| type | category | description | title | weight |
|---|---|---|---|---|
docs |
About sigstore |
Information about the Sigstore bundle format |
Sigstore Bundle Format |
4 |
Last updated January 14, 2025
Version 0.3.2
This document describes the data structure for storing Sigstore signatures generated by tooling
working in the context of the Sigstore Public Instance. It includes json examples of
serialized bundles of the current bundle format version. It may exclude descriptions of parameters
that continue to exist for compatibility reasons or for private use cases. For a full description of
the format, the formal schema and information about language library support see
sigstore/protobuf-specs.
A Sigstore bundle is everything required to verify a signature on an artifact. This is satisfied by the Verification Material and signature Content.
This is key material used to verify signatures along with supporting metadata like transparency log entries and timestamps. When using short lived Fulcio certificates where verification may occur after the certificate has expired, bundles must include at least one transparency log's signed entry timestamp or an RFC3161 timestamp to provide proof that signing occured during the ceritificates validity window.
A single X.509 leaf certificate conveying the signing key and containing extensions
for identities consumed at verification time. This is the recommended "verificationMaterial" type
for use with the public Sigstore infrastructure.
"verificationMaterial": {
"certificate": {
"rawBytes": "<Base64(DER bytes)>"
}
}A hint to identify an out of band delivered key to verify a signature. Like traditional PKI key distribution the format of the hint must be agreed upon out of band by the signer and the verifiers. The key itself is not embedded in the Sigstore bundle.
"verificationMaterial": {
"publicKeyIdentifier": {
"hint": "<HINT>"
}
}Transparency Log entries can provide proof that a signing event was written to a public log. They are not required by the spec but inclusion of one or more transparency log entries is highly encouraged for bundles subject to public consumption. The embedded signed entry timestamp may be used to validate signing occurred during ceritificate validity.
"verificationMaterial": {
"tlogEntries": [
{
"logIndex": "<GLOBAL_LOG_INDEX>",
"logId": {
"keyId": "<KEY_ID>",
},
"kindVersion": {
"kind": "(hashrekord | dsse)",
"version": "<VERSION>"
},
"integratedTime": "<UNIX_TIMESTAMP>",
"inclusionPromise": {
"signedEntryTimestamp": "<Base64(SET bytes)>"
},
"inclusionProof": {
"logIndex": "<TREE_INDEX>",
"rootHash": "<Base64(HASH)>",
"treeSize": "<TREE_SIZE>",
"hashes": [
"<Base64(HASH)>",
"<Base64(HASH)>",
"<Base64(HASH)>"
],
"checkpoint": {
"envelope": "<TLOG CHECKPOINT SIGNED NOTE>"
}
},
"canonicalizedBody": "<Base64(JSON)>"
},
]
}Zero or more RFC3161 timestamps to validate signing occurred during ceritificate validity.
"verificationMaterial": {
"timestampVerificationData": {
"rfc3161Timestamps": [
{
"signedTimestamp": "<Base64(RFC3161 TIMESTAMP)>"
},
]
}
}This is the signature data for which the Verification Material is defined over. It must be one of Message Signature over an artifact hash or a DSSE envelope for attestations.
This is a computed signature over a message (typically an arifact hash). It may contain a
message_digest for informational purposes, but it must be provided or computed from a provided
artifact at verification time.
"messageSignature": {
"messageDigest": {
"algorithm": "<HASH ALGORITHM>",
"digest": "<Base64(DIGEST)>"
},
"signature": "<Base64(SIGNATURE)>"
}The DSSE envelope in a Sigstore Bundle must conform to the in-toto Envelope layer specification where payloadType is "application/vnd.in-toto+json" and the payload is an in-toto statement. DSSE envelopes in a Sigstore Bundle must also contain only a single signature (the DSSE spec allows multiple).
"dsseEnvelope": {
{
"payload": "<Base64(JSON_IN_TOTO_STATEMENT)>",
"payloadType": "application/vnd.in-toto+json",
"signatures": [{
"keyid": "<KEY_ID>",
"sig": "<Base64(SIGNATURE)>"
}]
}
}Here are some example bundles from the Sigstore public infrastructure.
Bundle with Message Signature over an artifact (sigstore-java-1.0.0.jar). This example includes a single transparency log entry with a signed entry timestamp for signing time verification.
