diff --git a/content/en/about/bundle.md b/content/en/about/bundle.md
new file mode 100644
index 00000000..2b2b4153
--- /dev/null
+++ b/content/en/about/bundle.md
@@ -0,0 +1,313 @@
+# Sigstore Bundle
+
+October 31, 2024
+
+Version 0.3.2
+
+This document describes the data structure for storing Sigstore signatures generated by tooling
+working in the context of the Sigstore Public Instance. It includes `json` examples of
+serialized bundles of the current bundle format version. It may exclude descriptions of parameters
+that continue to exist for compatibility reasons or for private use cases. For a full description of
+the format, the formal schema and information about language library support see
+[sigstore/protobuf-specs](https://github.com/sigstore/protobuf-specs).
+
+## Bundle
+
+A Sigstore bundle is everything required to verify a signature on an artifact. This
+is satisfied by the **Verification Material** and signature **Content**.
+
+### Verification Material
+
+This is key material used to verify signatures along with supporting metadata like transparency log entries and timestamps. When using short lived Fulcio certificates where verification may occur after the certificate has expired, bundles must include at least one transparency log's signed entry timestamp or an [RFC3161](https://www.ietf.org/rfc/rfc3161.txt) timestamp to provide proof that signing occured during the ceritificates validity window.
+
+#### Key Material
+
+##### X.509 certificate
+
+A single X.509 leaf certificate conveying the signing key and containing [extensions](https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md)
+for identities consumed at verification time. This is the recommended `"verificationMaterial"` type
+for use with the public Sigstore infrastructure.
+
+```json
+"verificationMaterial": {
+ "certificate": {
+ "rawBytes": ""
+ }
+}
+```
+
+##### Public Key Identifier
+
+A hint to identify an out of band delivered key to verify a signature. Like traditional PKI key distribution
+the format of the hint must be agreed upon out of band by the signer and the verifiers. The key itself is not embedded in the Sigstore bundle.
+
+```json
+"verificationMaterial": {
+ "publicKeyIdentifier": {
+ "hint": ""
+ }
+}
+```
+
+#### Transparency Log Entries
+
+One or more transparency logs entries to provide proof of inclusion in a public log and optionally a timestamp to
+validate signing occurred during ceritificate validity.
+
+```json
+"verificationMaterial": {
+ "tlogEntries": [
+ {
+ "logIndex": "",
+ "logId": {
+ "keyId": "",
+ },
+ "kindVersion": {
+ "kind": "(hashrekord | dsse)",
+ "version": ""
+ },
+ "integratedTime": "",
+ "inclusionPromise": {
+ "signedEntryTimestamp": ""
+ },
+ "inclusionProof": {
+ "logIndex": "",
+ "rootHash": "",
+ "treeSize": "",
+ "hashes": [
+ "",
+ "",
+ ""
+ ],
+ "checkpoint": {
+ "envelope": ""
+ }
+ },
+ "canonicalizedBody": ""
+ },
+ ]
+}
+```
+
+#### Timestamp
+
+Zero or more [RFC3161](https://www.ietf.org/rfc/rfc3161.txt) timestamps to validate signing occurred during ceritificate validity.
+
+```json
+"verificationMaterial": {
+ "timestampVerificationData": {
+ "rfc3161Timestamps": [
+ {
+ "signedTimestamp": "Base64(RFC3161 TIMESTAMP)"
+ },
+ ]
+ }
+}
+```
+
+
+### Content
+
+This is the signature data for which the Verification Material is defined over. It must be one of
+**Message Signature** over an artifact hash or a **DSSE** envelope for attestations.
+
+#### Message Signature
+
+This is a computed signature over a message (typically an arifact hash). It may contain a
+`message_digest` for informational purposes, but it must be provided or computed from a provided
+artifact at verification time.
+
+```json
+"messageSignature": {
+ "messageDigest": {
+ "algorithm": "",
+ "digest": ""
+ },
+ "signature": ""
+}
+```
+
+#### DSSE
+
+A DSSE envelope can contain arbitrary payloads. Currently Sigstore clients only process the
+payload type `"application/vnd.in-toto+json"`. Verifiers must verify that the payload type is a
+supported and expected type. DSSE envelopes contained in a Sigstore Bundle must only contain a
+single signature (the DSSE spec allows multiple).
+
+```json
+"dsseEnvelope": {
+ {
+ "payload": "",
+ "payloadType": "application/vnd.in-toto+json",
+ "signatures": [{
+ "keyid": "",
+ "sig": ""
+ }]
+ }
+}
+```
+
+## Examples
+
+Here are some example bundles from the Sigstore public infrastructure.
