attestation: migrate emitted in-toto statements to v1 #6603
Open
crazy-max wants to merge 3 commits into moby:master from
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
follow-up:
Emit in-toto Statement v1 for attestations while keeping compatibility for decoding legacy v0.1 statements.

First adds a small local JSON compatibility wrapper around the in-toto v1 protobuf types and isolates `protojson` handling at the attestation boundary. Then switches the exporter-side attestation paths to use that wrapper for statement creation, marshaling, and unbundling.

Compatibility is preserved on the read path. The new wrapper still accepts legacy `https://in-toto.io/Statement/v0.1` JSON so bundled attestations and older fixtures can still be decoded. The write path always normalizes emitted statements to `https://in-toto.io/Statement/v1`.

It does not introduce a broader protobuf refactor across unrelated packages, and it doesn't add a new schema generation pipeline. The only new abstraction is the small attestation JSON wrapper that keeps the `protojson` requirement contained.

There are a few remaining `github.com/in-toto/in-toto-golang` usages outside the new wrapper path that are only used for constants or in tests, and those could be looked at as follow-up. The bigger remaining dependency on `in-toto-golang` is the SLSA provenance predicate modeling in the solver path, and switching that to `github.com/in-toto/attestation` would be a meaningfully larger protobuf-backed refactor that is better handled on its own.

Example: https://oci.dag.dev/?blob=crazymax/buildkit@sha256:7b1f485c470d4db8d7f244c369970b45a67f0ee92f52ac5f16fba09389649c11&mt=application%2Fvnd.in-toto%2Bjson&size=2249
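
The read/write rule described above (accept legacy v0.1 or v1 on decode, always emit v1), shown as an added example that is not code from this PR. It uses plain `encoding/json` instead of the protobuf types and `protojson` that the PR wraps; `statementType`, `normalizeToV1`, the subject-digest check and the sample statement are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const ( // statement type URIs quoted in the PR description
	typeV01 = "https://in-toto.io/Statement/v0.1"
	typeV1  = "https://in-toto.io/Statement/v1"
)

// statementType returns the _type field of a JSON statement.
func statementType(raw []byte) (string, error) {
	var hdr struct{ Type string `json:"_type"` }
	err := json.Unmarshal(raw, &hdr)
	return hdr.Type, err
}

// normalizeToV1 (hypothetical) re-emits a v0.1 or v1 statement as v1, other fields unchanged.
func normalizeToV1(raw []byte) ([]byte, error) {
	typ, err := statementType(raw)
	if err != nil {
		return nil, fmt.Errorf("decode statement: %w", err)
	}
	if typ != typeV01 && typ != typeV1 {
		return nil, fmt.Errorf("unsupported statement type %q", typ)
	}
	var fields map[string]json.RawMessage
	if err := json.Unmarshal(raw, &fields); err != nil {
		return nil, err
	}
	// Example policy: never relabel a statement that binds no artifact digest.
	var subjects []struct{ Digest map[string]string `json:"digest"` }
	if json.Unmarshal(fields["subject"], &subjects) != nil || len(subjects) == 0 {
		return nil, fmt.Errorf("statement has no subject")
	}
	for i, s := range subjects {
		if len(s.Digest) == 0 {
			return nil, fmt.Errorf("subject %d has no digest", i)
		}
	}
	fields["_type"], _ = json.Marshal(typeV1)
	return json.Marshal(fields)
}

func main() { // constructed legacy statement, not taken from the PR
	out, err := normalizeToV1([]byte(`{"_type":"https://in-toto.io/Statement/v0.1","subject":[{"name":"app","digest":{"sha256":"aa11"}}],"predicateType":"https://spdx.dev/Document","predicate":{}}`))
	fmt.Println(string(out), err)
}
```

Rewriting only `_type` on a raw field map keeps subject fields that a narrower struct would silently drop, and an unknown or missing `_type` is rejected instead of being relabeled as v1.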