Sigstore Bundle
October 31, 2024
Version 0.3.2
This document describes the data structure for storing Sigstore signatures generated by tooling
working in the context of the Sigstore Public Instance. It includes json examples of
serialized bundles of the current bundle format version. It may exclude descriptions of parameters
that continue to exist for compatibility reasons or for private use cases. For a full description of
the format, the formal schema and information about language library support see
sigstore/protobuf-specs.
Bundle
A Sigstore bundle is everything required to verify a signature on an artifact. This is satisfied by the Verification Material and signature Content.
Verification Material
This is key material used to verify signatures along with supporting metadata like transparency log entries and timestamps. When using short lived Fulcio certificates where verification may occur after the certificate has expired, bundles must include at least one transparency log’s signed entry timestamp or an RFC3161 timestamp to provide proof that signing occured during the ceritificates validity window.
Key Material
X.509 certificate
A single X.509 leaf certificate conveying the signing key and containing extensions
for identities consumed at verification time. This is the recommended "verificationMaterial" type
for use with the public Sigstore infrastructure.
"verificationMaterial": {
"certificate": {
"rawBytes": "<Base64(DER bytes)>"
}
}
Public Key Identifier
A hint to identify an out of band delivered key to verify a signature. Like traditional PKI key distribution the format of the hint must be agreed upon out of band by the signer and the verifiers. The key itself is not embedded in the Sigstore bundle.
"verificationMaterial": {
"publicKeyIdentifier": {
"hint": "<HINT>"
}
}
Transparency Log Entries
Transparency Log entries can provide proof that a signing event was written to a public log. They are not required by the spec but inclusion of one or more transparency log entries is highly encouraged for bundles subject to public consumption. The embedded signed entry timestamp may be used to validate signing occurred during ceritificate validity.
"verificationMaterial": {
"tlogEntries": [
{
"logIndex": "<GLOBAL_LOG_INDEX>",
"logId": {
"keyId": "<KEY_ID>",
},
"kindVersion": {
"kind": "(hashrekord | dsse)",
"version": "<VERSION>"
},
"integratedTime": "<UNIX_TIMESTAMP>",
"inclusionPromise": {
"signedEntryTimestamp": "<Base64(SET bytes)>"
},
"inclusionProof": {
"logIndex": "<TREE_INDEX>",
"rootHash": "<Base64(HASH)>",
"treeSize": "<TREE_SIZE>",
"hashes": [
"<Base64(HASH)>",
"<Base64(HASH)>",
"<Base64(HASH)>"
],
"checkpoint": {
"envelope": "<TLOG CHECKPOINT SIGNED NOTE>"
}
},
"canonicalizedBody": "<Base64(JSON)>"
},
]
}
Timestamp
Zero or more RFC3161 timestamps to validate signing occurred during ceritificate validity.
"verificationMaterial": {
"timestampVerificationData": {
"rfc3161Timestamps": [
{
"signedTimestamp": "<Base64(RFC3161 TIMESTAMP)>"
},
]
}
}
Content
This is the signature data for which the Verification Material is defined over. It must be one of Message Signature over an artifact hash or a DSSE envelope for attestations.
Message Signature
This is a computed signature over a message (typically an arifact hash). It may contain a
message_digest for informational purposes, but it must be provided or computed from a provided
artifact at verification time.
"messageSignature": {
"messageDigest": {
"algorithm": "<HASH ALGORITHM>",
"digest": "<Base64(DIGEST)>"
},
"signature": "<Base64(SIGNATURE)>"
}
DSSE
A DSSE envelope can contain arbitrary payloads. Currently Sigstore clients only process the
payload type "application/vnd.in-toto+json". Verifiers must verify that the payload type is a
supported and expected type. DSSE envelopes contained in a Sigstore Bundle must only contain a
single signature (the DSSE spec allows multiple).
"dsseEnvelope": {
{
"payload": "<Base64(JSON_PAYLOAD)>",
"payloadType": "application/vnd.in-toto+json",
"signatures": [{
"keyid": "<KEY_ID>",
"sig": "<Base64(SIGNATURE)>"
}]
}
}
Examples
Here are some example bundles from the Sigstore public infrastructure.
Message Signature Bundle
Bundle with Message Signature over an artifact (sigstore-java-1.0.0.jar). This example includes a single transparency log entry with a signed entry timestamp for signing time verification.
