zregvart · April 13, 2022 12:31
diff --git a/01 demo.sh b/01 demo.sh
 IMAGE=default-route-openshift-image-registry.apps-crc.testing/tekton-chains/kaniko-chains
 COSIGN_EXPERIMENTAL=1 cosign attest \
  --predicate <(jq '{"results": .}' image-fail.json) \
  --type https://redhat.com/test/v1 \
  --rekor-url https://rekor-server.apps-crc.testing \
  --key k8s://tekton-chains/signing-secrets \
  $IMAGE
diff --git a/02 image-fail.json b/02 image-fail.json
 [
  {
    "filename": "image-fail.json",
    "namespace": "main",
    "successes": 19,
    "warnings": [
      {
        "msg": "The 'maintainer' label should be defined",
        "metadata": {
          "details": {
            "description": "The name and email of the maintainer (usually the submitter). Should contain `@redhat.com` or `Red Hat`.",
            "name": "maintainer_label_required",
            "url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
          }
        }
      }
    ],
    "failures": [
      {
        "msg": "The Architecture label is deprecated",
        "metadata": {
          "details": {
            "description": "The 'Architecture' label is deprecated, replace with 'architecture'",
            "name": "architecture_label_deprecated",
            "url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
          }
        }
      },
      {
        "msg": "The Release label is deprecated",
        "metadata": {
          "details": {
            "description": "The 'Release' label is deprecated, replace with 'release'",
            "name": "release_label_deprecated",
            "url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
          }
        }
      },
      {
        "msg": "The 'architecture' label is required",
        "metadata": {
          "details": {
            "description": "Architecture the software in the image should target.",
            "name": "architecture_label_required",
            "url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
          }
        }
      },
      {
        "msg": "The 'release' label is required",
        "metadata": {
          "details": {
            "description": "Release Number for this version.",
            "name": "release_label_required",
            "url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
          }
        }
      }
    ]
  }
 ]
diff --git a/03 attestation-layer-in-image.json b/03 attestation-layer-in-image.json
 {
  "payloadType": "application/vnd.in-toto+json",
  "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3JlZGhhdC5jb20vdGVzdC92MSIsInN1YmplY3QiOlt7Im5hbWUiOiJkZWZhdWx0LXJvdXRlLW9wZW5zaGlmdC1pbWFnZS1yZWdpc3RyeS5hcHBzLWNyYy50ZXN0aW5nL3Rla3Rvbi1jaGFpbnMva2FuaWtvLWNoYWlucyIsImRpZ2VzdCI6eyJzaGEyNTYiOiI3ZDQ5MTVmMmE5N2RkNDEwNzAzN2Y3Njk4ODlkZDYxNDhmN2NkMTc0ODNiNTFjZTFkMzhiM2E0MWY4OWY4YzFhIn19XSwicHJlZGljYXRlIjp7InJlc3VsdHMiOlt7ImZhaWx1cmVzIjpbeyJtZXRhZGF0YSI6eyJkZXRhaWxzIjp7ImRlc2NyaXB0aW9uIjoiVGhlICdBcmNoaXRlY3R1cmUnIGxhYmVsIGlzIGRlcHJlY2F0ZWQsIHJlcGxhY2Ugd2l0aCAnYXJjaGl0ZWN0dXJlJyIsIm5hbWUiOiJhcmNoaXRlY3R1cmVfbGFiZWxfZGVwcmVjYXRlZCIsInVybCI6Imh0dHBzOi8vc291cmNlLnJlZGhhdC5jb20vZ3JvdXBzL3B1YmxpYy9jb250YWluZXItYnVpbGQtc3lzdGVtL2NvbnRhaW5lcl9idWlsZF9zeXN0ZW1fd2lraS9ndWlkZV90b19sYXllcmVkX2ltYWdlX2J1aWxkX3NlcnZpY2Vfb3NicyNqaXZlX2NvbnRlbnRfaWRfTGFiZWxzIn19LCJtc2ciOiJUaGUgQXJjaGl0ZWN0dXJlIGxhYmVsIGlzIGRlcHJlY2F0ZWQifSx7Im1ldGFkYXRhIjp7ImRldGFpbHMiOnsiZGVzY3JpcHRpb24iOiJUaGUgJ1JlbGVhc2UnIGxhYmVsIGlzIGRlcHJlY2F0ZWQsIHJlcGxhY2Ugd2l0aCAncmVsZWFzZSciLCJuYW1lIjoicmVsZWFzZV9sYWJlbF9kZXByZWNhdGVkIiwidXJsIjoiaHR0cHM6Ly9zb3VyY2UucmVkaGF0LmNvbS9ncm91cHMvcHVibGljL2NvbnRhaW5lci1idWlsZC1zeXN0ZW0vY29udGFpbmVyX2J1aWxkX3N5c3RlbV93aWtpL2d1aWRlX3RvX2xheWVyZWRfaW1hZ2VfYnVpbGRfc2VydmljZV9vc2JzI2ppdmVfY29udGVudF9pZF9MYWJlbHMifX0sIm1zZyI6IlRoZSBSZWxlYXNlIGxhYmVsIGlzIGRlcHJlY2F0ZWQifSx7Im1ldGFkYXRhIjp7ImRldGFpbHMiOnsiZGVzY3JpcHRpb24iOiJBcmNoaXRlY3R1cmUgdGhlIHNvZnR3YXJlIGluIHRoZSBpbWFnZSBzaG91bGQgdGFyZ2V0LiIsIm5hbWUiOiJhcmNoaXRlY3R1cmVfbGFiZWxfcmVxdWlyZWQiLCJ1cmwiOiJodHRwczovL3NvdXJjZS5yZWRoYXQuY29tL2dyb3Vwcy9wdWJsaWMvY29udGFpbmVyLWJ1aWxkLXN5c3RlbS9jb250YWluZXJfYnVpbGRfc3lzdGVtX3dpa2kvZ3VpZGVfdG9fbGF5ZXJlZF9pbWFnZV9idWlsZF9zZXJ2aWNlX29zYnMjaml2ZV9jb250ZW50X2lkX0xhYmVscyJ9fSwibXNnIjoiVGhlICdhcmNoaXRlY3R1cmUnIGxhYmVsIGlzIHJlcXVpcmVkIn0seyJtZXRhZGF0YSI6eyJkZXRhaWxzIjp7ImRlc2NyaXB0aW9uIjoiUmVsZWFzZSBOdW1iZXIgZm9yIHRoaXMgdmVyc2lvbi4iLCJuYW1lIjoicmVsZWFzZV9sYWJlbF9yZXF1aXJlZCIsInVybCI6Imh0dHBzOi8vc291cmNlLnJlZGhhdC5jb20vZ3JvdXBzL3B1YmxpYy9jb250YWluZXItYnVpbGQtc3lzdGVtL2NvbnRhaW5lcl9idWlsZF9zeXN0ZW1fd2lraS9ndWlkZV90b19sYXllcmVkX2ltYWdlX2J1aWxkX3NlcnZpY2Vfb3NicyNqaXZlX2NvbnRlbnRfaWRfTGFiZWxzIn19LCJtc2ciOiJUaGUgJ3JlbGVhc2UnIGxhYmVsIGlzIHJlcXVpcmVkIn1dLCJmaWxlbmFtZSI6ImltYWdlLWZhaWwuanNvbiIsIm5hbWVzcGFjZSI6Im1haW4iLCJzdWNjZXNzZXMiOjE5LCJ3YXJuaW5ncyI6W3sibWV0YWRhdGEiOnsiZGV0YWlscyI6eyJkZXNjcmlwdGlvbiI6IlRoZSBuYW1lIGFuZCBlbWFpbCBvZiB0aGUgbWFpbnRhaW5lciAodXN1YWxseSB0aGUgc3VibWl0dGVyKS4gU2hvdWxkIGNvbnRhaW4gYEByZWRoYXQuY29tYCBvciBgUmVkIEhhdGAuIiwibmFtZSI6Im1haW50YWluZXJfbGFiZWxfcmVxdWlyZWQiLCJ1cmwiOiJodHRwczovL3NvdXJjZS5yZWRoYXQuY29tL2dyb3Vwcy9wdWJsaWMvY29udGFpbmVyLWJ1aWxkLXN5c3RlbS9jb250YWluZXJfYnVpbGRfc3lzdGVtX3dpa2kvZ3VpZGVfdG9fbGF5ZXJlZF9pbWFnZV9idWlsZF9zZXJ2aWNlX29zYnMjaml2ZV9jb250ZW50X2lkX0xhYmVscyJ9fSwibXNnIjoiVGhlICdtYWludGFpbmVyJyBsYWJlbCBzaG91bGQgYmUgZGVmaW5lZCJ9XX1dfX0=",
  "signatures": [
    {
      "keyid": "",
      "sig": "MEYCIQD0idxC3MJ1cFSAy03SOhmJVdQdRZ86Dh7VjQ5UHSB8DAIhAPvZXy6X/bCq5VhWEMkdc7WyOsC1ATSgm73BkBUgrz9d"
    }
  ]
 }
diff --git a/04 in-toto-statement-from-attestation.json b/04 in-toto-statement-from-attestation.json
 {
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://redhat.com/test/v1",
  "subject": [
    {
      "name": "default-route-openshift-image-registry.apps-crc.testing/tekton-chains/kaniko-chains",
      "digest": {
        "sha256": "7d4915f2a97dd4107037f769889dd6148f7cd17483b51ce1d38b3a41f89f8c1a"
      }
    }
  ],
  "predicate": {
