Example DSSE payload:
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
decodes to
{
"_type": "https://in-toto.io/Statement/v1",
"subject": [
{
"uri": "pkg:github/php/pie@1.3.0",
"digest": {
"sha1": "7ebc116a58d99e8cb0a24da841c7caa2b7d1e09f"
}
},
{
"name": "pie.phar",
"digest": {
"sha256": "0eaaed5d49534d5eb53cae637843035ed3e0b9957ebad8521f13717b06480bfc"
}
}
],
"predicateType": "https://in-toto.io/attestation/release/v0.1",
"predicate": {
"databaseId": "265373419",
"ownerId": "25158",
"packageId": "765049687",
"purl": "pkg:github/php/pie@1.3.0",
"releaseId": "765049687",
"repository": "php/pie",
"repositoryId": "765049687",
"tag": "1.3.0"
}
}
Note that the `predicateType` differs from that of a build provenance attestation; for comparison, here is an example build provenance statement:
{
"_type": "https://in-toto.io/Statement/v1",
"subject": [
{
"name": "pie.phar",
"digest": {
"sha256": "0eaaed5d49534d5eb53cae637843035ed3e0b9957ebad8521f13717b06480bfc"
}
}
],
"predicateType": "https://slsa.dev/provenance/v1",
"predicate": {
"buildDefinition": {
"buildType": "https://actions.github.io/buildtypes/workflow/v1",
"externalParameters": {
"workflow": {
"ref": "refs/tags/1.3.0",
"repository": "https://github.com/php/pie",
"path": ".github/workflows/continuous-integration.yml"
}
},
"internalParameters": {
"github": {
"event_name": "push",
"repository_id": "765049687",
"repository_owner_id": "25158",
"runner_environment": "github-hosted"
}
},
"resolvedDependencies": [
{
"uri": "git+https://github.com/php/pie@refs/tags/1.3.0",
"digest": {
"gitCommit": "3a2824243fce9051fb6b99430f7e14053e827495"
}
}
]
},
"runDetails": {
"builder": {
"id": "https://github.com/php/pie/.github/workflows/build-phar.yml@refs/tags/1.3.0"
},
"metadata": {
"invocationId": "https://github.com/php/pie/actions/runs/19697569681/attempts/1"
}
}
}
}
Note that, as of #14, the `\ThePhpFoundation\Attestation\Verification\VerifyAttestationWithOpenSsl::downloadAttestations` method is hard-coded to filter on `?predicate_type=provenance` (see the API docs: https://docs.github.com/en/rest/users/attestations?apiVersion=2022-11-28#list-attestations), so release attestations such as the one above are not returned by that call.