+
+#### Message Signature Bundle
+
+Bundle with Message Signature over an artifact ([sigstore-java-1.0.0.jar](https://repo1.maven.org/maven2/dev/sigstore/sigstore-java/1.0.0/sigstore-java-1.0.0.jar.sigstore.json)).
+This example includes a single transparency log entry with a signed entry timestamp for
+signing time verification.
+
+```json
+{
+ "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
+ "verificationMaterial": {
+ "tlogEntries": [{
+ "logIndex": "125680200",
+ "logId": {
+ "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="
+ },
+ "kindVersion": {
+ "kind": "hashedrekord",
+ "version": "0.0.1"
+ },
+ "integratedTime": "1724870676",
+ "inclusionPromise": {
+ "signedEntryTimestamp": "MEYCIQCAKWrmj0LZ77rfiMXEat9gCCJxX4pgQfZqNc+tvF7gaAIhAJFtyypsWCbLDJ+NAMzPoY1AkQ1inhhQ3pZC5PaBCI8C"
+ },
+ "inclusionProof": {
+ "logIndex": "3775938",
+ "rootHash": "nEpjeg/gaT1EOcKQAr3q/XGdnuKzLsf4UhgZrwtTU+8=",
+ "treeSize": "3775939",
+ "hashes": ["vNwG4wbIsTeCSn9JageqhtCb6VvgYEKSw3Xro8zMF3s=", "3Cue+tnRytahmzjIHIig4/fKMN9WAQmi/8g4Fdk6+8k=", "2EvX4swCFD/LILwJKa300/8gGp/NrdPRJmS5xD5vTKE=", "7hEYrEVIERVjsDqdu600HLZ8gNcv7a45T2PI6RSmuzQ=", "Uh7WsOJYvurV8PIbjfhlLyW+CP+/HENUKB4tooMfNZo=", "Qs+LtoqLx2sFhSJUuUlbJs13xTJzH7lVPpEKpXBZyvI=", "kM4w7ZLh5iktz4xR9ECXn9elEJIaqockScafEFL7ieY=", "LomN2mlfw+qbbFGvCNfr3vCBrZ4EU/lqnL4TO0yc9Zw=", "22569ZiSqZcajfTf9Ct4LFEWDtLlHeaTpoPCFqeZtWQ=", "QxmVWsbTp4cClxuAkuT51UH2EY7peHMVGKq7+b+cGwQ=", "Q2LAtNzOUh+3PfwfMyNxYb06fTQmF3VeTT6Fr6Upvfc=", "ftwAu6v62WFDoDmcZ1JKfrRPrvuiIw5v3BvRsgQj7N8="],
+ "checkpoint": {
+ "envelope": "rekor.sigstore.dev - 1193050959916656506\n3775939\nnEpjeg/gaT1EOcKQAr3q/XGdnuKzLsf4UhgZrwtTU+8\u003d\n\n— rekor.sigstore.dev wNI9ajBEAiA/TrOctVDd1vjn/IrzCU8Fm7mhUlJ2FN739iGpqMomHgIgRwwqXaijp0RRTgyRxYUsCZ6LFvewTTEyaPmO4vHKqgk\u003d\n"
+ }
+ },
+ "canonicalizedBody": "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"
+ }],
+ "certificate": {
+ "rawBytes": "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"
+ }
+ },
+ "messageSignature": {
+ "messageDigest": {
+ "algorithm": "SHA2_256",
+ "digest": "W+JvF3ejUaL3cOkdvOrgqqP24m6K0hjGrBbKp4Olqg0="
+ },
+ "signature": "MEUCIAlVM9GGEFWgWb2st+GEYUUJaMxFev1bW6MTsWdgbK5bAiEAoXXJNQACRF4o68LtWGoTWJeeszDkEveQka8T6+8Xy4A="
+ }
+}
+```
+
+
+#### DSSE Bundle
+Bundle with DSSE Envelope over a provenance attestation. This example includes a transparency log entry and an rfc3161 timestamp.