{
"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
"verificationMaterial": {
"tlogEntries": [{
"logIndex": "125680200",
"logId": {
"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="
},
"kindVersion": {
"kind": "hashedrekord",
"version": "0.0.1"
},
"integratedTime": "1724870676",
"inclusionPromise": {
"signedEntryTimestamp": "MEYCIQCAKWrmj0LZ77rfiMXEat9gCCJxX4pgQfZqNc+tvF7gaAIhAJFtyypsWCbLDJ+NAMzPoY1AkQ1inhhQ3pZC5PaBCI8C"
},
"inclusionProof": {
"logIndex": "3775938",
"rootHash": "nEpjeg/gaT1EOcKQAr3q/XGdnuKzLsf4UhgZrwtTU+8=",
"treeSize": "3775939",
"hashes": ["vNwG4wbIsTeCSn9JageqhtCb6VvgYEKSw3Xro8zMF3s=", "3Cue+tnRytahmzjIHIig4/fKMN9WAQmi/8g4Fdk6+8k=", "2EvX4swCFD/LILwJKa300/8gGp/NrdPRJmS5xD5vTKE=", "7hEYrEVIERVjsDqdu600HLZ8gNcv7a45T2PI6RSmuzQ=", "Uh7WsOJYvurV8PIbjfhlLyW+CP+/HENUKB4tooMfNZo=", "Qs+LtoqLx2sFhSJUuUlbJs13xTJzH7lVPpEKpXBZyvI=", "kM4w7ZLh5iktz4xR9ECXn9elEJIaqockScafEFL7ieY=", "LomN2mlfw+qbbFGvCNfr3vCBrZ4EU/lqnL4TO0yc9Zw=", "22569ZiSqZcajfTf9Ct4LFEWDtLlHeaTpoPCFqeZtWQ=", "QxmVWsbTp4cClxuAkuT51UH2EY7peHMVGKq7+b+cGwQ=", "Q2LAtNzOUh+3PfwfMyNxYb06fTQmF3VeTT6Fr6Upvfc=", "ftwAu6v62WFDoDmcZ1JKfrRPrvuiIw5v3BvRsgQj7N8="],
"checkpoint": {
"envelope": "rekor.sigstore.dev - 1193050959916656506\n3775939\nnEpjeg/gaT1EOcKQAr3q/XGdnuKzLsf4UhgZrwtTU+8\u003d\n\n— rekor.sigstore.dev wNI9ajBEAiA/TrOctVDd1vjn/IrzCU8Fm7mhUlJ2FN739iGpqMomHgIgRwwqXaijp0RRTgyRxYUsCZ6LFvewTTEyaPmO4vHKqgk\u003d\n"
}
},
"canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1YmUyNmYxNzc3YTM1MWEyZjc3MGU5MWRiY2VhZTBhYWEzZjZlMjZlOGFkMjE4YzZhYzE2Y2FhNzgzYTVhYTBkIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJQWxWTTlHR0VGV2dXYjJzdCtHRVlVVUphTXhGZXYxYlc2TVRzV2RnYks1YkFpRUFvWFhKTlFBQ1JGNG82OEx0V0dvVFdKZWVzekRrRXZlUWthOFQ2KzhYeTRBPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVaGFSRU5EUW5WeFowRjNTVUpCWjBsVlFVOTVWMWswTUdOdVJXbHNWMnhPYm1GVlJtaEdZMmR0YURoemQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFJkMDlFU1RSTlZHY3dUa1JOTUZkb1kwNU5hbEYzVDBSSk5FMVVaekZPUkUwd1YycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZRYkdwbFpuWmpibXd4YVhaQmF6RlJRalZFZG5Nd1VYVm1iRWRxUmxObFYxUlFMMDhLZEcxaE4yNXlRMVJZUjFGMFVXZEVTVzVLVTFKeFRWTTNWRE4yWjJ0MlpYTXlVMUUyWkVGR2JXeDBURWxYWjBsS2R6WlBRMEpuYTNkbloxbEdUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZRZDNGa0NtTlhaMjlHYjJadWJsTmtWekJ3U0hkclJtaHZhMUJOZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDJabldVUldVakJTUVZGSUwwSklVWGRqYjFwM1lVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVEROT2NGb3pUakJpTTBwc1RETk9jQXBhTTA0d1lqTktiRXhYY0doa2JVVjJURzFrY0dSSGFERlphVGt6WWpOS2NscHRlSFprTTAxMlkyMVdjMXBYUm5wYVV6RjZZVmRrZW1SSE9YbGFVekZ4Q2xsWVdtaE1WMXA1WWpJd2RHUkhSbTVNYm14b1lsZDRRV050Vm0xamVUa3dXVmRrZWt3eldYaE1ha0YxVFVSQk5VSm5iM0pDWjBWRlFWbFBMMDFCUlVJS1FrTjBiMlJJVW5kamVtOTJURE5TZG1FeVZuVk1iVVpxWkVkc2RtSnVUWFZhTW13d1lVaFdhV1JZVG14amJVNTJZbTVTYkdKdVVYVlpNamwwVFVJNFJ3cERhWE5IUVZGUlFtYzNPSGRCVVVsRlJWaGtkbU50ZEcxaVJ6a3pXREpTY0dNelFtaGtSMDV2VFVSWlIwTnBjMGRCVVZGQ1p6YzRkMEZSVFVWTFIxRjVDazVxUVhwTmVsRXdXVlJyZWs1VVpHcFphbU42VFZSUmVWa3lTVEpPVjA1b1dtcFdiVTE2Ykd0YVIwa3dUV3BuZWs5VVZYZFVaMWxMUzNkWlFrSkJSMFFLZG5wQlFrSkJVa0ZWYlZaeldsZEdlbHBUUW5waFYyUjZaRWM1ZVZwVE1YRlpXRnBvU1VkR2RWcERRbnBoVjJSNlpFYzVlVnBUTVhSWldGcHNZbWt4ZHdwaVNGWnVZVmMwWjJSSE9HZFVWMFl5V2xjMFoxRXlWblZrU0Vwb1lrUkJhMEpuYjNKQ1owVkZRVmxQTDAxQlJVWkNRbHA2WVZka2VtUkhPWGxhVXpsNkNtRlhaSHBrUnpsNVdsTXhjVmxZV21oTlFqUkhRMmx6UjBGUlVVSm5OemgzUVZGWlJVVklTbXhhYmsxMlpFZEdibU41T1RKTlV6UjNUR3BCZDA5M1dVc0tTM2RaUWtKQlIwUjJla0ZDUTBGUmRFUkRkRzlrU0ZKM1kzcHZka3d6VW5aaE1sWjFURzFHYW1SSGJIWmliazExV2pKc01HRklWbWxrV0U1c1kyMU9kZ3BpYmxKc1ltNVJkVmt5T1hSTlNVZEJRbWR2Y2tKblJVVkJXVTh2VFVGRlNrSklTVTFqUjJnd1pFaENlazlwT0haYU1td3dZVWhXYVV4dFRuWmlVemw2Q21GWFpIcGtSemw1V2xNNWVtRlhaSHBrUnpsNVdsTXhjVmxZV21oTWVUVnVZVmhTYjJSWFNYWmtNamw1WVRKYWMySXpaSHBNTTBwc1lrZFdhR015VlhRS1l6SnNibU16VW5aamJWVjBZVzFHTWxsVE1XMWpiVGwwVEZoU2FGcDVOVFZaVnpGelVVaEtiRnB1VFhaa1IwWnVZM2s1TWsxVE5IZE1ha0YzVDBGWlN3cExkMWxDUWtGSFJIWjZRVUpEWjFGeFJFTm9hMDFxV1hkTmVrMHdUa2RGTlUxNlZUTlpNa2t6VFhwRk1FMXRUbWxPYWxacVdWZFpNVnBxVFRWYVIxSnBDazVFU1RSTmVtc3hUVUl3UjBOcGMwZEJVVkZDWnpjNGQwRlJjMFZFZDNkT1dqSnNNR0ZJVm1sTVYyaDJZek5TYkZwRVFUVkNaMjl5UW1kRlJVRlpUeThLVFVGRlRVSkRjMDFMVjJnd1pFaENlazlwT0haYU1td3dZVWhXYVV4dFRuWmlVemw2WVZka2VtUkhPWGxhVXpsNllWZGtlbVJIT1hsYVV6RnhXVmhhYUFwTlJHZEhRMmx6UjBGUlVVSm5OemgzUVZFd1JVdG5kMjlhUkVreVRVUk5lazVFVW1oUFZFMHhUakpPYVU1NlRYaE9SRXBxV1dwWk1Wa3lSbTFPVjFsNkNrOVhVbXRaYWxGNVQwUk5OVTVVUVdkQ1oyOXlRbWRGUlVGWlR5OU5RVVZQUWtKSlRVVklTbXhhYmsxMlpFZEdibU41T1RKTlV6UjNUR3BCZDBkUldVc0tTM2RaUWtKQlIwUjJla0ZDUkhkUlRFUkJhekJPYWtGNFQwUlJNMDFFWjNkTGQxbExTM2RaUWtKQlIwUjJla0ZDUlVGUlpFUkNkRzlrU0ZKM1kzcHZkZ3BNTW1Sd1pFZG9NVmxwTldwaU1qQjJZekpzYm1NelVuWmpiVlYzUjBGWlMwdDNXVUpDUVVkRWRucEJRa1ZSVVV0RVFXY3pUVlJCTlU1cVRURk5la05DQ21kQldVdExkMWxDUWtGSFJIWjZRVUpGWjFKNVJFaENiMlJJVW5kamVtOTJUREprY0dSSGFERlphVFZxWWpJd2RtTXliRzVqTTFKMlkyMVZkbU15Ykc0S1l6TlNkbU50VlhSaGJVWXlXVk00ZFZveWJEQmhTRlpwVEROa2RtTnRkRzFpUnprelkzazVlVnBYZUd4WldFNXNURmhPY0ZvelRqQmlNMHBzVEZkd2FBcGtiVVYwV201S2RtSlRNVEJaVjJOMVpWZEdkR0pGUW5sYVYxcDZURE5TYUZvelRYWmtha1YxVFVNMGQwMUVaMGREYVhOSFFWRlJRbWMzT0hkQlVrMUZDa3RuZDI5YVJFa3lUVVJOZWs1RVVtaFBWRTB4VGpKT2FVNTZUWGhPUkVwcVdXcFpNVmt5Um0xT1YxbDZUMWRTYTFscVVYbFBSRTAxVGxSQmFFSm5iM0lLUW1kRlJVRlpUeTlOUVVWVlFrSk5UVVZZWkhaamJYUnRZa2M1TTFneVVuQmpNMEpvWkVkT2IwMUdNRWREYVhOSFFWRlJRbWMzT0hkQlVsVkZWSGQ0VGdwaFNGSXdZMGhOTmt4NU9XNWhXRkp2WkZkSmRWa3lPWFJNTTA1d1dqTk9NR0l6U214TU0wNXdXak5PTUdJelNteE1WM0JvWkcxRmRsbFhUakJoVnpsMUNtTjVPWGxrVnpWNlRIcEZkMDVxUVhsT1JGRXlUMVJGTUV3eVJqQmtSMVowWTBoU2VreDZSWGRHWjFsTFMzZFpRa0pCUjBSMmVrRkNSbWRSU1VSQlduY0taRmRLYzJGWFRYZG5XVzlIUTJselIwRlJVVUl4Ym10RFFrRkpSV1pCVWpaQlNHZEJaR2RFWkZCVVFuRjRjMk5TVFcxTldraG9lVnBhZW1ORGIydHdaUXAxVGpRNGNtWXJTR2x1UzBGTWVXNTFhbWRCUVVGYVIyRlVZMjA0UVVGQlJVRjNRa2hOUlZWRFNVaFhiVkpGYVhZNVRrbHlUbnBDTkhoMFVVSkRaa1pUQ25waVNUY3paREV4VlVvMVVUQnRORlJHVlZvMFFXbEZRVGMwTW1WQ2RsaG1hVXhrVFN0dksyOUlZbVJ6UjJsTEwzcHBjMXAyZUV4c2IzQmhTRXQ1U0NzS1ZrRlpkME5uV1VsTGIxcEplbW93UlVGM1RVUmhRVUYzV2xGSmVFRkxjRzVXYUc5dFluUmlSV1YyVFVsU1MyVmlXWEphVm1NMFlsUmlZVmxyYUVOMVNBcDVMMmRVWW00cmFXeHVSWEphY1hsNlVGQkNkWEYzZEc1c1NHZDBiMUZKZDBVMmJGTnBSbE52VmtsblIwNWpXVVIxUWxWRmNIbFZhR2xGV0VodE5UVkhDbEp2YnpneVRYSmpNMlIzV0dkR1FqRk1LM1l2Y1ZwSFpFOWtVazFtY2k5aENpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyJ9fX19"
