Define intoto v1.0 statement type

[chuangw6]

As discussed in slsa-framework/slsa#918, SLSA v1 predicate is supposed to be wrapped in intoto v1.0 statement.

Therefore, I suppose there should be a const defined for intoto v1.0 statement type i.e. StatementInTotoV10, but there appears to be none.

in-toto-golang/in_toto/attestations.go

Lines 10 to 22 in 8a5dc9e

	const (
	// StatementInTotoV01 is the statement type for the generalized link format
	// containing statements. This is constant for all predicate types.
	StatementInTotoV01 = "https://in-toto.io/Statement/v0.1"
	// PredicateSPDX represents a SBOM using the SPDX standard.
	// The SPDX mandates 'spdxVersion' field, so predicate type can omit
	// version.
	PredicateSPDX = "https://spdx.dev/Document"
	// PredicateCycloneDX represents a CycloneDX SBOM
	PredicateCycloneDX = "https://cyclonedx.org/bom"
	// PredicateLinkV1 represents an in-toto 0.9 link.
	PredicateLinkV1 = "https://in-toto.io/Link/v1"
	)

[chuangw6]

cc @adityasaky @marcelamelara

[marcelamelara]

@chuangw6 Thanks for this issue! We've been discussing that this should be addressed as part of a larger effort to transition in-toto-golang towards the Go implementation of attestations, which includes this const (and would also address #260). Do you have the availability to work on importing the new attestation library yourself?

[adityasaky]

I think this isn't fully resolved until we pull in pb layers?

[pxp928]

Yes, seems to have auto-completed via #267

[marcelamelara]

My interpretation of this issue is that @chuangw6 was only looking for const definition for the statement type. But I agree that the ultimate goal is to be able to generate predicates/statements from the pbs. I should have some cycles to work on that this week.

[chuangw6]

My interpretation of this issue is that @chuangw6 was only looking for const definition for the statement type.

Yes, that's the intention of this ticket.

I should have some cycles to work on that this week.

Thank you @marcelamelara for taking care of this. Sorry for the delay. I recently transferred teams and got quite busy with handoff and onboarding, and in future I will be no longer working on open source projects. Someone else from Tekton side will be communicating with in-toto on the topic of attestation in future.

Thank again!