+
+```json
+{
+ "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.2",
+ "verificationMaterial": {
+ "x509CertificateChain": {
+ "certificates": [
+ {
+ "rawBytes": "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"
+ }
+ ]
+ },
+ "tlogEntries": [
+ {
+ "logIndex": "4288993",
+ "logId": {
+ "keyId": "9ybKo0EXupFlRK83NOkgzUxJLvdc5iKP3ATu/y8/J90="
+ },
+ "kindVersion": {
+ "kind": "intoto",
+ "version": "0.0.2"
+ },
+ "integratedTime": "1675209600",
+ "inclusionPromise": {
+ "signedEntryTimestamp": "MEQCIGkdiEwwfehfHGLM0qerjqUifnolYl8guuPHdBGUl2kSAiBeo/KfkIKVsCXAbn9hnsUhXSewAsAzfDGdIHsuloSpLw=="
+ },
+ "inclusionProof": {
+ "logIndex": "0",
+ "rootHash": "pc42iecujVMfPva3JcoWyQU9W6llYb+A2LsgE2O5pg0=",
+ "treeSize": "1",
+ "hashes": [],
+ "checkpoint": {
+ "envelope": "localhost:8000 - 124190645164477\n1\npc42iecujVMfPva3JcoWyQU9W6llYb+A2LsgE2O5pg0=\nTimestamp: 1675209600000000000\n\n— localhost:8000 9ybKozBGAiEAkhPYcKegqWJbVTaEYJHp0rpn3CZjmyqD2unDIfg5tEQCIQC5VNMY5qTG83VuWL2eEbEWhFF3WNWDuaM3PqbvtUXR4w==\n"
+ }
+ },
+ "canonicalizedBody": "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"
+ }
+ ],
+ "timestampVerificationData": {
+ "rfc3161Timestamps": [
+ {
+ "signedTimestamp": "MIICGzADAgEAMIICEgYJKoZIhvcNAQcCoIICAzCCAf8CAQMxDzANBglghkgBZQMEAgEFADB0BgsqhkiG9w0BCRABBKBlBGMwYQIBAQYJKwYBBAGDvzACMC8wCwYJYIZIAWUDBAIBBCCbcvRBlDfRbVwaBhmUQoOTcKS7XrFs5y6Tp/MDZ5tQNgIE3q2+7xgPMjAyMzAyMDEwMDAwMDBaMAMCAQECBEmWAtKgADGCAW8wggFrAgEBMCswJjEMMAoGA1UEAxMDdHNhMRYwFAYDVQQKEw1zaWdzdG9yZS5tb2NrAgECMA0GCWCGSAFlAwQCAQUAoIHVMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAcBgkqhkiG9w0BCQUxDxcNMjMwMjAxMDAwMDAwWjAvBgkqhkiG9w0BCQQxIgQgVzciL1SNrNN9mJ6Z3G1t4A7IPAjoVkXeFa91xuqRsAkwaAYLKoZIhvcNAQkQAi8xWTBXMFUwUwQgAA4hfcjNjQJC6U7kl1KxL3VHVkxZbFxM+eqk9sPXbJAwLzAqpCgwJjEMMAoGA1UEAxMDdHNhMRYwFAYDVQQKEw1zaWdzdG9yZS5tb2NrAgECMAoGCCqGSM49BAMCBEYwRAIgAqzpGF8YZrdyBJOGy2S/9qi7buQD6o51TvOGMKxAiagCIB8rI1sL9fFiY4LON6efkTvVxaFfHO5dJ1jKH+wO4jg+"
+ }
+ ]
+ }
+ },
+ "dsseEnvelope": {
+ "payload": "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",
+ "payloadType": "application/vnd.in-toto+json",
+ "signatures": [
+ {
+ "sig": "MEUCIE1FVy2z7JiDTAlOCjgWjpy0Psc/8wKhLyUYDU8+PorNAiEAocQ4ps8gBGD4d1ixw3LFV83hWNubDUvQvZBFIhC53qw=",
+ "keyid": ""
+ }
+ ]
+ }
+}
+```
+
+where the embedded attestation in the dsse envelope is
+```json
+{
+ "_type": "https://in-toto.io/Statement/v1",
+ "subject": [
+ {
+ "name": "d.txt",
+ "digest": {
+ "sha256": "330a043220fa13e01d68a7db39c89e12b0c4c3b6a0346fe624b0903f1303b5b2"
+ }
+ }
+ ],
+ "predicateType": "https://slsa.dev/provenance/v1",
+ "predicate": {
+ "buildDefinition": {
+ "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
+ "externalParameters": {
+ "workflow": {
+ "ref": "refs/heads/main",
+ "repository": "https://github.com/sigstore/sigstore-conformance",
+ "path": ".github/workflows/conformance.yml"
+ }
+ },
+ "internalParameters": {
+ "github": {
+ "event_name": "push",
+ "repository_id": "541893186",
+ "repository_owner_id": "71096353"
+ }
+ },
+ "resolvedDependencies": [
+ {
+ "uri": "git+https://github.com/sigstore/sigstore-conformance@refs/heads/main",
+ "digest": {
+ "gitCommit": "c5f5fb255163ed85ddb32d54dcdd710ac3f04603"
+ }
+ }
+ ]
+ },
+ "runDetails": {
+ "builder": {
+ "id": "https://github.com/actions/runner/github-hosted"
+ },
+ "metadata": {
+ "invocationId": "https://github.com/sigstore/sigstore-conformance/actions/runs/7173620910/attempts/1"
+ }
+ }
+ }
+}
+```