}],
"certificate": {
"rawBytes": "MIIHZDCCBuqgAwIBAgIUAOyWY40cnEilWlNnaUFhFcgmh8swCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjQwODI4MTg0NDM0WhcNMjQwODI4MTg1NDM0WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPljefvcnl1ivAk1QB5Dvs0QuflGjFSeWTP/Otma7nrCTXGQtQgDInJSRqMS7T3vgkves2SQ6dAFmltLIWgIJw6OCBgkwggYFMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUPwqdcWgoFofnnSdW0pHwkFhokPMwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wfgYDVR0RAQH/BHQwcoZwaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWphdmEvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS1zaWdzdG9yZS1qYXZhLWZyb20tdGFnLnlhbWxAcmVmcy90YWdzL3YxLjAuMDA5BgorBgEEAYO/MAEBBCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMB8GCisGAQQBg78wAQIEEXdvcmtmbG93X2Rpc3BhdGNoMDYGCisGAQQBg78wAQMEKGQyNjAzMzQ0YTkzNTdjYjczMTQyY2I2NWNhZjVmMzlkZGI0MjgzOTUwTgYKKwYBBAGDvzABBARAUmVsZWFzZSBzaWdzdG9yZS1qYXZhIGFuZCBzaWdzdG9yZS1tYXZlbi1wbHVnaW4gdG8gTWF2ZW4gQ2VudHJhbDAkBgorBgEEAYO/MAEFBBZzaWdzdG9yZS9zaWdzdG9yZS1qYXZhMB4GCisGAQQBg78wAQYEEHJlZnMvdGFncy92MS4wLjAwOwYKKwYBBAGDvzABCAQtDCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMIGABgorBgEEAYO/MAEJBHIMcGh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qYXZhLy5naXRodWIvd29ya2Zsb3dzL3JlbGVhc2Utc2lnc3RvcmUtamF2YS1mcm9tLXRhZy55YW1sQHJlZnMvdGFncy92MS4wLjAwOAYKKwYBBAGDvzABCgQqDChkMjYwMzM0NGE5MzU3Y2I3MzE0MmNiNjVjYWY1ZjM5ZGRiNDI4Mzk1MB0GCisGAQQBg78wAQsEDwwNZ2l0aHViLWhvc3RlZDA5BgorBgEEAYO/MAEMBCsMKWh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qYXZhMDgGCisGAQQBg78wAQ0EKgwoZDI2MDMzNDRhOTM1N2NiNzMxNDJjYjY1Y2FmNWYzOWRkYjQyODM5NTAgBgorBgEEAYO/MAEOBBIMEHJlZnMvdGFncy92MS4wLjAwGQYKKwYBBAGDvzABDwQLDAk0NjAxODQ3MDgwKwYKKwYBBAGDvzABEAQdDBtodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUwGAYKKwYBBAGDvzABEQQKDAg3MTA5NjM1MzCBgAYKKwYBBAGDvzABEgRyDHBodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtamF2YS8uZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLXNpZ3N0b3JlLWphdmEtZnJvbS10YWcueWFtbEByZWZzL3RhZ3MvdjEuMC4wMDgGCisGAQQBg78wARMEKgwoZDI2MDMzNDRhOTM1N2NiNzMxNDJjYjY1Y2FmNWYzOWRkYjQyODM5NTAhBgorBgEEAYO/MAEUBBMMEXdvcmtmbG93X2Rpc3BhdGNoMF0GCisGAQQBg78wARUETwxNaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWphdmEvYWN0aW9ucy9ydW5zLzEwNjAyNDQ2OTE0L2F0dGVtcHRzLzEwFgYKKwYBBAGDvzABFgQIDAZwdWJsaWMwgYoGCisGAQQB1nkCBAIEfAR6AHgAdgDdPTBqxscRMmMZHhyZZzcCokpeuN48rf+HinKALynujgAAAZGaTcm8AAAEAwBHMEUCIHWmREiv9NIrNzB4xtQBCfFSzbI73d11UJ5Q0m4TFUZ4AiEA742eBvXfiLdM+o+oHbdsGiK/zisZvxLlopaHKyH+VAYwCgYIKoZIzj0EAwMDaAAwZQIxAKpnVhombtbEevMIRKebYrZVc4bTbaYkhCuHy/gTbn+ilnErZqyzPPBuqwtnlHgtoQIwE6lSiFSoVIgGNcYDuBUEpyUhiEXHm55GRoo82Mrc3dwXgFB1L+v/qZGdOdRMfr/a"
}
},
"messageSignature": {
"messageDigest": {
"algorithm": "SHA2_256",
"digest": "W+JvF3ejUaL3cOkdvOrgqqP24m6K0hjGrBbKp4Olqg0="
},
"signature": "MEUCIAlVM9GGEFWgWb2st+GEYUUJaMxFev1bW6MTsWdgbK5bAiEAoXXJNQACRF4o68LtWGoTWJeeszDkEveQka8T6+8Xy4A="
}
}Bundle with DSSE Envelope over a provenance attestation. This example includes a transparency log entry and an rfc3161 timestamp.
