From 510bfa01b9cef8f4a58ab42d271f6e6ec099fb91 Mon Sep 17 00:00:00 2001
From: Mathias Beaulieu-Duncan
Date: Mon, 2 Feb 2026 10:21:39 -0500
Subject: [PATCH] Fix provenance: pass only predicate to cosign, not full in-toto statement
cosign attest --type slsaprovenance expects the predicate JSON only (builder, buildType, invocation, metadata). It wraps it in the in-toto statement envelope itself. Passing the full statement caused cosign to look for builder at the wrong nesting level.
Ref: https://github.com/sigstore/cosign/issues/3757
Co-Authored-By: Claude Opus 4.5
---
 .gitea/workflows/publish.yaml | 26 ++++++++------------------
 .gitea/workflows/rebuild.yaml | 26 ++++++++------------------
 .gitea/workflows/update-check.yaml | 26 ++++++++------------------
 3 files changed, 24 insertions(+), 54 deletions(-)
diff --git a/.gitea/workflows/publish.yaml b/.gitea/workflows/publish.yaml
index 7173023..905d800 100644
--- a/.gitea/workflows/publish.yaml
+++ b/.gitea/workflows/publish.yaml
@@ -150,12 +150,7 @@ jobs:
 COSIGN_YES: "true"
 run: |
 IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
- DIGEST_SHA=$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')
 jq -n \
- --arg type "https://in-toto.io/Statement/v0.1" \
- --arg predType "https://slsa.dev/provenance/v0.2" \
- --arg name "${{ steps.publish.outputs.image_versioned }}" \
- --arg sha "$DIGEST_SHA" \
 --arg builder "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
 --arg buildType "https://apko.dev/build/v1" \
 --arg uri "${{ github.server_url }}/${{ github.repository }}" \
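Review bot: `builder.id` is built from the per-run URL (`.../actions/runs/${{ github.run_id }}`) on the `--arg builder` context line, so every run yields a different builder identity and any downstream policy that pins a trusted builder by matching `builder.id` (a `cosign verify-attestation` predicate check, slsa-verifier style rules) has nothing stable to match. SLSA v0.2 intends `builder.id` to identify the build platform or workflow, with the run-specific value carried in `metadata.buildInvocationID`, which this predicate already sets from `github.run_id`. A stable value such as `--arg builder "${{ github.server_url }}/${{ github.repository }}/.gitea/workflows/publish.yaml" \` (or one derived from `github.workflow_ref`, if the Gitea runner populates it) would let verifiers enforce "built by this workflow". The `run:` step continues past the end of this hunk.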
@@ -163,19 +158,14 @@ jobs:
 --arg entry "${{ matrix.config }}" \
 --arg runId "${{ github.run_id }}" \
 '{
- "_type": $type,
- "predicateType": $predType,
- "subject": [{"name": $name, "digest": {"sha256": $sha}}],
- "predicate": {
- "builder": {"id": $builder},
- "buildType": $buildType,
- "invocation": {
- "configSource": {"uri": $uri, "digest": {"sha1": $sha1}, "entryPoint": $entry}
- },
- "metadata": {
- "buildInvocationID": $runId,
- "completeness": {"parameters": true, "environment": true, "materials": true}
- }
+ "builder": {"id": $builder},
+ "buildType": $buildType,
+ "invocation": {
+ "configSource": {"uri": $uri, "digest": {"sha1": $sha1}, "entryPoint": $entry}
+ },
+ "metadata": {
+ "buildInvocationID": $runId,
+ "completeness": {"parameters": true, "environment": true, "materials": true}
 }
 }' > /tmp/provenance.json
 cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
diff --git a/.gitea/workflows/rebuild.yaml b/.gitea/workflows/rebuild.yaml
index 01ba040..f22cf36 100644
--- a/.gitea/workflows/rebuild.yaml
+++ b/.gitea/workflows/rebuild.yaml
@@ -149,12 +149,7 @@ jobs:
 COSIGN_YES: "true"
 run: |
 IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
- DIGEST_SHA=$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')
 jq -n \
- --arg type "https://in-toto.io/Statement/v0.1" \
- --arg predType "https://slsa.dev/provenance/v0.2" \
- --arg name "${{ steps.publish.outputs.image_versioned }}" \
- --arg sha "$DIGEST_SHA" \
 --arg builder "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
 --arg buildType "https://apko.dev/build/v1" \
 --arg uri "${{ github.server_url }}/${{ github.repository }}" \
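Review bot: The added `"completeness": {"parameters": true, "environment": true, "materials": true}` line asserts completeness for three things the predicate never records — the new object has no `invocation.parameters`, no `invocation.environment` and no top-level `materials` list at all — so a consumer that honours those flags is told an empty material set is exhaustive. Completeness flags are claims a verifier may act on, not decoration; either set them to `false` until the data is actually captured, or populate `materials` (e.g. the resolved apko package set with digests) and `invocation.parameters` from the real build inputs. The minimal honest change is `"completeness": {"parameters": false, "environment": false, "materials": false}`. The shell step this filter belongs to starts before this hunk.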
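Review bot: The surviving `IMAGE_DIGEST=...` and `--arg` context lines still splice `${{ }}` expression values (`secrets.REGISTRY_URL`, `env.IMAGE_NAME`, `steps.publish.outputs.digest`, `github.*`) directly into the shell text of the `run:` block, which is the script-injection shape in Actions-style workflows: a value containing a `"` or `$(` is executed, not quoted. These particular values are probably not attacker-controlled, but the step already carries an `env:` block (`COSIGN_YES`) and `IMAGE_NAME` is evidently already an environment variable, so the safe form costs nothing: add `REGISTRY_URL: ${{ secrets.REGISTRY_URL }}` and `IMAGE_DIGEST_REF: ${{ steps.publish.outputs.digest }}` to `env:` and write `IMAGE_DIGEST="${REGISTRY_URL}/${IMAGE_NAME}@${IMAGE_DIGEST_REF}"`, then do the same for the `--arg` values. Only part of the step's `env:` block is visible here, so some of these may already exist.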
@@ -162,19 +157,14 @@ jobs:
 --arg entry "${{ matrix.config }}" \
 --arg runId "${{ github.run_id }}" \
 '{
- "_type": $type,
- "predicateType": $predType,
- "subject": [{"name": $name, "digest": {"sha256": $sha}}],
- "predicate": {
- "builder": {"id": $builder},
- "buildType": $buildType,
- "invocation": {
- "configSource": {"uri": $uri, "digest": {"sha1": $sha1}, "entryPoint": $entry}
- },
- "metadata": {
- "buildInvocationID": $runId,
- "completeness": {"parameters": true, "environment": true, "materials": true}
- }
+ "builder": {"id": $builder},
+ "buildType": $buildType,
+ "invocation": {
+ "configSource": {"uri": $uri, "digest": {"sha1": $sha1}, "entryPoint": $entry}
+ },
+ "metadata": {
+ "buildInvocationID": $runId,
+ "completeness": {"parameters": true, "environment": true, "materials": true}
 }
 }' > /tmp/provenance.json
 cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
diff --git a/.gitea/workflows/update-check.yaml b/.gitea/workflows/update-check.yaml
index 8f2ee16..be0105f 100644
--- a/.gitea/workflows/update-check.yaml
+++ b/.gitea/workflows/update-check.yaml
@@ -231,12 +231,7 @@ jobs:
 COSIGN_YES: "true"
 run: |
 IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
- DIGEST_SHA=$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')
 jq -n \
- --arg type "https://in-toto.io/Statement/v0.1" \
- --arg predType "https://slsa.dev/provenance/v0.2" \
- --arg name "${{ steps.publish.outputs.image_versioned }}" \
- --arg sha "$DIGEST_SHA" \
 --arg builder "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
 --arg buildType "https://apko.dev/build/v1" \
 --arg uri "${{ github.server_url }}/${{ github.repository }}" \
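Review bot: This jq filter is now the third apparently identical copy of the provenance predicate (the diffstat shows the same 8-insertion/18-deletion change applied to publish.yaml, rebuild.yaml and update-check.yaml), so the next correction — populating `materials`, changing `builder.id`, moving to the SLSA v1 predicate — has to be made in three places and the copies can drift silently, which for an attestation means three builds may end up claiming different things about the same pipeline. Extract the predicate generation into a checked-in script (e.g. `.gitea/scripts/provenance.sh` taking builder, uri, sha1, entry and runId as arguments) or a reusable workflow and call it from all three jobs. Style only; behaviour is unchanged. The step's `env:`/`run:` header lies before this hunk.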
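Review bot: Dropping the hand-built `subject` (the removed `--arg name "${{ steps.publish.outputs.image_versioned }}"` line) also drops the only place the versioned image name was recorded; as I understand cosign, the subject it generates is the repository from the `@sha256:` reference passed to `cosign attest` plus that digest, so the tag no longer appears anywhere in the attestation. That is correct for verification (the digest is what binds the statement), but if the tag matters for audit, carry it inside the predicate — e.g. keep the `--arg name` line and add `"buildConfig": {"imageRef": $name}` to the object — rather than losing it. Also confirm `image_versioned` is still consumed elsewhere in this workflow, otherwise the output is now dead. The `run:` block continues past this hunk.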
@@ -244,19 +239,14 @@ jobs:
 --arg entry "${{ matrix.config }}" \
 --arg runId "${{ github.run_id }}" \
 '{
- "_type": $type,
- "predicateType": $predType,
- "subject": [{"name": $name, "digest": {"sha256": $sha}}],
- "predicate": {
- "builder": {"id": $builder},
- "buildType": $buildType,
- "invocation": {
- "configSource": {"uri": $uri, "digest": {"sha1": $sha1}, "entryPoint": $entry}
- },
- "metadata": {
- "buildInvocationID": $runId,
- "completeness": {"parameters": true, "environment": true, "materials": true}
- }
+ "builder": {"id": $builder},
+ "buildType": $buildType,
+ "invocation": {
+ "configSource": {"uri": $uri, "digest": {"sha1": $sha1}, "entryPoint": $entry}
+ },
+ "metadata": {
+ "buildInvocationID": $runId,
+ "completeness": {"parameters": true, "environment": true, "materials": true}
 }
 }' > /tmp/provenance.json
 cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
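Review bot: Nothing after the `cosign attest ...` line checks what actually got attached, and the bug this commit fixes is exactly the kind that only surfaces at verification time: cosign re-parses `/tmp/provenance.json` into its own SLSA v0.2 structure, so a mis-nested or unrecognised field is dropped silently and the signed statement ends up thinner than the file on disk. Add a post-attest check in the same step that fails the job if the predicate is missing what you rely on, e.g. `cosign download attestation "${IMAGE_DIGEST}" | jq -e -r '.payload | @base64d | fromjson | select(.predicateType == "https://slsa.dev/provenance/v0.2") | .predicate.builder.id'` (or `cosign verify-attestation --type slsaprovenance` with the identity flags this job's signing mode needs — those are not visible here). This guards the next refactor of the predicate the same way it would have caught the original nesting error. The step's header is outside this hunk.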