Add APIs for Statement v1 and SLSA Provenance v1 protos

Open marcelamelara opened this issue 1 year ago • 4 comments

This PR adds APIs for generating ITE-6 v1 Statements using the protobuf-based language bindings provided by the in-toto Attestation Framework. This PR also adds protobuf-based APIs that replace the now-deprecated SLSA Provenance v1 structs.

Fixes #260, fixes #265.

marcelamelara, Sep 20 '23 01:09

I like the ideas here, is the plan to take this all the way through signing the statement using dsse as well?

adityasaky, Sep 27 '23 20:09

is the plan to take this all the way through signing the statement using dsse as well?

@adityasaky Ideally yes. The idea would be to have these sorts of generators for each supported predicate type, and switch on the predicate type in a place like runlib before we sign the Statement and generate the DSSE. From the CLI perspective, we may introduce a predicate type flag. Other implementers, like the SLSA provenance generator for GHA, might use these APIs directly.

What I don't have a solution for yet is how the predicate contents themselves will be generated/passed into in-toto, especially in the case of informational ITE-9 predicates.

marcelamelara, Sep 27 '23 21:09

In the interest of keeping PRs small enough and digestible, I'm going to scope this PR at only introducing the new v1 APIs, but not integrating them into the greater in-toto-golang CLI tool. This is meant to work with the Attestor interface introduced in #288 as well, so converting the new Provenance APIs to implement that interface, and adding support for the Link Attestor in runlib will be part of a future PR.

marcelamelara, Dec 19 '23 23:12

Some nits. Should we discuss this in the context of #288 as well? cc @Forrin

There is for sure some overlap. These can probably be merged fairly easily if I make a few adjustments in my PR. I can remove calling the Attestor and leave that for a future change. Whether it's done in the run function or somewhere else I don't have a strong opinion. However, I do think that the run function is getting a bit bloated and doing too much. Possibly passing it a list of attestors would make the most sense.

But, the run function is technically for a Link style metadata... which I view as an attestor. Open to further conversations.

In the short term, removing how the Attestor code is called and leaving only the interface and LinkAttestor implementation would at least get it merged.

@adityasaky @marcelamelara

Forrin, Jan 03 '24 04:01

This has been superseded by https://github.com/in-toto/go-witness/pull/149 .

marcelamelara, May 22 '24 22:05