{
"mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.2",
"verificationMaterial": {
"x509CertificateChain": {
"certificates": [
{
"rawBytes": "MIIDNDCCAtqgAwIBAgIEERggBDAKBggqhkjOPQQDAzArMREwDwYDVQQDEwhzaWdzdG9yZTEWMBQGA1UEChMNc2lnc3RvcmUubW9jazAeFw0yMzAyMDEwMDAwMDBaFw0yMzAyMDEwMDEwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR3rsXlKKGObv+Z08sAjs0tyxlzSTKkaFRiy7vjZaFMRQOZ76QKwGFefLkeGwuafSKyLbzhjIghOrUzjS+WFAMHo4ICFTCCAhEwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMIGlBgNVHREBAf8EgZowgZeGgZRodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUtY29uZm9ybWFuY2UvZXh0cmVtZWx5LWRhbmdlcm91cy1wdWJsaWMtb2lkYy1iZWFjb24vLmdpdGh1Yi93b3JrZmxvd3MvZXh0cmVtZWx5LWRhbmdlcm91cy1vaWRjLWJlYWNvbi55bWxAcmVmcy9oZWFkcy9tYWluMB0GA1UdDgQWBBTnwHeBmPc9IrZmBemOaHy4lwv7KDAfBgNVHSMEGDAWgBQ/FFxk7FUxt/oE8lDZEF0s7kasuDA7BgorBgEEAYO/MAEIBC0MK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTCBiQYKKwYBBAHWeQIEAgR7BHkAdwB1APcmyqNBF7qRZUSvNzTpIM1MSS73XOYij9wE7v8vPyfdAAABhgpF7AAAAAQDAEYwRAIgORF50hYRIFl2Hgc0vOJfpMjU8gY7BtGfz0oZePlxG4gCIDl6SXQe1+96ENWqM6+5wxbIUgHL8T3+no43cyuEAe+NMAoGCCqGSM49BAMDA0gAMEUCICqL+qLpRbTPXn6Ri/VId0ejKBNE/B1pm91uOye/COmVAiEAnkRk1n/fPy8cGs6+i+q7bMMl+X2Cm51odIrMI9PbjMw="
}
]
},
"tlogEntries": [
{
"logIndex": "4288993",
"logId": {
"keyId": "9ybKo0EXupFlRK83NOkgzUxJLvdc5iKP3ATu/y8/J90="
},
"kindVersion": {
"kind": "intoto",
"version": "0.0.2"
},
"integratedTime": "1675209600",
"inclusionPromise": {
"signedEntryTimestamp": "MEQCIGkdiEwwfehfHGLM0qerjqUifnolYl8guuPHdBGUl2kSAiBeo/KfkIKVsCXAbn9hnsUhXSewAsAzfDGdIHsuloSpLw=="
},
"inclusionProof": {
"logIndex": "0",
"rootHash": "pc42iecujVMfPva3JcoWyQU9W6llYb+A2LsgE2O5pg0=",
"treeSize": "1",
"hashes": [],
"checkpoint": {
"envelope": "localhost:8000 - 124190645164477\n1\npc42iecujVMfPva3JcoWyQU9W6llYb+A2LsgE2O5pg0=\nTimestamp: 1675209600000000000\n\n— localhost:8000 9ybKozBGAiEAkhPYcKegqWJbVTaEYJHp0rpn3CZjmyqD2unDIfg5tEQCIQC5VNMY5qTG83VuWL2eEbEWhFF3WNWDuaM3PqbvtUXR4w==\n"
}
},
"canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWQiOiJaWGR2WjBsRFNtWmtTR3gzV2xOSk5rbERTbTlrU0ZKM1kzcHZka3d5YkhWTVdGSjJaRWM0ZFdGWE9IWlZNMUpvWkVkV2RGcFhOVEJNTTFsNFNXbDNTMGxEUVdsak0xWnBZVzFXYW1SRFNUWkpSbk5MU1VOQlowbEljMHRKUTBGblNVTkJaMGx0TldoaVYxVnBUMmxCYVZwRE5UQmxTRkZwVEVGdlowbERRV2RKUTBGcFdrZHNibHBZVGpCSmFtOW5aWGR2WjBsRFFXZEpRMEZuU1VOS2VtRkhSWGxPVkZscFQybEJhVTE2VFhkWlZFRXdUWHBKZVUxSFdtaE5WRTVzVFVSR2EwNXFhR2hPTWxKcFRYcHNhazlFYkd4TlZFcHBUVWROTUZsNlRtbE9iVVYzVFhwUk1scHRWVEpOYWxKcFRVUnJkMDB5V1hoTmVrRjZXV3BXYVUxcFNVdEpRMEZuU1VOQloyWlJiMmRKUTBGblpsRnZaMGxHTUhORGFVRm5TVzVDZVZwWFVuQlpNa1l3V2xaU05XTkhWV2xQYVVGcFlVaFNNR05JVFRaTWVUbDZZa2hPYUV4dFVteGthVGwzWTIwNU1scFhOV2hpYlU1c1RETlplRWxwZDB0SlEwRnBZMGhLYkZwSGJHcFpXRkpzU1dwdloyVjNiMmRKUTBGblNXMUtNV0ZYZUd0U1IxWnRZVmMxY0dSSGJIWmlhVWsyU1VoelMwbERRV2RKUTBGblNXMUtNV0ZYZUd0V1NHeDNXbE5KTmtsRFNtOWtTRkozWTNwdmRrd3pUbk5qTWtWMFdtNUthR0pYVmpOaU0wcHlURzFrY0dSSGFERlphVFZ3WW5rNWJtRllVbTlrVjBsMFdWZE9NR0ZYT1hWamVURnBaRmRzYzFwSVVqVmpSMVo2VEROa2RtTnRkRzFpUnprelRETlplRWxwZDB0SlEwRm5TVU5CWjBsdFZqUmtSMVo1WW0xR2MxVkhSbmxaVnpGc1pFZFdlV041U1RaSlNITkxTVU5CWjBsRFFXZEpRMEZwWkRJNWVXRXlXbk5pTTJOcFQybENOME5wUVdkSlEwRm5TVU5CWjBsRFFXbGpiVlp0U1dwdlowbHVTbXhhYmsxMllVZFdhRnBJVFhaaVYwWndZbWxKYzBOcFFXZEpRMEZuU1VOQlowbERRV2xqYlZaM1lqTk9jR1JIT1hsbFUwazJTVU5LYjJSSVVuZGplbTkyVERKa2NHUkhhREZaYVRWcVlqSXdkbU15Ykc1ak0xSjJZMjFWZG1NeWJHNWpNMUoyWTIxVmRGa3lPWFZhYlRsNVlsZEdkVmt5VldsTVFXOW5TVU5CWjBsRFFXZEpRMEZuU1c1Q2FHUkhaMmxQYVVGcFRHMWtjR1JIYURGWmFUa3pZak5LY2xwdGVIWmtNMDEyV1RJNWRWcHRPWGxpVjBaMVdUSlZkV1ZYTVhOSloyOW5TVU5CWjBsRFFXZEpTREJMU1VOQlowbERRV2RtVTNkTFNVTkJaMGxEUVdkSmJXeDFaRWRXZVdKdFJuTlZSMFo1V1ZjeGJHUkhWbmxqZVVrMlNVaHpTMGxEUVdkSlEwRm5TVU5CYVZveWJEQmhTRlpwU1dwdloyVjNiMmRKUTBGblNVTkJaMGxEUVdkSmJWWXlXbGMxTUZneU5XaGlWMVZwVDJsQmFXTklWbnBoUTBselEybEJaMGxEUVdkSlEwRm5TVU5CYVdOdFZuZGlNMDV3WkVjNWVXVldPWEJhUTBrMlNVTkpNVTVFUlRSUFZFMTRUMFJaYVV4QmIyZEpRMEZuU1VOQlowbERRV2RKYmtwc1kwYzVlbUZZVW5aamJteG1Zak5rZFZwWVNtWmhWMUZwVDJsQmFVNTZSWGRQVkZsNlRsUk5hVU5wUVdkSlEwRm5TVU5CWjJaUmIyZEpRMEZuU1VOQ09VeEJiMmRKUTBGblNVTkJhV050Vm5waU1uZ3lXbGRTUlZwWVFteGliVkpzWW0xT2NGcFlUV2xQYVVKaVEybEJaMGxEUVdkSlEwRm5aWGR2WjBsRFFXZEpRMEZuU1VOQlowbHVWbmxoVTBrMlNVTktibUZZVVhKaFNGSXdZMGhOTmt4NU9XNWhXRkp2WkZkSmRWa3lPWFJNTTA1d1dqTk9NR0l6U214TU0wNXdXak5PTUdJelNteE1WMDUyWW0xYWRtTnRNV2hpYlU1c1VVaEtiRnB1VFhaaFIxWm9Xa2hOZG1KWFJuQmlhVWx6UTJsQlowbERRV2RKUTBGblNVTkJhVnBIYkc1YVdFNHdTV3B2WjJWM2IyZEpRMEZuU1VOQlowbERRV2RKUTBGcFdqSnNNRkV5T1hSaVYyd3dTV3B2WjBsdFRURmFhbFp0V1dwSk1VNVVSVEpOTWxaclQwUldhMXBIU1hwTmJWRXhUa2RTYWxwSFVUTk5WRUpvV1hwT2JVMUVVVEpOUkUxcFEybEJaMGxEUVdkSlEwRm5TVU5DT1VOcFFXZEpRMEZuU1VOQloyWlJiMmRKUTBGblNVTkNaRU5wUVdkSlEwSTVURUZ2WjBsRFFXZEpia294WW10U2JHUkhSbkJpU0UxcFQybENOME5wUVdkSlEwRm5TVU5LYVdSWGJITmFSMVo1U1dwdloyVjNiMmRKUTBGblNVTkJaMGxEU25CYVEwazJTVU5LYjJSSVVuZGplbTkyVERKa2NHUkhhREZaYVRWcVlqSXdkbGxYVGpCaFZ6bDFZM2s1ZVdSWE5YVmFXRWwyV2pKc01HRklWbWxNVjJoMll6TlNiRnBEU1V0SlEwRm5TVU5CWjJaVGQwdEpRMEZuU1VOQlowbHRNV3hrUjBacldWaFNhRWxxYjJkbGQyOW5TVU5CWjBsRFFXZEpRMHB3WW01YWRsa3lSakJoVnpsMVUxZFJhVTlwUVdsaFNGSXdZMGhOTmt4NU9XNWhXRkp2WkZkSmRWa3lPWFJNTTA1d1dqTk9NR0l6U214TU0wNXdXak5PTUdJelNteE1WMDUyWW0xYWRtTnRNV2hpYlU1c1RESkdhbVJIYkhaaWJrMTJZMjVXZFdONU9ETk5WR042VG1wSmQwOVVSWGRNTWtZd1pFZFdkR05JVW5wTWVrVnBRMmxCWjBsRFFXZEpTREJMU1VOQlowbElNRXRKUTBJNVEyNHdTdz09IiwicGF5bG9hZFR5cGUiOiJhcHBsaWNhdGlvbi92bmQuaW4tdG90bytqc29uIiwic2lnbmF0dXJlcyI6W3sicHVibGljS2V5IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVUk9SRU5EUVhSeFowRjNTVUpCWjBsRlJWSm5aMEpFUVV0Q1oyZHhhR3RxVDFCUlVVUkJla0Z5VFZKRmQwUjNXVVJXVVZGRVJYZG9lbUZYWkhwa1J6bDVXbFJGVjAxQ1VVZEJNVlZGUTJoTlRtTXliRzVqTTFKMlkyMVZkV0pYT1dwaGVrRmxSbmN3ZVUxNlFYbE5SRVYzVFVSQmQwMUVRbUZHZHpCNVRYcEJlVTFFUlhkTlJFVjNUVVJDWVUxQlFYZFhWRUZVUW1kamNXaHJhazlRVVVsQ1FtZG5jV2hyYWs5UVVVMUNRbmRPUTBGQlVqTnljMWhzUzB0SFQySjJLMW93T0hOQmFuTXdkSGw0YkhwVFZFdHJZVVpTYVhrM2RtcGFZVVpOVWxGUFdqYzJVVXQzUjBabFpreHJaVWQzZFdGbVUwdDVUR0o2YUdwSloyaFBjbFY2YWxNclYwWkJUVWh2TkVsRFJsUkRRMEZvUlhkRVoxbEVWbEl3VUVGUlNDOUNRVkZFUVdkbFFVMUNUVWRCTVZWa1NsRlJUVTFCYjBkRFEzTkhRVkZWUmtKM1RVUk5TVWRzUW1kT1ZraFNSVUpCWmpoRloxcHZkMmRhWlVkbldsSnZaRWhTZDJONmIzWk1NbVJ3WkVkb01WbHBOV3BpTWpCMll6SnNibU16VW5aamJWVjBXVEk1ZFZwdE9YbGlWMFoxV1RKVmRscFlhREJqYlZaMFdsZDROVXhYVW1oaWJXUnNZMjA1TVdONU1YZGtWMHB6WVZkTmRHSXliR3RaZVRGcFdsZEdhbUl5TkhaTWJXUndaRWRvTVZscE9UTmlNMHB5V20xNGRtUXpUWFphV0dnd1kyMVdkRnBYZURWTVYxSm9ZbTFrYkdOdE9URmplVEYyWVZkU2FreFhTbXhaVjA1MlltazFOV0pYZUVGamJWWnRZM2s1YjFwWFJtdGplVGwwV1Zkc2RVMUNNRWRCTVZWa1JHZFJWMEpDVkc1M1NHVkNiVkJqT1VseVdtMUNaVzFQWVVoNU5HeDNkamRMUkVGbVFtZE9Wa2hUVFVWSFJFRlhaMEpSTDBaR2VHczNSbFY0ZEM5dlJUaHNSRnBGUmpCek4ydGhjM1ZFUVRkQ1oyOXlRbWRGUlVGWlR5OU5RVVZKUWtNd1RVc3lhREJrU0VKNlQyazRkbVJIT1hKYVZ6UjFXVmRPTUdGWE9YVmplVFZ1WVZoU2IyUlhTakZqTWxaNVdUSTVkV1JIVm5Wa1F6VnFZakl3ZDA5UldVdExkMWxDUWtGSFJIWjZRVUpCVVZGeVlVaFNNR05JVFRaTWVUa3dZakowYkdKcE5XaFpNMUp3WWpJMWVreHRaSEJrUjJneFdXNVdlbHBZU21waU1qVXdXbGMxTUV4dFRuWmlWRU5DYVZGWlMwdDNXVUpDUVVoWFpWRkpSVUZuVWpkQ1NHdEJaSGRDTVVGUVkyMTVjVTVDUmpkeFVscFZVM1pPZWxSd1NVMHhUVk5UTnpOWVQxbHBhamwzUlRkMk9IWlFlV1prUVVGQlFtaG5jRVkzUVVGQlFVRlJSRUZGV1hkU1FVbG5UMUpHTlRCb1dWSkpSbXd5U0dkak1IWlBTbVp3VFdwVk9HZFpOMEowUjJaNk1HOWFaVkJzZUVjMFowTkpSR3cyVTFoUlpURXJPVFpGVGxkeFRUWXJOWGQ0WWtsVlowaE1PRlF6SzI1dk5ETmplWFZGUVdVclRrMUJiMGREUTNGSFUwMDBPVUpCVFVSQk1HZEJUVVZWUTBsRGNVd3JjVXh3VW1KVVVGaHVObEpwTDFaSlpEQmxha3RDVGtVdlFqRndiVGt4ZFU5NVpTOURUMjFXUVdsRlFXNXJVbXN4Ymk5bVVIazRZMGR6Tml0cEszRTNZazFOYkN0WU1rTnROVEZ2WkVseVRVazVVR0pxVFhjOUNpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyIsInNpZyI6IlRVVlZRMGxGTVVaV2VUSjZOMHBwUkZSQmJFOURhbWRYYW5CNU1GQnpZeTg0ZDB0b1RIbFZXVVJWT0N0UWIzSk9RV2xGUVc5alVUUndjemhuUWtkRU5HUXhhWGgzTTB4R1ZqZ3phRmRPZFdKRVZYWlJkbHBDUmtsb1F6VXpjWGM5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6ImM4ZWY4N2EzZmI4MTFkYTQ1YTQxODg2NTU5NmFiOTE2MDMyNDU4Y2QxMzU5MmM3ZmYxYTUzZThmZDE1N2M1ODAifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIwZWJiZGJjMjFkMTgyMDA3Yjc4YjU3NzBkZWEyNDlmMTEwOTQ2YjdkZWQ4NTdhNGVjMDBjY2I2OTJjMWUyNWFmIn19fX0="
}
],
"timestampVerificationData": {
"rfc3161Timestamps": [
{
"signedTimestamp": "MIICGzADAgEAMIICEgYJKoZIhvcNAQcCoIICAzCCAf8CAQMxDzANBglghkgBZQMEAgEFADB0BgsqhkiG9w0BCRABBKBlBGMwYQIBAQYJKwYBBAGDvzACMC8wCwYJYIZIAWUDBAIBBCCbcvRBlDfRbVwaBhmUQoOTcKS7XrFs5y6Tp/MDZ5tQNgIE3q2+7xgPMjAyMzAyMDEwMDAwMDBaMAMCAQECBEmWAtKgADGCAW8wggFrAgEBMCswJjEMMAoGA1UEAxMDdHNhMRYwFAYDVQQKEw1zaWdzdG9yZS5tb2NrAgECMA0GCWCGSAFlAwQCAQUAoIHVMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAcBgkqhkiG9w0BCQUxDxcNMjMwMjAxMDAwMDAwWjAvBgkqhkiG9w0BCQQxIgQgVzciL1SNrNN9mJ6Z3G1t4A7IPAjoVkXeFa91xuqRsAkwaAYLKoZIhvcNAQkQAi8xWTBXMFUwUwQgAA4hfcjNjQJC6U7kl1KxL3VHVkxZbFxM+eqk9sPXbJAwLzAqpCgwJjEMMAoGA1UEAxMDdHNhMRYwFAYDVQQKEw1zaWdzdG9yZS5tb2NrAgECMAoGCCqGSM49BAMCBEYwRAIgAqzpGF8YZrdyBJOGy2S/9qi7buQD6o51TvOGMKxAiagCIB8rI1sL9fFiY4LON6efkTvVxaFfHO5dJ1jKH+wO4jg+"
}
]
}
},
"dsseEnvelope": {
