa-definitions.md

@@ -400,7 +400,7 @@ in a provenance attestation similar to the following, for a `mode=min` build:
 
 ```json
 {
-  "_type": "https://in-toto.io/Statement/v0.1",
+  "_type": "https://in-toto.io/Statement/v1",
   "predicateType": "https://slsa.dev/provenance/v0.2",
   "subject": [
     {
@@ -463,7 +463,7 @@ For a similar build, but with `mode=max`:
 
 ```json
 {
-  "_type": "https://in-toto.io/Statement/v0.1",
+  "_type": "https://in-toto.io/Statement/v1",
   "predicateType": "https://slsa.dev/provenance/v0.2",
   "subject": [
     {

exporter/attestation/make.go

@@ -3,10 +3,11 @@ package attestation
 import (
 	"context"
 	"encoding/json"
+	"google.golang.org/protobuf/types/known/structpb"
 	"os"
 
 	"github.com/containerd/continuity/fs"
-	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	intotov1 "github.com/in-toto/attestation/go/v1"
 	"github.com/moby/buildkit/exporter"
 	gatewaypb "github.com/moby/buildkit/frontend/gateway/pb"
 	"github.com/moby/buildkit/session"
@@ -56,9 +57,9 @@ func ReadAll(ctx context.Context, s session.Group, att exporter.Attestation) ([]
 
 // MakeInTotoStatements iterates over all provided result attestations and
 // generates intoto attestation statements.
-func MakeInTotoStatements(ctx context.Context, s session.Group, attestations []exporter.Attestation, defaultSubjects []intoto.Subject) ([]intoto.Statement, error) {
+func MakeInTotoStatements(ctx context.Context, s session.Group, attestations []exporter.Attestation, defaultSubjects []*intotov1.ResourceDescriptor) ([]*intotov1.Statement, error) {
 	eg, ctx := errgroup.WithContext(ctx)
-	statements := make([]intoto.Statement, len(attestations))
+	statements := make([]*intotov1.Statement, len(attestations))
 
 	for i, att := range attestations {
 		i, att := i, att
@@ -74,7 +75,7 @@ func MakeInTotoStatements(ctx context.Context, s session.Group, attestations []e
 				if err != nil {
 					return err
 				}
-				statements[i] = *stmt
+				statements[i] = stmt
 			case gatewaypb.AttestationKindBundle:
 				return errors.New("bundle attestation kind must be un-bundled first")
 			}
@@ -87,13 +88,13 @@ func MakeInTotoStatements(ctx context.Context, s session.Group, attestations []e
 	return statements, nil
 }
 
-func makeInTotoStatement(ctx context.Context, content []byte, attestation exporter.Attestation, defaultSubjects []intoto.Subject) (*intoto.Statement, error) {
+func makeInTotoStatement(ctx context.Context, content []byte, attestation exporter.Attestation, defaultSubjects []*intotov1.ResourceDescriptor) (*intotov1.Statement, error) {
 	if len(attestation.InToto.Subjects) == 0 {
 		attestation.InToto.Subjects = []result.InTotoSubject{{
 			Kind: gatewaypb.InTotoSubjectKindSelf,
 		}}
 	}
-	subjects := []intoto.Subject{}
+	subjects := []*intotov1.ResourceDescriptor{}
 	for _, subject := range attestation.InToto.Subjects {
 		subjectName := "_"
 		if subject.Name != "" {
@@ -110,14 +111,14 @@ func makeInTotoStatement(ctx context.Context, content []byte, attestation export
 				}
 
 				for _, name := range subjectNames {
-					subjects = append(subjects, intoto.Subject{
+					subjects = append(subjects, &intotov1.ResourceDescriptor{
 						Name:   name,
 						Digest: defaultSubject.Digest,
 					})
 				}
 			}
 		case gatewaypb.InTotoSubjectKindRaw:
-			subjects = append(subjects, intoto.Subject{
+			subjects = append(subjects, &intotov1.ResourceDescriptor{
 				Name:   subjectName,
 				Digest: result.ToDigestMap(subject.Digest...),
 			})
@@ -126,13 +127,21 @@ func makeInTotoStatement(ctx context.Context, content []byte, attestation export
 		}
 	}
 
-	stmt := intoto.Statement{
-		StatementHeader: intoto.StatementHeader{
-			Type:          intoto.StatementInTotoV01,
-			PredicateType: attestation.InToto.PredicateType,
-			Subject:       subjects,
-		},
-		Predicate: json.RawMessage(content),
+	var pred map[string]interface{}
+	err := json.Unmarshal(content, &pred)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to unmarshal attestation predicate")
+	}
+	predicate, err := structpb.NewStruct(pred)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to convert attestation predicate to struct")
+	}
+
+	stmt := intotov1.Statement{
+		Type:          intotov1.StatementTypeUri,
+		Subject:       subjects,
+		PredicateType: attestation.InToto.PredicateType,
+		Predicate:     predicate,
 	}
 	return &stmt, nil
 }

exporter/attestation/unbundle.go

@@ -8,7 +8,7 @@ import (
 	"strings"
 
 	"github.com/containerd/continuity/fs"
-	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	intotov1 "github.com/in-toto/attestation/go/v1"
 	"github.com/moby/buildkit/exporter"
 	gatewaypb "github.com/moby/buildkit/frontend/gateway/pb"
 	"github.com/moby/buildkit/session"
@@ -137,7 +137,7 @@ func unbundle(ctx context.Context, root string, bundle exporter.Attestation) ([]
 			return nil, err
 		}
 		dec := json.NewDecoder(f)
-		var stmt intoto.Statement
+		var stmt intotov1.Statement
 		if err := dec.Decode(&stmt); err != nil {
 			return nil, errors.Wrap(err, "cannot decode in-toto statement")
 		}