    "results": [
      {
        "failures": [
          {
            "metadata": {
              "details": {
                "description": "The 'Architecture' label is deprecated, replace with 'architecture'",
                "name": "architecture_label_deprecated",
                "url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
              }
            },
            "msg": "The Architecture label is deprecated"
          },
          {
            "metadata": {
              "details": {
                "description": "The 'Release' label is deprecated, replace with 'release'",
                "name": "release_label_deprecated",
                "url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
              }
            },
            "msg": "The Release label is deprecated"
          },
          {
            "metadata": {
              "details": {
                "description": "Architecture the software in the image should target.",
                "name": "architecture_label_required",
                "url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
              }
            },
            "msg": "The 'architecture' label is required"
          },
          {
            "metadata": {
              "details": {
                "description": "Release Number for this version.",
                "name": "release_label_required",
                "url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
              }
            },
            "msg": "The 'release' label is required"
          }
        ],
        "filename": "image-fail.json",
        "namespace": "main",
        "successes": 19,
        "warnings": [
          {
            "metadata": {
              "details": {
                "description": "The name and email of the maintainer (usually the submitter). Should contain `@redhat.com` or `Red Hat`.",
                "name": "maintainer_label_required",
                "url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
              }
            },
            "msg": "The 'maintainer' label should be defined"
          }
        ]
      }
    ]
  }
 }
	IMAGE=default-route-openshift-image-registry.apps-crc.testing/tekton-chains/kaniko-chains
	COSIGN_EXPERIMENTAL=1 cosign attest \
	--predicate <(jq '{"results": .}' image-fail.json) \
	--type https://redhat.com/test/v1 \
	--rekor-url https://rekor-server.apps-crc.testing \
	--key k8s://tekton-chains/signing-secrets \
	$IMAGE
	[
	{
	"filename": "image-fail.json",
	"namespace": "main",
	"successes": 19,
	"warnings": [
	{
	"msg": "The 'maintainer' label should be defined",
	"metadata": {
	"details": {
	"description": "The name and email of the maintainer (usually the submitter). Should contain `@redhat.com` or `Red Hat`.",
	"name": "maintainer_label_required",
	"url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
	}
	}
	}
	],
	"failures": [
	{
	"msg": "The Architecture label is deprecated",
