From 658e3853c4cf9a6aba5bacac9409d65bf2f8644b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?=
Date: Thu, 26 Aug 2021 23:40:50 +0300
Subject: [PATCH] upgrade in-toto-golang to adapt SLSA Provenance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Batuhan Apaydın
---
 go.mod | 2 +-
 go.sum | 3 ++-
 pkg/cosign/attestation/attestation.go | 6 +++---
 3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/go.mod b/go.mod
index 4eaa13152a0..556fdbb44bc 100644
--- a/go.mod
+++ b/go.mod
@@ -82,7 +82,7 @@ require (
 github.com/hashicorp/vault/api v1.1.1 // indirect
 github.com/hashicorp/vault/sdk v0.2.1 // indirect
 github.com/imdario/mergo v0.3.12 // indirect
- github.com/in-toto/in-toto-golang v0.2.1-0.20210627200632-886210ae2ab9
+ github.com/in-toto/in-toto-golang v0.2.1-0.20210806133539-f50646681592
 github.com/inconshreveable/mousetrap v1.0.0 // indirect
 github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431 // indirect
 github.com/jmespath/go-jmespath v0.4.0 // indirect
diff --git a/go.sum b/go.sum
index cf500e663f0..359fb1e8fa3 100644
--- a/go.sum
+++ b/go.sum
@@ -954,8 +954,9 @@ github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
 github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
-github.com/in-toto/in-toto-golang v0.2.1-0.20210627200632-886210ae2ab9 h1:j7klXz5kh0ydPmHkBtJ/Al27G1/au4sH7OkGhkgRJWg=
 github.com/in-toto/in-toto-golang v0.2.1-0.20210627200632-886210ae2ab9/go.mod h1:Skbg04kmfB7IAnEIsspKPg/ny1eiFt/TgPr9SDCHusA=
+github.com/in-toto/in-toto-golang v0.2.1-0.20210806133539-f50646681592 h1:g9IxkZZUCtXHtU3fBXY+1WhEL6Hmcaelk4o4VGYSmsA=
+github.com/in-toto/in-toto-golang v0.2.1-0.20210806133539-f50646681592/go.mod h1:Skbg04kmfB7IAnEIsspKPg/ny1eiFt/TgPr9SDCHusA=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo=
diff --git a/pkg/cosign/attestation/attestation.go b/pkg/cosign/attestation/attestation.go
index 1cbd83269e5..a0ec067987b 100644
--- a/pkg/cosign/attestation/attestation.go
+++ b/pkg/cosign/attestation/attestation.go
@@ -71,7 +71,7 @@ func GenerateStatement(opts GenerateOpts) (interface{}, error) {
 stamp := now.UTC().Format(time.RFC3339)
 return generateCustomStatement(rawPayload, opts.Digest, opts.Repo, stamp)
 case "provenance":
- return generateProvenanceStatement(rawPayload, opts.Digest, opts.Repo)
+ return generateSLSAProvenanceStatement(rawPayload, opts.Digest, opts.Repo)
 case "spdx":
 return generateSPDXStatement(rawPayload, opts.Digest, opts.Repo)
 case "link":
@@ -107,7 +107,7 @@ func generateCustomStatement(rawPayload []byte, digest, repo, timestamp string)
 }, nil
 }
 
-func generateProvenanceStatement(rawPayload []byte, digest string, repo string) (interface{}, error) {
+func generateSLSAProvenanceStatement(rawPayload []byte, digest string, repo string) (interface{}, error) {
 var predicate in_toto.ProvenancePredicate
 err := checkRequiredJSONFields(rawPayload, reflect.TypeOf(predicate))
 if err != nil {
@@ -118,7 +118,7 @@ func generateProvenanceStatement(rawPayload []byte, digest string, repo string)
 return "", errors.Wrap(err, "unmarshal Provenance predicate")
 }
 return in_toto.ProvenanceStatement{
- StatementHeader: generateStatementHeader(digest, repo, in_toto.PredicateProvenanceV01),
+ StatementHeader: generateStatementHeader(digest, repo, in_toto.PredicateSLSAProvenanceV01),
 Predicate: predicate,
 }, nil
 }
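Review bot: Passing `in_toto.PredicateSLSAProvenanceV01` to `generateStatementHeader` in the last hunk changes the predicate type carried by every newly signed `provenance` attestation, and nothing visible in this patch documents that or covers verifiers and policies that still match on `in_toto.PredicateProvenanceV01`. Attestations signed before and after this commit will carry different types, so a policy pinned to one will presumably skip or reject the other; a test asserting the emitted type for the `"provenance"` case would pin the contract. The payload is still decoded into `in_toto.ProvenancePredicate` and gated by `checkRequiredJSONFields`, so it is worth confirming that the struct in the upgraded library matches the schema the new type names. I would also add a doc comment on the renamed function, `// generateSLSAProvenanceStatement builds an in-toto statement of type in_toto.PredicateSLSAProvenanceV01 from a raw provenance predicate.` The function body spans this hunk and the previous one, so its middle lines are not visible here.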