
Why is an SBOM attestation predicate wrapped in CosignPredicate?

Open otms61 opened this issue 3 years ago • 0 comments

Question

When Cosign creates an SBOM attestation, the SBOM predicate is wrapped in CosignPredicate (spdx, cyclonedx). Therefore, the SBOM is located under predicate.Data.

The photo below is an example of SPDX.

[image: sbom_attestation]

This differs from the in-toto SPDX specification. It defines that the SBOM is located under the predicate.

{
  // Standard attestation fields:
  "_type": "https://in-toto.io/Statement/v0.1",
  "subject": [{ ... }],

  // Predicate:
  "predicateType": "https://spdx.dev/Document",
  "predicate": {
    "SPDXID" : "SPDXRef-DOCUMENT",
    "spdxVersion" : "SPDX-2.2",
    ...
  }
}

This difference makes it difficult to tell whether the SBOM is in predicate or predicate.Data when we get an SBOM attestation.

So, why is an SBOM attestation predicate wrapped in CosignPredicate?

otms61, Aug 04 '22 00:08
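A verifier-side helper for the ambiguity raised in the question, added here as an example and not Cosign's own code: it accepts both layouts (the SBOM directly under predicate, as the in-toto SPDX spec defines, or under predicate.Data, as the CosignPredicate wrapper produces), reports which one it found, and rejects an SPDX predicate type that yields no SPDX-shaped document. The two sample statements are constructed, and treating a string-valued Data as raw SBOM text to be parsed is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample statements (not real attestations): the same minimal SPDX document, once per layout.
const CosignLayout = `{"_type":"https://in-toto.io/Statement/v0.1","subject":[],"predicateType":"https://spdx.dev/Document",
 "predicate":{"Data":{"SPDXID":"SPDXRef-DOCUMENT","spdxVersion":"SPDX-2.2"}}}`
const InTotoLayout = `{"_type":"https://in-toto.io/Statement/v0.1","subject":[],"predicateType":"https://spdx.dev/Document",
 "predicate":{"SPDXID":"SPDXRef-DOCUMENT","spdxVersion":"SPDX-2.2"}}`

// ExtractSBOM returns the SBOM document and the layout it sat in: "predicate" (in-toto spec) or "predicate.Data" (Cosign).
func ExtractSBOM(statement []byte) (map[string]any, string, error) {
	var st struct {
		PredicateType string         `json:"predicateType"`
		Predicate     map[string]any `json:"predicate"`
	}
	if err := json.Unmarshal(statement, &st); err != nil {
		return nil, "", fmt.Errorf("decode statement: %w", err)
	}
	doc, layout := st.Predicate, "predicate"
	if data, ok := st.Predicate["Data"]; ok { // Cosign wrapper: the SBOM lives in Data
		layout = "predicate.Data"
		switch d := data.(type) {
		case map[string]any:
			doc = d
		case string: // assumption: Data may hold the raw SBOM text; parse it as JSON into a fresh map
			var parsed map[string]any
			if err := json.Unmarshal([]byte(d), &parsed); err != nil {
				return nil, "", fmt.Errorf("predicate.Data is not a JSON document: %w", err)
			}
			doc = parsed
		default:
			return nil, "", fmt.Errorf("unexpected predicate.Data type %T", data)
		}
	}
	// Whichever layout was used, an SPDX predicate type must yield an SPDX-shaped document.
	if doc == nil || (st.PredicateType == "https://spdx.dev/Document" && doc["spdxVersion"] == nil) {
		return nil, "", fmt.Errorf("no SBOM document found under %s", layout)
	}
	return doc, layout, nil
}

func main() {
	doc, layout, err := ExtractSBOM([]byte(CosignLayout))
	fmt.Println(layout, doc["spdxVersion"], err)
}
```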