	"metadata": {
	"details": {
	"description": "The 'Architecture' label is deprecated, replace with 'architecture'",
	"name": "architecture_label_deprecated",
	"url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
	}
	}
	},
	{
	"msg": "The Release label is deprecated",
	"metadata": {
	"details": {
	"description": "The 'Release' label is deprecated, replace with 'release'",
	"name": "release_label_deprecated",
	"url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
	}
	}
	},
	{
	"msg": "The 'architecture' label is required",
	"metadata": {
	"details": {
	"description": "Architecture the software in the image should target.",
	"name": "architecture_label_required",
	"url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
	}
	}
	},
	{
	"msg": "The 'release' label is required",
	"metadata": {
	"details": {
	"description": "Release Number for this version.",
	"name": "release_label_required",
	"url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
	}
	}
	}
	]
	}
	]
	{
	"payloadType": "application/vnd.in-toto+json",
	"payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3JlZGhhdC5jb20vdGVzdC92MSIsInN1YmplY3QiOlt7Im5hbWUiOiJkZWZhdWx0LXJvdXRlLW9wZW5zaGlmdC1pbWFnZS1yZWdpc3RyeS5hcHBzLWNyYy50ZXN0aW5nL3Rla3Rvbi1jaGFpbnMva2FuaWtvLWNoYWlucyIsImRpZ2VzdCI6eyJzaGEyNTYiOiI3ZDQ5MTVmMmE5N2RkNDEwNzAzN2Y3Njk4ODlkZDYxNDhmN2NkMTc0ODNiNTFjZTFkMzhiM2E0MWY4OWY4YzFhIn19XSwicHJlZGljYXRlIjp7InJlc3VsdHMiOlt7ImZhaWx1cmVzIjpbeyJtZXRhZGF0YSI6eyJkZXRhaWxzIjp7ImRlc2NyaXB0aW9uIjoiVGhlICdBcmNoaXRlY3R1cmUnIGxhYmVsIGlzIGRlcHJlY2F0ZWQsIHJlcGxhY2Ugd2l0aCAnYXJjaGl0ZWN0dXJlJyIsIm5hbWUiOiJhcmNoaXRlY3R1cmVfbGFiZWxfZGVwcmVjYXRlZCIsInVybCI6Imh0dHBzOi8vc291cmNlLnJlZGhhdC5jb20vZ3JvdXBzL3B1YmxpYy9jb250YWluZXItYnVpbGQtc3lzdGVtL2NvbnRhaW5lcl9idWlsZF9zeXN0ZW1fd2lraS9ndWlkZV90b19sYXllcmVkX2ltYWdlX2J1aWxkX3NlcnZpY2Vfb3NicyNqaXZlX2NvbnRlbnRfaWRfTGFiZWxzIn19LCJtc2ciOiJUaGUgQXJjaGl0ZWN0dXJlIGxhYmVsIGlzIGRlcHJlY2F0ZWQifSx7Im1ldGFkYXRhIjp7ImRldGFpbHMiOnsiZGVzY3JpcHRpb24iOiJUaGUgJ1JlbGVhc2UnIGxhYmVsIGlzIGRlcHJlY2F0ZWQsIHJlcGxhY2Ugd2l0aCAncmVsZWFzZSciLCJuYW1lIjoicmVsZWFzZV9sYWJlbF9kZXByZWNhdGVkIiwidXJsIjoiaHR0cHM6Ly9zb3VyY2UucmVkaGF0LmNvbS9ncm91cHMvcHVibGljL2NvbnRhaW5lci1idWlsZC1zeXN0ZW0vY29udGFpbmVyX2J1aWxkX3N5c3RlbV93aWtpL2d1aWRlX3RvX2xheWVyZWRfaW1hZ2VfYnVpbGRfc2VydmljZV9vc2JzI2ppdmVfY29udGVudF9pZF9MYWJlbHMifX0sIm1zZyI6IlRoZSBSZWxlYXNlIGxhYmVsIGlzIGRlcHJlY2F0ZWQifSx7Im1ldGFkYXRhIjp7ImRldGFpbHMiOnsiZGVzY3JpcHRpb24iOiJBcmNoaXRlY3R1cmUgdGhlIHNvZnR3YXJlIGluIHRoZSBpbWFnZSBzaG91bGQgdGFyZ2V0LiIsIm5hbWUiOiJhcmNoaXRlY3R1cmVfbGFiZWxfcmVxdWlyZWQiLCJ1cmwiOiJodHRwczovL3NvdXJjZS5yZWRoYXQuY29tL2dyb3Vwcy9wdWJsaWMvY29udGFpbmVyLWJ1aWxkLXN5c3RlbS9jb250YWluZXJfYnVpbGRfc3lzdGVtX3dpa2kvZ3VpZGVfdG9fbGF5ZXJlZF9pbWFnZV9idWlsZF9zZXJ2aWNlX29zYnMjaml2ZV9jb250ZW50X2lkX0xhYmVscyJ9fSwibXNnIjoiVGhlICdhcmNoaXRlY3R1cmUnIGxhYmVsIGlzIHJlcXVpcmVkIn0seyJtZXRhZGF0YSI6eyJkZXRhaWxzIjp7ImRlc2NyaXB0aW9uIjoiUmVsZWFzZSBOdW1iZXIgZm9yIHRoaXMgdmVyc2lvbi4iLCJuYW1lIjoicmVsZWFzZV9sYWJlbF9yZXF1aXJlZCIsInVybCI6Imh0dHBzOi8vc291cmNlLnJlZGhhdC5jb20vZ3JvdXBzL3B1YmxpYy9jb250YWluZXItYnVpbGQtc3lzdGVtL2NvbnRhaW5lcl9idWlsZF9zeXN0ZW1fd2lraS9ndWlkZV90b19sYXllcmVkX2ltYWdlX2J1aWxkX3NlcnZpY2Vfb3NicyNqaXZlX2NvbnRlbnRfaWRfTGFiZWxzIn19LCJtc2ciOiJUaGUgJ3JlbGVhc2UnIGxhYmVsIGlzIHJlcXVpcmVkIn1dLCJmaWxlbmFtZSI6ImltYWdlLWZhaWwuanNvbiIsIm5hbWVzcGFjZSI6Im1haW4iLCJzdWNjZXNzZXMiOjE5LCJ3YXJuaW5ncyI6W3sibWV0YWRhdGEiOnsiZGV0YWlscyI6eyJkZXNjcmlwdGlvbiI6IlRoZSBuYW1lIGFuZCBlbWFpbCBvZiB0aGUgbWFpbnRhaW5lciAodXN1YWxseSB0aGUgc3VibWl0dGVyKS4gU2hvdWxkIGNvbnRhaW4gYEByZWRoYXQuY29tYCBvciBgUmVkIEhhdGAuIiwibmFtZSI6Im1haW50YWluZXJfbGFiZWxfcmVxdWlyZWQiLCJ1cmwiOiJodHRwczovL3NvdXJjZS5yZWRoYXQuY29tL2dyb3Vwcy9wdWJsaWMvY29udGFpbmVyLWJ1aWxkLXN5c3RlbS9jb250YWluZXJfYnVpbGRfc3lzdGVtX3dpa2kvZ3VpZGVfdG9fbGF5ZXJlZF9pbWFnZV9idWlsZF9zZXJ2aWNlX29zYnMjaml2ZV9jb250ZW50X2lkX0xhYmVscyJ9fSwibXNnIjoiVGhlICdtYWludGFpbmVyJyBsYWJlbCBzaG91bGQgYmUgZGVmaW5lZCJ9XX1dfX0=",
	"signatures": [
	{
	"keyid": "",
	"sig": "MEYCIQD0idxC3MJ1cFSAy03SOhmJVdQdRZ86Dh7VjQ5UHSB8DAIhAPvZXy6X/bCq5VhWEMkdc7WyOsC1ATSgm73BkBUgrz9d"
	}
	]
	}
	{
	"_type": "https://in-toto.io/Statement/v0.1",
	"predicateType": "https://redhat.com/test/v1",
	"subject": [
	{
	"name": "default-route-openshift-image-registry.apps-crc.testing/tekton-chains/kaniko-chains",
	"digest": {
	"sha256": "7d4915f2a97dd4107037f769889dd6148f7cd17483b51ce1d38b3a41f89f8c1a"
	}
	}
	],
	"predicate": {
	"results": [
	{
	"failures": [
	{
	"metadata": {
	"details": {
	"description": "The 'Architecture' label is deprecated, replace with 'architecture'",
	"name": "architecture_label_deprecated",
	"url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
	}
	},
	"msg": "The Architecture label is deprecated"
	},
	{
	"metadata": {
	"details": {
	"description": "The 'Release' label is deprecated, replace with 'release'",
	"name": "release_label_deprecated",
	"url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
	}
	},
	"msg": "The Release label is deprecated"
	},
	{
	"metadata": {
	"details": {
	"description": "Architecture the software in the image should target.",
	"name": "architecture_label_required",
	"url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
	}
	},
	"msg": "The 'architecture' label is required"
	},
	{
	"metadata": {
	"details": {
	"description": "Release Number for this version.",
	"name": "release_label_required",
	"url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
	}
	},
	"msg": "The 'release' label is required"
	}
	],
	"filename": "image-fail.json",
	"namespace": "main",
	"successes": 19,
	"warnings": [
	{
	"metadata": {
	"details": {
	"description": "The name and email of the maintainer (usually the submitter). Should contain `@redhat.com` or `Red Hat`.",
	"name": "maintainer_label_required",
	"url": "https://source.redhat.com/groups/public/container-build-system/container_build_system_wiki/guide_to_layered_image_build_service_osbs#jive_content_id_Labels"
	}
	},
	"msg": "The 'maintainer' label should be defined"
	}
	]
	}
	]
	}
	}