{
"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
"verificationMaterial": {
"tlogEntries": [{
"logIndex": "125680200",
"logId": {
"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="
},
"kindVersion": {
"kind": "hashedrekord",
"version": "0.0.1"
},
"integratedTime": "1724870676",
"inclusionPromise": {
"signedEntryTimestamp": "MEYCIQCAKWrmj0LZ77rfiMXEat9gCCJxX4pgQfZqNc+tvF7gaAIhAJFtyypsWCbLDJ+NAMzPoY1AkQ1inhhQ3pZC5PaBCI8C"
},
"inclusionProof": {
"logIndex": "3775938",
"rootHash": "nEpjeg/gaT1EOcKQAr3q/XGdnuKzLsf4UhgZrwtTU+8=",
"treeSize": "3775939",
"hashes": ["vNwG4wbIsTeCSn9JageqhtCb6VvgYEKSw3Xro8zMF3s=", "3Cue+tnRytahmzjIHIig4/fKMN9WAQmi/8g4Fdk6+8k=", "2EvX4swCFD/LILwJKa300/8gGp/NrdPRJmS5xD5vTKE=", "7hEYrEVIERVjsDqdu600HLZ8gNcv7a45T2PI6RSmuzQ=", "Uh7WsOJYvurV8PIbjfhlLyW+CP+/HENUKB4tooMfNZo=", "Qs+LtoqLx2sFhSJUuUlbJs13xTJzH7lVPpEKpXBZyvI=", "kM4w7ZLh5iktz4xR9ECXn9elEJIaqockScafEFL7ieY=", "LomN2mlfw+qbbFGvCNfr3vCBrZ4EU/lqnL4TO0yc9Zw=", "22569ZiSqZcajfTf9Ct4LFEWDtLlHeaTpoPCFqeZtWQ=", "QxmVWsbTp4cClxuAkuT51UH2EY7peHMVGKq7+b+cGwQ=", "Q2LAtNzOUh+3PfwfMyNxYb06fTQmF3VeTT6Fr6Upvfc=", "ftwAu6v62WFDoDmcZ1JKfrRPrvuiIw5v3BvRsgQj7N8="],
"checkpoint": {
"envelope": "rekor.sigstore.dev - 1193050959916656506\n3775939\nnEpjeg/gaT1EOcKQAr3q/XGdnuKzLsf4UhgZrwtTU+8\u003d\n\n— rekor.sigstore.dev wNI9ajBEAiA/TrOctVDd1vjn/IrzCU8Fm7mhUlJ2FN739iGpqMomHgIgRwwqXaijp0RRTgyRxYUsCZ6LFvewTTEyaPmO4vHKqgk\u003d\n"
}
},
"canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1YmUyNmYxNzc3YTM1MWEyZjc3MGU5MWRiY2VhZTBhYWEzZjZlMjZlOGFkMjE4YzZhYzE2Y2FhNzgzYTVhYTBkIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJQWxWTTlHR0VGV2dXYjJzdCtHRVlVVUphTXhGZXYxYlc2TVRzV2RnYks1YkFpRUFvWFhKTlFBQ1JGNG82OEx0V0dvVFdKZWVzekRrRXZlUWthOFQ2KzhYeTRBPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVaGFSRU5EUW5WeFowRjNTVUpCWjBsVlFVOTVWMWswTUdOdVJXbHNWMnhPYm1GVlJtaEdZMmR0YURoemQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFJkMDlFU1RSTlZHY3dUa1JOTUZkb1kwNU5hbEYzVDBSSk5FMVVaekZPUkUwd1YycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZRYkdwbFpuWmpibXd4YVhaQmF6RlJRalZFZG5Nd1VYVm1iRWRxUmxObFYxUlFMMDhLZEcxaE4yNXlRMVJZUjFGMFVXZEVTVzVLVTFKeFRWTTNWRE4yWjJ0MlpYTXlVMUUyWkVGR2JXeDBURWxYWjBsS2R6WlBRMEpuYTNkbloxbEdUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZRZDNGa0NtTlhaMjlHYjJadWJsTmtWekJ3U0hkclJtaHZhMUJOZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDJabldVUldVakJTUVZGSUwwSklVWGRqYjFwM1lVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVEROT2NGb3pUakJpTTBwc1RETk9jQXBhTTA0d1lqTktiRXhYY0doa2JVVjJURzFrY0dSSGFERlphVGt6WWpOS2NscHRlSFprTTAxMlkyMVdjMXBYUm5wYVV6RjZZVmRrZW1SSE9YbGFVekZ4Q2xsWVdtaE1WMXA1WWpJd2RHUkhSbTVNYm14b1lsZDRRV050Vm0xamVUa3dXVmRrZWt3eldYaE1ha0YxVFVSQk5VSm5iM0pDWjBWRlFWbFBMMDFCUlVJS1FrTjBiMlJJVW5kamVtOTJURE5TZG1FeVZuVk1iVVpxWkVkc2RtSnVUWFZhTW13d1lVaFdhV1JZVG14amJVNTJZbTVTYkdKdVVYVlpNamwwVFVJNFJ3cERhWE5IUVZGUlFtYzNPSGRCVVVsRlJWaGtkbU50ZEcxaVJ6a3pXREpTY0dNelFtaGtSMDV2VFVSWlIwTnBjMGRCVVZGQ1p6YzRkMEZSVFVWTFIxRjVDazVxUVhwTmVsRXdXVlJyZWs1VVpHcFphbU42VFZSUmVWa3lTVEpPVjA1b1dtcFdiVTE2Ykd0YVIwa3dUV3BuZWs5VVZYZFVaMWxMUzNkWlFrSkJSMFFLZG5wQlFrSkJVa0ZWYlZaeldsZEdlbHBUUW5waFYyUjZaRWM1ZVZwVE1YRlpXRnBvU1VkR2RWcERRbnBoVjJSNlpFYzVlVnBUTVhSWldGcHNZbWt4ZHdwaVNGWnVZVmMwWjJSSE9HZFVWMFl5V2xjMFoxRXlWblZrU0Vwb1lrUkJhMEpuYjNKQ1owVkZRVmxQTDAxQlJVWkNRbHA2WVZka2VtUkhPWGxhVXpsNkNtRlhaSHBrUnpsNVdsTXhjVmxZV21oTlFqUkhRMmx6UjBGUlVVSm5OemgzUVZGWlJVVklTbXhhYmsxMlpFZEdibU41T1RKTlV6UjNUR3BCZDA5M1dVc0tTM2RaUWtKQlIwUjJla0ZDUTBGUmRFUkRkRzlrU0ZKM1kzcHZka3d6VW5aaE1sWjFURzFHYW1SSGJIWmliazExV2pKc01HRklWbWxrV0U1c1kyMU9kZ3BpYmxKc1ltNVJkVmt5T1hSTlNVZEJRbWR2Y2tKblJVVkJXVTh2VFVGRlNrSklTVTFqUjJnd1pFaENlazlwT0haYU1td3dZVWhXYVV4dFRuWmlVemw2Q21GWFpIcGtSemw1V2xNNWVtRlhaSHBrUnpsNVdsTXhjVmxZV21oTWVUVnVZVmhTYjJSWFNYWmtNamw1WVRKYWMySXpaSHBNTTBwc1lrZFdhR015VlhRS1l6SnNibU16VW5aamJWVjBZVzFHTWxsVE1XMWpiVGwwVEZoU2FGcDVOVFZaVnpGelVVaEtiRnB1VFhaa1IwWnVZM2s1TWsxVE5IZE1ha0YzVDBGWlN3cExkMWxDUWtGSFJIWjZRVUpEWjFGeFJFTm9hMDFxV1hkTmVrMHdUa2RGTlUxNlZUTlpNa2t6VFhwRk1FMXRUbWxPYWxacVdWZFpNVnBxVFRWYVIxSnBDazVFU1RSTmVtc3hUVUl3UjBOcGMwZEJVVkZDWnpjNGQwRlJjMFZFZDNkT1dqSnNNR0ZJVm1sTVYyaDJZek5TYkZwRVFUVkNaMjl5UW1kRlJVRlpUeThLVFVGRlRVSkRjMDFMVjJnd1pFaENlazlwT0haYU1td3dZVWhXYVV4dFRuWmlVemw2WVZka2VtUkhPWGxhVXpsNllWZGtlbVJIT1hsYVV6RnhXVmhhYUFwTlJHZEhRMmx6UjBGUlVVSm5OemgzUVZFd1JVdG5kMjlhUkVreVRVUk5lazVFVW1oUFZFMHhUakpPYVU1NlRYaE9SRXBxV1dwWk1Wa3lSbTFPVjFsNkNrOVhVbXRaYWxGNVQwUk5OVTVVUVdkQ1oyOXlRbWRGUlVGWlR5OU5RVVZQUWtKSlRVVklTbXhhYmsxMlpFZEdibU41T1RKTlV6UjNUR3BCZDBkUldVc0tTM2RaUWtKQlIwUjJla0ZDUkhkUlRFUkJhekJPYWtGNFQwUlJNMDFFWjNkTGQxbExTM2RaUWtKQlIwUjJla0ZDUlVGUlpFUkNkRzlrU0ZKM1kzcHZkZ3BNTW1Sd1pFZG9NVmxwTldwaU1qQjJZekpzYm1NelVuWmpiVlYzUjBGWlMwdDNXVUpDUVVkRWRucEJRa1ZSVVV0RVFXY3pUVlJCTlU1cVRURk5la05DQ21kQldVdExkMWxDUWtGSFJIWjZRVUpGWjFKNVJFaENiMlJJVW5kamVtOTJUREprY0dSSGFERlphVFZxWWpJd2RtTXliRzVqTTFKMlkyMVZkbU15Ykc0S1l6TlNkbU50VlhSaGJVWXlXVk00ZFZveWJEQmhTRlpwVEROa2RtTnRkRzFpUnprelkzazVlVnBYZUd4WldFNXNURmhPY0ZvelRqQmlNMHBzVEZkd2FBcGtiVVYwV201S2RtSlRNVEJaVjJOMVpWZEdkR0pGUW5sYVYxcDZURE5TYUZvelRYWmtha1YxVFVNMGQwMUVaMGREYVhOSFFWRlJRbWMzT0hkQlVrMUZDa3RuZDI5YVJFa3lUVVJOZWs1RVVtaFBWRTB4VGpKT2FVNTZUWGhPUkVwcVdXcFpNVmt5Um0xT1YxbDZUMWRTYTFscVVYbFBSRTAxVGxSQmFFSm5iM0lLUW1kRlJVRlpUeTlOUVVWVlFrSk5UVVZZWkhaamJYUnRZa2M1TTFneVVuQmpNMEpvWkVkT2IwMUdNRWREYVhOSFFWRlJRbWMzT0hkQlVsVkZWSGQ0VGdwaFNGSXdZMGhOTmt4NU9XNWhXRkp2WkZkSmRWa3lPWFJNTTA1d1dqTk9NR0l6U214TU0wNXdXak5PTUdJelNteE1WM0JvWkcxRmRsbFhUakJoVnpsMUNtTjVPWGxrVnpWNlRIcEZkMDVxUVhsT1JGRXlUMVJGTUV3eVJqQmtSMVowWTBoU2VreDZSWGRHWjFsTFMzZFpRa0pCUjBSMmVrRkNSbWRSU1VSQlduY0taRmRLYzJGWFRYZG5XVzlIUTJselIwRlJVVUl4Ym10RFFrRkpSV1pCVWpaQlNHZEJaR2RFWkZCVVFuRjRjMk5TVFcxTldraG9lVnBhZW1ORGIydHdaUXAxVGpRNGNtWXJTR2x1UzBGTWVXNTFhbWRCUVVGYVIyRlVZMjA0UVVGQlJVRjNRa2hOUlZWRFNVaFhiVkpGYVhZNVRrbHlUbnBDTkhoMFVVSkRaa1pUQ25waVNUY3paREV4VlVvMVVUQnRORlJHVlZvMFFXbEZRVGMwTW1WQ2RsaG1hVXhrVFN0dksyOUlZbVJ6UjJsTEwzcHBjMXAyZUV4c2IzQmhTRXQ1U0NzS1ZrRlpkME5uV1VsTGIxcEplbW93UlVGM1RVUmhRVUYzV2xGSmVFRkxjRzVXYUc5dFluUmlSV1YyVFVsU1MyVmlXWEphVm1NMFlsUmlZVmxyYUVOMVNBcDVMMmRVWW00cmFXeHVSWEphY1hsNlVGQkNkWEYzZEc1c1NHZDBiMUZKZDBVMmJGTnBSbE52VmtsblIwNWpXVVIxUWxWRmNIbFZhR2xGV0VodE5UVkhDbEp2YnpneVRYSmpNMlIzV0dkR1FqRk1LM1l2Y1ZwSFpFOWtVazFtY2k5aENpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyJ9fX19"
