Support working with SLSA statements (without wrapping)
The SLSA attestation model [1] defines a "statement" as an in-toto attestation, e.g. "https://in-toto.io/Statement/v1" [2]. This statement contains both the predicate (e.g. "provenance" / "cyclonedx") and the "subject", which defines for which files the predicate holds. It would be great if the cosign tool could directly work with these JSON documents instead and just add the DSSEv1 envelope (plus key handling, Rekor uploading, ...).
The current version of cosign only allows working with raw predicates (--predicate), but these are wrapped into a https://cosign.sigstore.dev/attestation/v1 statement. The output then contains the original predicate in Predicate.Data, which hides it from tooling that works directly on the predicates.
Another alternative would be to split the cosign workflow into the certificate-fetching part and the upload-to-Rekor part. Then the creation of the DSSEv1 envelope (which is rather trivial) could be done by other tooling.
- [1] https://slsa.dev/attestation-model
- [2] https://github.com/in-toto/attestation/blob/main/protos/in_toto_attestation/v1/statement.proto