
CICD: Add SLSA build attestation to release workflow #3563


Status: Closed (1 commit)

Conversation

@eliheady eliheady commented May 4, 2025

This adds a new workflow job to the release drafter workflow that calls the generic SLSA builder in the SLSA Framework project.

The draft_release job is modified to include a new step to generate sha256 digests according to the expected input of the SLSA builder.

The release assets will include a new file called multiple.intoto.jsonl that can be used to verify the build artifacts against the recorded digests. This is what it will look like on the releases page:

[Screenshot 2025-05-04 7:36:30 AM: releases page with multiple.intoto.jsonl among the assets]

This was tested in a private fork because I didn't want to introduce any confusion around DNSControl releases in the public Rekor logs. I will give read access to interested reviewers.

Example artifacts are attached. Manual verification steps:

checksums.txt
multiple.intoto.jsonl.txt

Note: the attestation document has been renamed just for attaching to this issue; GitHub blocks jsonl (?)

slsa-verifier verify-artifact \
  --provenance-path multiple.intoto.jsonl.txt \
  --source-uri github.com/eliheady/nodnsctrlo \
  --source-tag v4.19.0-slsa checksums.txt
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.1.0" at commit 12d7c7f89c902899a290dd9c6bbe3d37cb78ba97
Verifying artifact checksums.txt: PASSED

PASSED: SLSA verification passed

Release changelog section

  • CICD: Add SLSA build attestation to release workflow
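The PR description above covers two things a consumer cares about: how the draft_release job turns dist/ into the sha256 digest list the generic SLSA generator expects (its base64-subjects input is the sha256sum output, base64-encoded), and how the subjects recorded in the provenance are later compared against downloaded artifacts. The following is an added example that is not code from this PR or from DNSControl: it builds a throwaway dist/ with constructed file names and contents, produces the checksum list and its base64 form, wraps the digests in a constructed in-toto statement (predicate left empty), then tampers with one file and adds an unattested one before re-checking. Signature and builder identity checks are deliberately left to slsa-verifier; this only does the digest comparison.

```python
import base64
import hashlib
import hmac
import os
import tempfile

# Constructed release assets for the example; not real DNSControl artifacts.
SAMPLE_DIST = {
    "dnscontrol_linux_amd64.tar.gz": b"constructed tarball bytes",
    "dnscontrol_windows_amd64.zip": b"constructed zip bytes",
}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def checksums_txt(dist_dir: str) -> str:
    """sha256sum-style "<hex>  <name>" lines for each regular file, sorted by name."""
    lines = []
    for name in sorted(os.listdir(dist_dir)):
        path = os.path.join(dist_dir, name)
        if os.path.isfile(path):
            lines.append(f"{sha256_file(path)}  {name}")
    return "\n".join(lines) + "\n"


def base64_subjects(checksums: str) -> str:
    """What generator_generic_slsa3.yml takes as base64-subjects: base64(sha256sum output)."""
    return base64.b64encode(checksums.encode()).decode()


def parse_checksums(checksums: str) -> dict:
    """Inverse of checksums_txt: name -> hex digest."""
    out = {}
    for line in checksums.splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            out[name] = digest
    return out


def provenance_subjects(statement: dict) -> dict:
    """name -> sha256 hex from the subject list of an in-toto statement (v0.1 or v1)."""
    if statement.get("_type") not in ("https://in-toto.io/Statement/v0.1",
                                      "https://in-toto.io/Statement/v1"):
        raise ValueError(f"not an in-toto statement: {statement.get('_type')!r}")
    return {s["name"]: s["digest"]["sha256"] for s in statement["subject"]}


def verify_artifacts(dist_dir: str, statement: dict) -> dict:
    """Compare every file in dist_dir with the subjects the provenance recorded.

    Returns name -> PASSED | MISMATCH | MISSING | NOT IN PROVENANCE. Anything other
    than PASSED for an artifact you intend to run means it is not covered by the
    attestation and should not be trusted on the strength of it.
    """
    expected = provenance_subjects(statement)
    results = {}
    for name, digest in expected.items():
        path = os.path.join(dist_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_file(path), digest):
            results[name] = "PASSED"
        else:
            results[name] = "MISMATCH"
    for name in sorted(os.listdir(dist_dir)):
        if name not in expected and os.path.isfile(os.path.join(dist_dir, name)):
            results[name] = "NOT IN PROVENANCE"  # shipped alongside, never attested
    return results


def demo() -> dict:
    """Build a throwaway dist/, record its digests, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as dist:
        for name, body in SAMPLE_DIST.items():
            with open(os.path.join(dist, name), "wb") as f:
                f.write(body)
        sums = checksums_txt(dist)
        # The workflow would hand this string to the generator's base64-subjects input.
        assert base64.b64decode(base64_subjects(sums)).decode() == sums
        # Constructed statement with the subject shape the generator records; the
        # real predicate (builder, source repo, materials) is omitted here.
        statement = {
            "_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": n, "digest": {"sha256": d}}
                        for n, d in parse_checksums(sums).items()],
            "predicateType": "https://slsa.dev/provenance/v1",
            "predicate": {},
        }
        # Simulate post-attestation tampering plus an extra, unattested asset.
        with open(os.path.join(dist, "dnscontrol_windows_amd64.zip"), "ab") as f:
            f.write(b"!")
        with open(os.path.join(dist, "extra.bin"), "wb") as f:
            f.write(b"not attested")
        return verify_artifacts(dist, statement)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:18} {name}")
```

In the real flow the subject list comes out of the signed DSSE payload in multiple.intoto.jsonl, so the digest comparison only means something after slsa-verifier has checked the envelope signature and the builder identity; the "NOT IN PROVENANCE" case is the one worth watching on a release page, since an asset uploaded after the attestation ran looks identical to an attested one.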

@eliheady eliheady marked this pull request as ready for review May 4, 2025 15:04
eliheady commented May 4, 2025

This resolves #3468

tlimoncelli commented

I don't know much about SLSA but know that this kind of thing is important. Thanks for the PR!

I'd like advice on how to bring this into production.

eliheady commented May 5, 2025

Full transparency, I'm not a GHA or SLSA expert. But there wasn't much to it. I merged something (nearly the same as) this PR into main to make the workflow changes take effect, then pushed a new tag which triggers the normal release flow. The attestation step runs after the build is finished and sha256 digests produced at the end of the draft_release job.

I don't think it is necessary to follow the way I did it -- it could be tested before including it in a real release. Since this is not a new workflow, I believe as long as the workflow changes are included in the tag that the release is built from you could experiment without an official release. For instance, I guess you could create a v0.0.0-test-slsa tag from this commit, which should trigger the release workflow because its tag pattern would match. The draft release that gets created should have the multiple.intoto.jsonl document attached once the slsa job runs.

I'll try out that test procedure to make sure I am not wasting your time :)

@eliheady eliheady force-pushed the elih-slsa-provenance branch from da12da1 to 06ecb5c May 5, 2025 15:55
* add SLSA generator call after release step

* add SLSA info and verification doc

* add SLSA badge to Readme

* Fix attestation doc filename, limit digest generation to files below dist/
@eliheady eliheady force-pushed the elih-slsa-provenance branch from 06ecb5c to 643b8be May 5, 2025 17:20

eliheady commented May 5, 2025

I confirmed the test plan I loosely outlined does work to initiate the modified workflow. This could be used if you want to test the revised release steps and confirm the attestation document is produced as expected.

git tag v0.0.0-test-slsa 643b8be7dfa85ec984a521cc17f25da6c1dc0f13
git push --tags

643b8be is the rebased squashed commit I just pushed to this PR branch.

Then review GH Actions for new workflow stages:
[Screenshot 2025-05-05 1:25:22 PM: GitHub Actions run showing the new workflow stages]

Then you could cancel or let it finish and review the attestation document as desired. If you let it run, the SLSA builder in the called workflow will submit the attestation to the public Rekor log, so there will be a history and signed digests associated with the unpublished release. I don't think that should matter, I just wanted to point it out.

eliheady commented May 5, 2025

Well, I apologize for the noise here. That test run in the private fork failed during the called SLSA workflow. I am investigating. I probably missed something when I was rebasing on the upstream main.

eliheady commented May 5, 2025

https://github.com/eliheady/nodnsctrlo/actions/runs/14842598300 is a successful test release of this PR (plus the required one-line change for running against a private repo). I am leaving that test fork private because I'm not comfortable producing builds and a public release alongside the official releases of the project.

As mentioned in #3468, this change doesn't produce SLSA attestation for the container images. I intend to make further changes to include that (if possible) in the same release workflow. If you'd prefer to wait to merge this until the docker images are also covered, it's fine with me to move this to draft status or sit on it. Also ok by me to have this merged when you are inclined to do so, with or without the container portion. I will work on it sometime this week either way.

I appreciate you taking the time to consider this Tom!

tlimoncelli commented

I ran it as v0.0.0... and it created a separate release. Is that intended? I'd rather have it as part of the main release.

[Screen capture 2025-05-05 15:49:07: separate release created by the test run]

The json is:

{
  "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
  "verificationMaterial": {
    "certificate": {
      "rawBytes": "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"
    },
    "tlogEntries": [
      {
        "logIndex": "207027270",
        "logId": {
          "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="
        },
        "kindVersion": {
          "kind": "dsse",
          "version": "0.0.1"
        },
        "integratedTime": "1746473235",
        "inclusionPromise": {
          "signedEntryTimestamp": "MEYCIQDIe++MahjKO5aZTvx3wtg7LdMxzac1Bwgml8PWHZvyzQIhAN1z57FBJfDaifWz5iXJE/n1i/GjaEW4LrC8wN53LZBl"
        },
        "inclusionProof": {
          "logIndex": "85123008",
          "rootHash": "yJ2yjwJzo2aDerhBkeLmT5oeooBnpVMw5HL6wz8FgeE=",
          "treeSize": "85123009",
          "hashes": [
            "Fe2f15hQTgm0oPP9VzuHPXUTXPOrQTnEldP9G+eRArQ=",
            "w+qAx2hgmVb+aS/X9uiw/ByYJKT2Pxw8RwSmbnYCgek=",
            "Pb/Z333s+bObMbyjoTXfyhD6YGMCC5ePtf4nI1qdC5Y=",
            "sveCbECGAMq/SuZET1Q7/ghrZZAPygh0HKn7wXcDnnw=",
            "vpGBUZyf35w04rMXD4KOPch1szLCF3hQ1ZjRHhML5qs=",
            "BBKiC8nvnANu3P/QSPB2vaa0EaPt5hbX1fqxYJs0fIw=",
            "STRiT5znScYqqjbHUoeSCDancp9yMA1GQyruLcyC0WU=",
            "F2Bk+eQOO/Lqk4MbWWqMLxaniv0cn5DVaH8uShdTvwU=",
            "TEPT8U+UTUa2fotX22CflObssrAOIfxDI3yfjgJhOxU=",
            "0nA3rRXKCPnwIXraGuhSLUXUoR3Z/pZWazoHDwFyFpQ=",
            "wPskhmu15ftxHjrzbc1mbR7g3XCKtM52kdXHazaWvH4=",
            "++1LMuz3tIdW1/pfEfhPfXC4ot1AwDAXDcPyfibzGyc=",
            "7v8qPHNDLerpduaMx06eb/MwgoQwczTn/cYGKX/9wZ4="
          ],
          "checkpoint": {
            "envelope": "rekor.sigstore.dev - 1193050959916656506\n85123009\nyJ2yjwJzo2aDerhBkeLmT5oeooBnpVMw5HL6wz8FgeE=\n\n— rekor.sigstore.dev wNI9ajBFAiBV3DRyH5wBEWCGIvGmB3BrOdEsqEc+iUM2GVVaetCvvwIhAOhHdOcEd2XNwE6xlcOU5X50xXlzfwsmCmhalHipr8qc\n"
          }
        },
        "canonicalizedBody": "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"
      }
    ]
  },
  "dsseEnvelope": {
    "payload": "",
    "payloadType": "application/vnd.in-toto+json",
    "signatures": [
      {
        "sig": "MEUCIQDPI4u/4ZaX1QrE0XZIHH5WDkSQvsr1VZOHf1QCz23vBQIgS9zW5NMkctY5mzMn8Q4/Qm6KtxcsK1NKGqng0B0HJ4g="
      }
    ]
  }
}
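The bundle pasted above is a Sigstore bundle wrapping a DSSE envelope plus a Rekor transparency-log entry, and the detail worth noticing is that its dsseEnvelope.payload is empty, so the signature attests nothing. The following is an added example that is not code from this PR, from DNSControl, or from Sigstore: it does the structural checks a verifier performs before any cryptography (media type, in-toto payload type, non-empty payload with subjects, log entry kind, the inclusion proof's treeSize and rootHash agreeing with the embedded checkpoint, leaf index inside the tree) and builds the DSSE pre-authentication encoding (PAE), which is the byte string the envelope signature actually covers. SAMPLE_BUNDLE is a constructed stand-in with placeholder certificate, hashes and signature values; only its log index, tree size and integrated time are copied from the page. Certificate chain, signature and Merkle proof verification are left to slsa-verifier or cosign.

```python
import base64
import json
from datetime import datetime, timezone

IN_TOTO = "application/vnd.in-toto+json"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: the bytes the envelope signature covers."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def parse_checkpoint(envelope: str) -> dict:
    """Rekor checkpoint (signed note): origin, tree size, root hash, blank line, signatures."""
    body, _, sigs = envelope.partition("\n\n")
    origin, size, root = body.split("\n")[:3]
    return {"origin": origin, "tree_size": int(size), "root_hash": root,
            "signatures": [line for line in sigs.splitlines() if line]}


def check_bundle(bundle: dict) -> dict:
    """Structural checks on a Sigstore bundle; findings == [] means the shape is sane."""
    findings = []
    if not bundle.get("mediaType", "").startswith("application/vnd.dev.sigstore.bundle"):
        findings.append("unexpected mediaType")
    env = bundle.get("dsseEnvelope", {})
    if env.get("payloadType") != IN_TOTO:
        findings.append("payloadType is not in-toto")
    payload = base64.b64decode(env.get("payload", ""))
    subjects = {}
    if not payload:
        findings.append("empty DSSE payload: the signature attests nothing")
    else:
        statement = json.loads(payload)
        subjects = {s["name"]: s["digest"]["sha256"] for s in statement.get("subject", [])}
        if not subjects:
            findings.append("statement has no subjects")
    if not env.get("signatures"):
        findings.append("no signatures in envelope")
    entries = bundle.get("verificationMaterial", {}).get("tlogEntries", [])
    if not entries:
        findings.append("no transparency log entry")
    integrated = []
    for e in entries:
        if e.get("kindVersion", {}).get("kind") != "dsse":
            findings.append(f"unexpected entry kind {e.get('kindVersion')}")
        proof = e["inclusionProof"]
        cp = parse_checkpoint(proof["checkpoint"]["envelope"])
        if cp["tree_size"] != int(proof["treeSize"]) or cp["root_hash"] != proof["rootHash"]:
            findings.append("inclusion proof disagrees with its checkpoint")
        if not 0 <= int(proof["logIndex"]) < int(proof["treeSize"]):
            findings.append("leaf index outside the checkpointed tree")
        integrated.append(
            datetime.fromtimestamp(int(e["integratedTime"]), tz=timezone.utc).isoformat())
    return {"findings": findings, "subjects": subjects,
            "signed_bytes": pae(env.get("payloadType", ""), payload),
            "integrated_time": integrated}


# Constructed statement and bundle: placeholder certificate, hashes and signatures.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "checksums.txt", "digest": {
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {},
}
SAMPLE_ROOT = "Q29uc3RydWN0ZWRSb290SGFzaA=="  # placeholder, not a real root hash
SAMPLE_BUNDLE = {
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "verificationMaterial": {
        "certificate": {"rawBytes": "constructed-not-a-certificate"},
        "tlogEntries": [{
            "logIndex": "207027270",
            "kindVersion": {"kind": "dsse", "version": "0.0.1"},
            "integratedTime": "1746473235",
            "inclusionProof": {
                "logIndex": "85123008", "rootHash": SAMPLE_ROOT, "treeSize": "85123009",
                "hashes": [],  # real proofs carry ~27 sibling hashes for a tree this size
                "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n"
                               "85123009\n" + SAMPLE_ROOT + "\n\n"
                               "\u2014 rekor.sigstore.dev constructed-signature\n"},
            },
        }],
    },
    "dsseEnvelope": {
        "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
        "payloadType": IN_TOTO,
        "signatures": [{"sig": "constructed-signature"}],
    },
}


def with_empty_payload() -> dict:
    """Reproduce the shape pasted above: a bundle whose DSSE payload is empty."""
    b = json.loads(json.dumps(SAMPLE_BUNDLE))
    b["dsseEnvelope"]["payload"] = ""
    return check_bundle(b)


if __name__ == "__main__":
    print(check_bundle(SAMPLE_BUNDLE)["findings"])   # []
    print(with_empty_payload()["findings"])
```

The PAE matters because a verifier must sign and check `DSSEv1 <len> <type> <len> <payload>` rather than the raw payload; feeding the raw JSON to a signature check is the classic way to get a false negative with otherwise valid bundles. The checkpoint cross-check catches a bundle whose inclusion proof was stitched onto a different tree head than the one the log actually signed.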

eliheady commented May 5, 2025

Hm. A separate release is not the intention. I have reproduced it though, and I'm afraid I just missed that it does this: in my testing I was not consistently deleting the draft releases and it seems the called workflow can reuse a release under some circumstances (that I can't characterize further at the moment). This is obviously not ready for inclusion in the project. I will do some research on this problem.

@eliheady eliheady marked this pull request as draft May 5, 2025 20:31
tlimoncelli commented

Sounds good!

eliheady commented

Minor update: I have been working on a different approach using the GitHub attest-build-provenance action, which is also SLSA level 3 compliant if implemented with a reusable workflow.

I think the SLSA builder approach in this current PR is going to be more challenging to implement correctly and has more potential to break. Both goreleaser and the SLSA framework project generator_generic_slsa3.yml create releases, making the duplicate release issue more likely.

The GitHub provenance generator might be a better long-term solution anyway because it is integrated with the GitHub platform. There is not much different for consumers of the attestations (use gh instead of slsa-verifier for local verification).

eliheady commented Jun 5, 2025

I'll be unable to work on DNSControl until sometime later this Summer, so I am going to close this. I don't want to discourage anyone else that wants to take it up in the meantime.

@eliheady eliheady closed this Jun 5, 2025