Build Attestation
kas supports the generation of SLSA / in-toto build attestation data. Currently, support for the following attestation formats is implemented:
Provenance
The provenance data provides information about the build. This includes
data about the build environment, as well as all primary (first-level)
dependencies. The attestation will be stored in
attestation/kas-build.provenance.json
The following modes are supported: mode=min
, mode=max
, whereby
the mode controls the amount of information that is included in the
attestation. The CLI options hereby loosely follow the docker buildx
provenance options, which are described in detail in
Provenance attestations.
For compatibility with the docker buildx
CLI options, we also support
--provenance true
, which is equivalent to --provenance mode=min
.
In min mode, the provenance attestation will contain information about:
Build timestamps
Build materials (project-config files)
Source repositories and revisions
Build platform
In max mode, it will also contain the build environment, i.e. all
environment variables of the env
section along with their values.
Warning
In max mode, the provenance attestation captures all environment
variables specified in the env
section. Make sure to not expose
any secrets.
For example, to build the configuration described in the file
kas-project.yml
and emit provenance attestations, you could run:
kas build --provenance mode=max kas-project.yml
Working with sigstore cosign
The cosign tool from the sigstore project (documentation) has native support for in-toto build predicates. However, it currently can only operate directly on the predicate but not on the enclosing attestation (cosign 2.2.4). By that, the predicate first needs to be extracted (provenance in this example):
cat build/attestation/kas-build.provenance.json | jq '.predicate' > provenance.json
Attestation Signing
Warning
The following command operates on the public append-only transparency log. Make sure to understand the implications before executing.
The following example shows how to create a signed build attestation from a provenance predicate and a local artifact, using the OIDC keyless signing workflow:
cosign attest-blob \
--type=slsaprovenance1 \
--predicate=provenance.json \
--output-signature=kas-build.dsse.json \
--output-certificate=cert.pem \
<image>.wic
Note
Currently the attestation can only be created for a single artifact file.
For later verification, both the signed attestation (kas-build.dsse.json
),
as well as the certificate (cert.pem
) are needed. Make sure to
ship them along with the artifact.
Attestation Verification
The previously signed blob can be verified again:
cosign verify-blob-attestation \
--certificate=cert.pem \
--signature=kas-build.dsse.json \
--certificate-identity="<redacted>" \
--certificate-oidc-issuer="<oidc issuer>" \
--type=slsaprovenance1 \
<image>.wic
Attestation Restoration
The dsse record (kas-build.dsse.json
) contains the original
attestation data as base64 encoded string. To restore the attestation,
run:
cat kas-build.dsse.json | jq -r '.payload' | base64 -d | jq