}],
"certificate": {
"rawBytes": "MIIHZDCCBuqgAwIBAgIUAOyWY40cnEilWlNnaUFhFcgmh8swCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjQwODI4MTg0NDM0WhcNMjQwODI4MTg1NDM0WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPljefvcnl1ivAk1QB5Dvs0QuflGjFSeWTP/Otma7nrCTXGQtQgDInJSRqMS7T3vgkves2SQ6dAFmltLIWgIJw6OCBgkwggYFMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUPwqdcWgoFofnnSdW0pHwkFhokPMwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wfgYDVR0RAQH/BHQwcoZwaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWphdmEvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS1zaWdzdG9yZS1qYXZhLWZyb20tdGFnLnlhbWxAcmVmcy90YWdzL3YxLjAuMDA5BgorBgEEAYO/MAEBBCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMB8GCisGAQQBg78wAQIEEXdvcmtmbG93X2Rpc3BhdGNoMDYGCisGAQQBg78wAQMEKGQyNjAzMzQ0YTkzNTdjYjczMTQyY2I2NWNhZjVmMzlkZGI0MjgzOTUwTgYKKwYBBAGDvzABBARAUmVsZWFzZSBzaWdzdG9yZS1qYXZhIGFuZCBzaWdzdG9yZS1tYXZlbi1wbHVnaW4gdG8gTWF2ZW4gQ2VudHJhbDAkBgorBgEEAYO/MAEFBBZzaWdzdG9yZS9zaWdzdG9yZS1qYXZhMB4GCisGAQQBg78wAQYEEHJlZnMvdGFncy92MS4wLjAwOwYKKwYBBAGDvzABCAQtDCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMIGABgorBgEEAYO/MAEJBHIMcGh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qYXZhLy5naXRodWIvd29ya2Zsb3dzL3JlbGVhc2Utc2lnc3RvcmUtamF2YS1mcm9tLXRhZy55YW1sQHJlZnMvdGFncy92MS4wLjAwOAYKKwYBBAGDvzABCgQqDChkMjYwMzM0NGE5MzU3Y2I3MzE0MmNiNjVjYWY1ZjM5ZGRiNDI4Mzk1MB0GCisGAQQBg78wAQsEDwwNZ2l0aHViLWhvc3RlZDA5BgorBgEEAYO/MAEMBCsMKWh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qYXZhMDgGCisGAQQBg78wAQ0EKgwoZDI2MDMzNDRhOTM1N2NiNzMxNDJjYjY1Y2FmNWYzOWRkYjQyODM5NTAgBgorBgEEAYO/MAEOBBIMEHJlZnMvdGFncy92MS4wLjAwGQYKKwYBBAGDvzABDwQLDAk0NjAxODQ3MDgwKwYKKwYBBAGDvzABEAQdDBtodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUwGAYKKwYBBAGDvzABEQQKDAg3MTA5NjM1MzCBgAYKKwYBBAGDvzABEgRyDHBodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtamF2YS8uZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLXNpZ3N0b3JlLWphdmEtZnJvbS10YWcueWFtbEByZWZzL3RhZ3MvdjEuMC4wMDgGCisGAQQBg78wARMEKgwoZDI2MDMzNDRhOTM1N2NiNzMxNDJjYjY1Y2FmNWYzOWRkYjQyODM5NTAhBgorBgEEAYO/MAEUBBMMEXdvcmtmbG93X2Rpc3BhdGNoMF0GCisGAQQBg78wARUETwxNaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWphdmEvYWN0aW9ucy9ydW5zLzEwNjAyNDQ2OTE0L2F0dGVtcHRzLzEwFgYKKwYBBAGDvzABFgQIDAZwdWJsaWMwgYoGCisGAQQB1nkCBAIEfAR6AHgAdgDdPTBqxscRMmMZHhyZZzcCokpeuN48rf+HinKALynujgAAAZGaTcm8AAAEAwBHMEUCIHWmREiv9NIrNzB4xtQBCfFSzbI73d11UJ5Q0m4TFUZ4AiEA742eBvXfiLdM+o+oHbdsGiK/zisZvxLlopaHKyH+VAYwCgYIKoZIzj0EAwMDaAAwZQIxAKpnVhombtbEevMIRKebYrZVc4bTbaYkhCuHy/gTbn+ilnErZqyzPPBuqwtnlHgtoQIwE6lSiFSoVIgGNcYDuBUEpyUhiEXHm55GRoo82Mrc3dwXgFB1L+v/qZGdOdRMfr/a"
}
},
"messageSignature": {
"messageDigest": {
"algorithm": "SHA2_256",
"digest": "W+JvF3ejUaL3cOkdvOrgqqP24m6K0hjGrBbKp4Olqg0="
},
"signature": "MEUCIAlVM9GGEFWgWb2st+GEYUUJaMxFev1bW6MTsWdgbK5bAiEAoXXJNQACRF4o68LtWGoTWJeeszDkEveQka8T6+8Xy4A="
}
}
DSSE Bundle
Bundle with DSSE Envelope over a provenance attestation. This example includes a transparency log entry and an rfc3161 timestamp.
