Closed
Description
We recently upgraded our dependency from github.com/in-toto/in-toto-golang/in_toto to github.com/in-toto/attestation/go/v1. While migrating, we encountered a breaking change related to the predicateType field in the Statement struct.
In the previous version (github.com/in-toto/in-toto-golang/in_toto), the StatementHeader struct was defined as:
```go
type StatementHeader struct {
	Type          string    `json:"_type"`
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
}
```
In the new version (github.com/in-toto/attestation/go/v1), the Statement struct is defined as:
```go
type Statement struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	Type          string              `protobuf:"bytes,1,opt,name=type,json=_type,proto3" json:"type,omitempty"`
	Subject       []*ResourceDescriptor `protobuf:"bytes,2,rep,name=subject,proto3" json:"subject,omitempty"`
	PredicateType string              `protobuf:"bytes,3,opt,name=predicate_type,json=predicateType,proto3" json:"predicate_type,omitempty"`
	Predicate     *structpb.Struct    `protobuf:"bytes,4,opt,name=predicate,proto3" json:"predicate,omitempty"`
}
```
With this, when we try to run the cosign verification command, it throws an error:
```
cosign verify-blob-attestation --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets --signature sig --type slsaprovenance --check-claims=false /dev/null
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the blob attestation.
Error: invalid predicate type, expected slsaprovenance got
main.go:74: error during command execution: invalid predicate type, expected slsaprovenance got
```
This is because the payload has predicate_type instead of predicateType.
Reference link for the chains update: https://github.com/tektoncd/chains/pull/1111/files#diff-44a01d12a6c7c8d0b69c0e0c1773b23312d82ee4de20166c37f75a66823a026fL3
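The following is an added, self-contained example (not code from in-toto, Tekton Chains or cosign) that reproduces the mechanism behind the error above using only the Go standard library. It copies just the `json:"..."` tags of the two struct definitions quoted in the issue (the protoimpl bookkeeping fields, `Subject` and `Predicate` types are simplified), marshals both with `encoding/json`, and then runs a verifier-side check that reads the `predicateType` key the in-toto Statement spec requires. The expected predicate type URI and the subject name are constructed sample values, and `CheckPredicateType` mirrors only the shape of cosign's check, not its exact implementation.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// LegacyStatementHeader copies the json tags of in-toto-golang's
// StatementHeader. Subject is reduced to a plain map so the example
// needs nothing outside the standard library (simplification).
type LegacyStatementHeader struct {
	Type          string              `json:"_type"`
	PredicateType string              `json:"predicateType"`
	Subject       []map[string]string `json:"subject"`
}

// ProtoStyleStatement copies only the json tags of the generated
// attestation/go/v1 Statement; the protoimpl fields and the structpb
// predicate are left out (simplification for this example).
type ProtoStyleStatement struct {
	Type          string              `json:"type,omitempty"`
	Subject       []map[string]string `json:"subject,omitempty"`
	PredicateType string              `json:"predicate_type,omitempty"`
	Predicate     map[string]any      `json:"predicate,omitempty"`
}

// EncodeLegacy serializes with encoding/json, which honours the
// camelCase tag and therefore emits the key "predicateType".
func EncodeLegacy(predicateType string) ([]byte, error) {
	return json.Marshal(LegacyStatementHeader{
		Type:          "https://in-toto.io/Statement/v1",
		PredicateType: predicateType,
		Subject:       []map[string]string{{"name": "constructed-artifact"}},
	})
}

// EncodeProtoStyle serializes the proto-derived struct with encoding/json.
// encoding/json reads only the json:"..." tag, never the protobuf tag,
// so the emitted key is "predicate_type".
func EncodeProtoStyle(predicateType string) ([]byte, error) {
	return json.Marshal(ProtoStyleStatement{
		Type:          "https://in-toto.io/Statement/v1",
		Subject:       []map[string]string{{"name": "constructed-artifact"}},
		PredicateType: predicateType,
	})
}

// PredicateTypeOf reads the "predicateType" key mandated by the in-toto
// Statement spec. A missing key yields "" rather than an error, which is
// the "expected slsaprovenance got <empty>" situation from the issue.
func PredicateTypeOf(payload []byte) (string, error) {
	var generic map[string]json.RawMessage
	if err := json.Unmarshal(payload, &generic); err != nil {
		return "", fmt.Errorf("statement is not a JSON object: %w", err)
	}
	raw, ok := generic["predicateType"]
	if !ok {
		return "", nil
	}
	var pt string
	if err := json.Unmarshal(raw, &pt); err != nil {
		return "", fmt.Errorf("predicateType is not a string: %w", err)
	}
	return pt, nil
}

// HasSnakeCasePredicateType flags a payload carrying "predicate_type" but
// no "predicateType": the fingerprint of a proto-generated struct that was
// marshalled with encoding/json instead of protojson.
func HasSnakeCasePredicateType(payload []byte) bool {
	var generic map[string]json.RawMessage
	if err := json.Unmarshal(payload, &generic); err != nil {
		return false
	}
	_, snake := generic["predicate_type"]
	_, camel := generic["predicateType"]
	return snake && !camel
}

// CheckPredicateType mirrors the shape of the verifier check that failed in
// the issue: the payload's predicateType must equal the expected value.
func CheckPredicateType(payload []byte, expected string) error {
	got, err := PredicateTypeOf(payload)
	if err != nil {
		return err
	}
	if got != expected {
		return fmt.Errorf("invalid predicate type, expected %s got %s", expected, got)
	}
	return nil
}

func main() {
	const want = "https://slsa.dev/provenance/v1" // constructed example URI
	legacy, _ := EncodeLegacy(want)
	proto, _ := EncodeProtoStyle(want)
	fmt.Println(string(legacy))
	fmt.Println(string(proto))
	fmt.Println("legacy check:", CheckPredicateType(legacy, want))
	fmt.Println("proto-style check:", CheckPredicateType(proto, want))
	fmt.Println("snake_case key present:", HasSnakeCasePredicateType(proto))
}
```

Running it shows the legacy payload passing and the proto-style payload failing with an empty "got", exactly the symptom in the issue. For the real generated `v1.Statement`, the serialization path that produces the spec's `predicateType` key is `protojson.Marshal` from google.golang.org/protobuf/encoding/protojson, which uses the `json=` name from the protobuf tag; `HasSnakeCasePredicateType` is a cheap check a verifier or CI step can run on DSSE payloads to catch attestations produced through the wrong marshaller before they reach signing.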