{
"mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.2",
"verificationMaterial": {
"x509CertificateChain": {
"certificates": [
{
"rawBytes": "MIIDNDCCAtqgAwIBAgIEERggBDAKBggqhkjOPQQDAzArMREwDwYDVQQDEwhzaWdzdG9yZTEWMBQGA1UEChMNc2lnc3RvcmUubW9jazAeFw0yMzAyMDEwMDAwMDBaFw0yMzAyMDEwMDEwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR3rsXlKKGObv+Z08sAjs0tyxlzSTKkaFRiy7vjZaFMRQOZ76QKwGFefLkeGwuafSKyLbzhjIghOrUzjS+WFAMHo4ICFTCCAhEwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMIGlBgNVHREBAf8EgZowgZeGgZRodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUtY29uZm9ybWFuY2UvZXh0cmVtZWx5LWRhbmdlcm91cy1wdWJsaWMtb2lkYy1iZWFjb24vLmdpdGh1Yi93b3JrZmxvd3MvZXh0cmVtZWx5LWRhbmdlcm91cy1vaWRjLWJlYWNvbi55bWxAcmVmcy9oZWFkcy9tYWluMB0GA1UdDgQWBBTnwHeBmPc9IrZmBemOaHy4lwv7KDAfBgNVHSMEGDAWgBQ/FFxk7FUxt/oE8lDZEF0s7kasuDA7BgorBgEEAYO/MAEIBC0MK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTCBiQYKKwYBBAHWeQIEAgR7BHkAdwB1APcmyqNBF7qRZUSvNzTpIM1MSS73XOYij9wE7v8vPyfdAAABhgpF7AAAAAQDAEYwRAIgORF50hYRIFl2Hgc0vOJfpMjU8gY7BtGfz0oZePlxG4gCIDl6SXQe1+96ENWqM6+5wxbIUgHL8T3+no43cyuEAe+NMAoGCCqGSM49BAMDA0gAMEUCICqL+qLpRbTPXn6Ri/VId0ejKBNE/B1pm91uOye/COmVAiEAnkRk1n/fPy8cGs6+i+q7bMMl+X2Cm51odIrMI9PbjMw="
}
]
},
"tlogEntries": [
{
"logIndex": "4288993",
"logId": {
"keyId": "9ybKo0EXupFlRK83NOkgzUxJLvdc5iKP3ATu/y8/J90="
},
"kindVersion": {
"kind": "intoto",
"version": "0.0.2"
},
"integratedTime": "1675209600",
"inclusionPromise": {
"signedEntryTimestamp": "MEQCIGkdiEwwfehfHGLM0qerjqUifnolYl8guuPHdBGUl2kSAiBeo/KfkIKVsCXAbn9hnsUhXSewAsAzfDGdIHsuloSpLw=="
},
"inclusionProof": {
"logIndex": "0",
"rootHash": "pc42iecujVMfPva3JcoWyQU9W6llYb+A2LsgE2O5pg0=",
"treeSize": "1",
"hashes": [],
"checkpoint": {
"envelope": "localhost:8000 - 124190645164477\n1\npc42iecujVMfPva3JcoWyQU9W6llYb+A2LsgE2O5pg0=\nTimestamp: 1675209600000000000\n\n— localhost:8000 9ybKozBGAiEAkhPYcKegqWJbVTaEYJHp0rpn3CZjmyqD2unDIfg5tEQCIQC5VNMY5qTG83VuWL2eEbEWhFF3WNWDuaM3PqbvtUXR4w==\n"
}
},
"canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWQiOiJaWGR2WjBsRFNtWmtTR3gzV2xOSk5rbERTbTlrU0ZKM1kzcHZka3d5YkhWTVdGSjJaRWM0ZFdGWE9IWlZNMUpvWkVkV2RGcFhOVEJNTTFsNFNXbDNTMGxEUVdsak0xWnBZVzFXYW1SRFNUWkpSbk5MU1VOQlowbEljMHRKUTBGblNVTkJaMGx0TldoaVYxVnBUMmxCYVZwRE5UQmxTRkZwVEVGdlowbERRV2RKUTBGcFdrZHNibHBZVGpCSmFtOW5aWGR2WjBsRFFXZEpRMEZuU1VOS2VtRkhSWGxPVkZscFQybEJhVTE2VFhkWlZFRXdUWHBKZVUxSFdtaE5WRTVzVFVSR2EwNXFhR2hPTWxKcFRYcHNhazlFYkd4TlZFcHBUVWROTUZsNlRtbE9iVVYzVFhwUk1scHRWVEpOYWxKcFRVUnJkMDB5V1hoTmVrRjZXV3BXYVUxcFNVdEpRMEZuU1VOQloyWlJiMmRKUTBGblpsRnZaMGxHTUhORGFVRm5TVzVDZVZwWFVuQlpNa1l3V2xaU05XTkhWV2xQYVVGcFlVaFNNR05JVFRaTWVUbDZZa2hPYUV4dFVteGthVGwzWTIwNU1scFhOV2hpYlU1c1RETlplRWxwZDB0SlEwRnBZMGhLYkZwSGJHcFpXRkpzU1dwdloyVjNiMmRKUTBGblNXMUtNV0ZYZUd0U1IxWnRZVmMxY0dSSGJIWmlhVWsyU1VoelMwbERRV2RKUTBGblNXMUtNV0ZYZUd0V1NHeDNXbE5KTmtsRFNtOWtTRkozWTNwdmRrd3pUbk5qTWtWMFdtNUthR0pYVmpOaU0wcHlURzFrY0dSSGFERlphVFZ3WW5rNWJtRllVbTlrVjBsMFdWZE9NR0ZYT1hWamVURnBaRmRzYzFwSVVqVmpSMVo2VEROa2RtTnRkRzFpUnprelRETlplRWxwZDB0SlEwRm5TVU5CWjBsdFZqUmtSMVo1WW0xR2MxVkhSbmxaVnpGc1pFZFdlV041U1RaSlNITkxTVU5CWjBsRFFXZEpRMEZwWkRJNWVXRXlXbk5pTTJOcFQybENOME5wUVdkSlEwRm5TVU5CWjBsRFFXbGpiVlp0U1dwdlowbHVTbXhhYmsxMllVZFdhRnBJVFhaaVYwWndZbWxKYzBOcFFXZEpRMEZuU1VOQlowbERRV2xqYlZaM1lqTk9jR1JIT1hsbFUwazJTVU5LYjJSSVVuZGplbTkyVERKa2NHUkhhREZaYVRWcVlqSXdkbU15Ykc1ak0xSjJZMjFWZG1NeWJHNWpNMUoyWTIxVmRGa3lPWFZhYlRsNVlsZEdkVmt5VldsTVFXOW5TVU5CWjBsRFFXZEpRMEZuU1c1Q2FHUkhaMmxQYVVGcFRHMWtjR1JIYURGWmFUa3pZak5LY2xwdGVIWmtNMDEyV1RJNWRWcHRPWGxpVjBaMVdUSlZkV1ZYTVhOSloyOW5TVU5CWjBsRFFXZEpTREJMU1VOQlowbERRV2RtVTNkTFNVTkJaMGxEUVdkSmJXeDFaRWRXZVdKdFJuTlZSMFo1V1ZjeGJHUkhWbmxqZVVrMlNVaHpTMGxEUVdkSlEwRm5TVU5CYVZveWJEQmhTRlpwU1dwdloyVjNiMmRKUTBGblNVTkJaMGxEUVdkSmJWWXlXbGMxTUZneU5XaGlWMVZwVDJsQmFXTklWbnBoUTBselEybEJaMGxEUVdkSlEwRm5TVU5CYVdOdFZuZGlNMDV3WkVjNWVXVldPWEJhUTBrMlNVTkpNVTVFUlRSUFZFMTRUMFJaYVV4QmIyZEpRMEZuU1VOQlowbERRV2RKYmtwc1kwYzVlbUZZVW5aamJteG1Zak5rZFZwWVNtWmhWMUZwVDJsQmFVNTZSWGRQVkZsNlRsUk5hVU5wUVdkSlEwRm5TVU5CWjJaUmIyZEpRMEZuU1VOQ09VeEJiMmRKUTBGblNVTkJhV050Vm5waU1uZ3lXbGRTUlZwWVFteGliVkpzWW0xT2NGcFlUV2xQYVVKaVEybEJaMGxEUVdkSlEwRm5aWGR2WjBsRFFXZEpRMEZuU1VOQlowbHVWbmxoVTBrMlNVTktibUZZVVhKaFNGSXdZMGhOTmt4NU9XNWhXRkp2WkZkSmRWa3lPWFJNTTA1d1dqTk9NR0l6U214TU0wNXdXak5PTUdJelNteE1WMDUyWW0xYWRtTnRNV2hpYlU1c1VVaEtiRnB1VFhaaFIxWm9Xa2hOZG1KWFJuQmlhVWx6UTJsQlowbERRV2RKUTBGblNVTkJhVnBIYkc1YVdFNHdTV3B2WjJWM2IyZEpRMEZuU1VOQlowbERRV2RKUTBGcFdqSnNNRkV5T1hSaVYyd3dTV3B2WjBsdFRURmFhbFp0V1dwSk1VNVVSVEpOTWxaclQwUldhMXBIU1hwTmJWRXhUa2RTYWxwSFVUTk5WRUpvV1hwT2JVMUVVVEpOUkUxcFEybEJaMGxEUVdkSlEwRm5TVU5DT1VOcFFXZEpRMEZuU1VOQloyWlJiMmRKUTBGblNVTkNaRU5wUVdkSlEwSTVURUZ2WjBsRFFXZEpia294WW10U2JHUkhSbkJpU0UxcFQybENOME5wUVdkSlEwRm5TVU5LYVdSWGJITmFSMVo1U1dwdloyVjNiMmRKUTBGblNVTkJaMGxEU25CYVEwazJTVU5LYjJSSVVuZGplbTkyVERKa2NHUkhhREZaYVRWcVlqSXdkbGxYVGpCaFZ6bDFZM2s1ZVdSWE5YVmFXRWwyV2pKc01HRklWbWxNVjJoMll6TlNiRnBEU1V0SlEwRm5TVU5CWjJaVGQwdEpRMEZuU1VOQlowbHRNV3hrUjBacldWaFNhRWxxYjJkbGQyOW5TVU5CWjBsRFFXZEpRMHB3WW01YWRsa3lSakJoVnpsMVUxZFJhVTlwUVdsaFNGSXdZMGhOTmt4NU9XNWhXRkp2WkZkSmRWa3lPWFJNTTA1d1dqTk9NR0l6U214TU0wNXdXak5PTUdJelNteE1WMDUyWW0xYWRtTnRNV2hpYlU1c1RESkdhbVJIYkhaaWJrMTJZMjVXZFdONU9ETk5WR042VG1wSmQwOVVSWGRNTWtZd1pFZFdkR05JVW5wTWVrVnBRMmxCWjBsRFFXZEpTREJMU1VOQlowbElNRXRKUTBJNVEyNHdTdz09IiwicGF5bG9hZFR5cGUiOiJhcHBsaWNhdGlvbi92bmQuaW4tdG90bytqc29uIiwic2lnbmF0dXJlcyI6W3sicHVibGljS2V5IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVUk9SRU5EUVhSeFowRjNTVUpCWjBsRlJWSm5aMEpFUVV0Q1oyZHhhR3RxVDFCUlVVUkJla0Z5VFZKRmQwUjNXVVJXVVZGRVJYZG9lbUZYWkhwa1J6bDVXbFJGVjAxQ1VVZEJNVlZGUTJoTlRtTXliRzVqTTFKMlkyMVZkV0pYT1dwaGVrRmxSbmN3ZVUxNlFYbE5SRVYzVFVSQmQwMUVRbUZHZHpCNVRYcEJlVTFFUlhkTlJFVjNUVVJDWVUxQlFYZFhWRUZVUW1kamNXaHJhazlRVVVsQ1FtZG5jV2hyYWs5UVVVMUNRbmRPUTBGQlVqTnljMWhzUzB0SFQySjJLMW93T0hOQmFuTXdkSGw0YkhwVFZFdHJZVVpTYVhrM2RtcGFZVVpOVWxGUFdqYzJVVXQzUjBabFpreHJaVWQzZFdGbVUwdDVUR0o2YUdwSloyaFBjbFY2YWxNclYwWkJUVWh2TkVsRFJsUkRRMEZvUlhkRVoxbEVWbEl3VUVGUlNDOUNRVkZFUVdkbFFVMUNUVWRCTVZWa1NsRlJUVTFCYjBkRFEzTkhRVkZWUmtKM1RVUk5TVWRzUW1kT1ZraFNSVUpCWmpoRloxcHZkMmRhWlVkbldsSnZaRWhTZDJONmIzWk1NbVJ3WkVkb01WbHBOV3BpTWpCMll6SnNibU16VW5aamJWVjBXVEk1ZFZwdE9YbGlWMFoxV1RKVmRscFlhREJqYlZaMFdsZDROVXhYVW1oaWJXUnNZMjA1TVdONU1YZGtWMHB6WVZkTmRHSXliR3RaZVRGcFdsZEdhbUl5TkhaTWJXUndaRWRvTVZscE9UTmlNMHB5V20xNGRtUXpUWFphV0dnd1kyMVdkRnBYZURWTVYxSm9ZbTFrYkdOdE9URmplVEYyWVZkU2FreFhTbXhaVjA1MlltazFOV0pYZUVGamJWWnRZM2s1YjFwWFJtdGplVGwwV1Zkc2RVMUNNRWRCTVZWa1JHZFJWMEpDVkc1M1NHVkNiVkJqT1VseVdtMUNaVzFQWVVoNU5HeDNkamRMUkVGbVFtZE9Wa2hUVFVWSFJFRlhaMEpSTDBaR2VHczNSbFY0ZEM5dlJUaHNSRnBGUmpCek4ydGhjM1ZFUVRkQ1oyOXlRbWRGUlVGWlR5OU5RVVZKUWtNd1RVc3lhREJrU0VKNlQyazRkbVJIT1hKYVZ6UjFXVmRPTUdGWE9YVmplVFZ1WVZoU2IyUlhTakZqTWxaNVdUSTVkV1JIVm5Wa1F6VnFZakl3ZDA5UldVdExkMWxDUWtGSFJIWjZRVUpCVVZGeVlVaFNNR05JVFRaTWVUa3dZakowYkdKcE5XaFpNMUp3WWpJMWVreHRaSEJrUjJneFdXNVdlbHBZU21waU1qVXdXbGMxTUV4dFRuWmlWRU5DYVZGWlMwdDNXVUpDUVVoWFpWRkpSVUZuVWpkQ1NHdEJaSGRDTVVGUVkyMTVjVTVDUmpkeFVscFZVM1pPZWxSd1NVMHhUVk5UTnpOWVQxbHBhamwzUlRkMk9IWlFlV1prUVVGQlFtaG5jRVkzUVVGQlFVRlJSRUZGV1hkU1FVbG5UMUpHTlRCb1dWSkpSbXd5U0dkak1IWlBTbVp3VFdwVk9HZFpOMEowUjJaNk1HOWFaVkJzZUVjMFowTkpSR3cyVTFoUlpURXJPVFpGVGxkeFRUWXJOWGQ0WWtsVlowaE1PRlF6SzI1dk5ETmplWFZGUVdVclRrMUJiMGREUTNGSFUwMDBPVUpCVFVSQk1HZEJUVVZWUTBsRGNVd3JjVXh3VW1KVVVGaHVObEpwTDFaSlpEQmxha3RDVGtVdlFqRndiVGt4ZFU5NVpTOURUMjFXUVdsRlFXNXJVbXN4Ymk5bVVIazRZMGR6Tml0cEszRTNZazFOYkN0WU1rTnROVEZ2WkVseVRVazVVR0pxVFhjOUNpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyIsInNpZyI6IlRVVlZRMGxGTVVaV2VUSjZOMHBwUkZSQmJFOURhbWRYYW5CNU1GQnpZeTg0ZDB0b1RIbFZXVVJWT0N0UWIzSk9RV2xGUVc5alVUUndjemhuUWtkRU5HUXhhWGgzTTB4R1ZqZ3phRmRPZFdKRVZYWlJkbHBDUmtsb1F6VXpjWGM5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6ImM4ZWY4N2EzZmI4MTFkYTQ1YTQxODg2NTU5NmFiOTE2MDMyNDU4Y2QxMzU5MmM3ZmYxYTUzZThmZDE1N2M1ODAifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIwZWJiZGJjMjFkMTgyMDA3Yjc4YjU3NzBkZWEyNDlmMTEwOTQ2YjdkZWQ4NTdhNGVjMDBjY2I2OTJjMWUyNWFmIn19fX0="
}
],
"timestampVerificationData": {
"rfc3161Timestamps": [
{
"signedTimestamp": "MIICGzADAgEAMIICEgYJKoZIhvcNAQcCoIICAzCCAf8CAQMxDzANBglghkgBZQMEAgEFADB0BgsqhkiG9w0BCRABBKBlBGMwYQIBAQYJKwYBBAGDvzACMC8wCwYJYIZIAWUDBAIBBCCbcvRBlDfRbVwaBhmUQoOTcKS7XrFs5y6Tp/MDZ5tQNgIE3q2+7xgPMjAyMzAyMDEwMDAwMDBaMAMCAQECBEmWAtKgADGCAW8wggFrAgEBMCswJjEMMAoGA1UEAxMDdHNhMRYwFAYDVQQKEw1zaWdzdG9yZS5tb2NrAgECMA0GCWCGSAFlAwQCAQUAoIHVMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAcBgkqhkiG9w0BCQUxDxcNMjMwMjAxMDAwMDAwWjAvBgkqhkiG9w0BCQQxIgQgVzciL1SNrNN9mJ6Z3G1t4A7IPAjoVkXeFa91xuqRsAkwaAYLKoZIhvcNAQkQAi8xWTBXMFUwUwQgAA4hfcjNjQJC6U7kl1KxL3VHVkxZbFxM+eqk9sPXbJAwLzAqpCgwJjEMMAoGA1UEAxMDdHNhMRYwFAYDVQQKEw1zaWdzdG9yZS5tb2NrAgECMAoGCCqGSM49BAMCBEYwRAIgAqzpGF8YZrdyBJOGy2S/9qi7buQD6o51TvOGMKxAiagCIB8rI1sL9fFiY4LON6efkTvVxaFfHO5dJ1jKH+wO4jg+"
}
]
}
},
"dsseEnvelope": {
"payload": "ewogICJfdHlwZSI6ICJodHRwczovL2luLXRvdG8uaW8vU3RhdGVtZW50L3YxIiwKICAic3ViamVjdCI6IFsKICAgIHsKICAgICAgIm5hbWUiOiAiZC50eHQiLAogICAgICAiZGlnZXN0IjogewogICAgICAgICJzaGEyNTYiOiAiMzMwYTA0MzIyMGZhMTNlMDFkNjhhN2RiMzljODllMTJiMGM0YzNiNmEwMzQ2ZmU2MjRiMDkwM2YxMzAzYjViMiIKICAgICAgfQogICAgfQogIF0sCiAgInByZWRpY2F0ZVR5cGUiOiAiaHR0cHM6Ly9zbHNhLmRldi9wcm92ZW5hbmNlL3YxIiwKICAicHJlZGljYXRlIjogewogICAgImJ1aWxkRGVmaW5pdGlvbiI6IHsKICAgICAgImJ1aWxkVHlwZSI6ICJodHRwczovL3Nsc2EtZnJhbWV3b3JrLmdpdGh1Yi5pby9naXRodWItYWN0aW9ucy1idWlsZHR5cGVzL3dvcmtmbG93L3YxIiwKICAgICAgImV4dGVybmFsUGFyYW1ldGVycyI6IHsKICAgICAgICAid29ya2Zsb3ciOiB7CiAgICAgICAgICAicmVmIjogInJlZnMvaGVhZHMvbWFpbiIsCiAgICAgICAgICAicmVwb3NpdG9yeSI6ICJodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtY29uZm9ybWFuY2UiLAogICAgICAgICAgInBhdGgiOiAiLmdpdGh1Yi93b3JrZmxvd3MvY29uZm9ybWFuY2UueW1sIgogICAgICAgIH0KICAgICAgfSwKICAgICAgImludGVybmFsUGFyYW1ldGVycyI6IHsKICAgICAgICAiZ2l0aHViIjogewogICAgICAgICAgImV2ZW50X25hbWUiOiAicHVzaCIsCiAgICAgICAgICAicmVwb3NpdG9yeV9pZCI6ICI1NDE4OTMxODYiLAogICAgICAgICAgInJlcG9zaXRvcnlfb3duZXJfaWQiOiAiNzEwOTYzNTMiCiAgICAgICAgfQogICAgICB9LAogICAgICAicmVzb2x2ZWREZXBlbmRlbmNpZXMiOiBbCiAgICAgICAgewogICAgICAgICAgInVyaSI6ICJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWNvbmZvcm1hbmNlQHJlZnMvaGVhZHMvbWFpbiIsCiAgICAgICAgICAiZGlnZXN0IjogewogICAgICAgICAgICAiZ2l0Q29tbWl0IjogImM1ZjVmYjI1NTE2M2VkODVkZGIzMmQ1NGRjZGQ3MTBhYzNmMDQ2MDMiCiAgICAgICAgICB9CiAgICAgICAgfQogICAgICBdCiAgICB9LAogICAgInJ1bkRldGFpbHMiOiB7CiAgICAgICJidWlsZGVyIjogewogICAgICAgICJpZCI6ICJodHRwczovL2dpdGh1Yi5jb20vYWN0aW9ucy9ydW5uZXIvZ2l0aHViLWhvc3RlZCIKICAgICAgfSwKICAgICAgIm1ldGFkYXRhIjogewogICAgICAgICJpbnZvY2F0aW9uSWQiOiAiaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWNvbmZvcm1hbmNlL2FjdGlvbnMvcnVucy83MTczNjIwOTEwL2F0dGVtcHRzLzEiCiAgICAgIH0KICAgIH0KICB9Cn0K",
"payloadType": "application/vnd.in-toto+json",
"signatures": [
{
"sig": "MEUCIE1FVy2z7JiDTAlOCjgWjpy0Psc/8wKhLyUYDU8+PorNAiEAocQ4ps8gBGD4d1ixw3LFV83hWNubDUvQvZBFIhC53qw=",
"keyid": ""
}
]
}
}
where the embedded attestation in the dsse envelope is
{
"_type": "https://in-toto.io/Statement/v1",
"subject": [
{
"name": "d.txt",
"digest": {
"sha256": "330a043220fa13e01d68a7db39c89e12b0c4c3b6a0346fe624b0903f1303b5b2"
}
}
],
"predicateType": "https://slsa.dev/provenance/v1",
"predicate": {
"buildDefinition": {
"buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
"externalParameters": {
"workflow": {
"ref": "refs/heads/main",
"repository": "https://github.com/sigstore/sigstore-conformance",
"path": ".github/workflows/conformance.yml"
}
},
"internalParameters": {
"github": {
"event_name": "push",
"repository_id": "541893186",
"repository_owner_id": "71096353"
}
},
"resolvedDependencies": [
{
"uri": "git+https://github.com/sigstore/sigstore-conformance@refs/heads/main",
"digest": {
"gitCommit": "c5f5fb255163ed85ddb32d54dcdd710ac3f04603"
}
}
]
},
"runDetails": {
"builder": {
"id": "https://github.com/actions/runner/github-hosted"
},
"metadata": {
"invocationId": "https://github.com/sigstore/sigstore-conformance/actions/runs/7173620910/attempts/1"
}
}
}
}