"payload": "ewogICJfdHlwZSI6ICJodHRwczovL2luLXRvdG8uaW8vU3RhdGVtZW50L3YxIiwKICAic3ViamVjdCI6IFsKICAgIHsKICAgICAgIm5hbWUiOiAiZC50eHQiLAogICAgICAiZGlnZXN0IjogewogICAgICAgICJzaGEyNTYiOiAiMzMwYTA0MzIyMGZhMTNlMDFkNjhhN2RiMzljODllMTJiMGM0YzNiNmEwMzQ2ZmU2MjRiMDkwM2YxMzAzYjViMiIKICAgICAgfQogICAgfQogIF0sCiAgInByZWRpY2F0ZVR5cGUiOiAiaHR0cHM6Ly9zbHNhLmRldi9wcm92ZW5hbmNlL3YxIiwKICAicHJlZGljYXRlIjogewogICAgImJ1aWxkRGVmaW5pdGlvbiI6IHsKICAgICAgImJ1aWxkVHlwZSI6ICJodHRwczovL3Nsc2EtZnJhbWV3b3JrLmdpdGh1Yi5pby9naXRodWItYWN0aW9ucy1idWlsZHR5cGVzL3dvcmtmbG93L3YxIiwKICAgICAgImV4dGVybmFsUGFyYW1ldGVycyI6IHsKICAgICAgICAid29ya2Zsb3ciOiB7CiAgICAgICAgICAicmVmIjogInJlZnMvaGVhZHMvbWFpbiIsCiAgICAgICAgICAicmVwb3NpdG9yeSI6ICJodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtY29uZm9ybWFuY2UiLAogICAgICAgICAgInBhdGgiOiAiLmdpdGh1Yi93b3JrZmxvd3MvY29uZm9ybWFuY2UueW1sIgogICAgICAgIH0KICAgICAgfSwKICAgICAgImludGVybmFsUGFyYW1ldGVycyI6IHsKICAgICAgICAiZ2l0aHViIjogewogICAgICAgICAgImV2ZW50X25hbWUiOiAicHVzaCIsCiAgICAgICAgICAicmVwb3NpdG9yeV9pZCI6ICI1NDE4OTMxODYiLAogICAgICAgICAgInJlcG9zaXRvcnlfb3duZXJfaWQiOiAiNzEwOTYzNTMiCiAgICAgICAgfQogICAgICB9LAogICAgICAicmVzb2x2ZWREZXBlbmRlbmNpZXMiOiBbCiAgICAgICAgewogICAgICAgICAgInVyaSI6ICJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWNvbmZvcm1hbmNlQHJlZnMvaGVhZHMvbWFpbiIsCiAgICAgICAgICAiZGlnZXN0IjogewogICAgICAgICAgICAiZ2l0Q29tbWl0IjogImM1ZjVmYjI1NTE2M2VkODVkZGIzMmQ1NGRjZGQ3MTBhYzNmMDQ2MDMiCiAgICAgICAgICB9CiAgICAgICAgfQogICAgICBdCiAgICB9LAogICAgInJ1bkRldGFpbHMiOiB7CiAgICAgICJidWlsZGVyIjogewogICAgICAgICJpZCI6ICJodHRwczovL2dpdGh1Yi5jb20vYWN0aW9ucy9ydW5uZXIvZ2l0aHViLWhvc3RlZCIKICAgICAgfSwKICAgICAgIm1ldGFkYXRhIjogewogICAgICAgICJpbnZvY2F0aW9uSWQiOiAiaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWNvbmZvcm1hbmNlL2FjdGlvbnMvcnVucy83MTczNjIwOTEwL2F0dGVtcHRzLzEiCiAgICAgIH0KICAgIH0KICB9Cn0K",
"payloadType": "application/vnd.in-toto+json",
"signatures": [
{
"sig": "MEUCIE1FVy2z7JiDTAlOCjgWjpy0Psc/8wKhLyUYDU8+PorNAiEAocQ4ps8gBGD4d1ixw3LFV83hWNubDUvQvZBFIhC53qw=",
"keyid": ""
}
]
}
}where the embedded attestation in the dsse envelope is
{
"_type": "https://in-toto.io/Statement/v1",
"subject": [
{
"name": "d.txt",
"digest": {
"sha256": "330a043220fa13e01d68a7db39c89e12b0c4c3b6a0346fe624b0903f1303b5b2"
}
}
],
"predicateType": "https://slsa.dev/provenance/v1",
"predicate": {
"buildDefinition": {
"buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
"externalParameters": {
"workflow": {
"ref": "refs/heads/main",
"repository": "https://github.com/sigstore/sigstore-conformance",
"path": ".github/workflows/conformance.yml"
}
},
"internalParameters": {
"github": {
"event_name": "push",
"repository_id": "541893186",
"repository_owner_id": "71096353"
}
},
"resolvedDependencies": [
{
"uri": "git+https://github.com/sigstore/sigstore-conformance@refs/heads/main",
"digest": {
"gitCommit": "c5f5fb255163ed85ddb32d54dcdd710ac3f04603"
}
}
]
},
"runDetails": {
"builder": {
"id": "https://github.com/actions/runner/github-hosted"
},
"metadata": {
"invocationId": "https://github.com/sigstore/sigstore-conformance/actions/runs/7173620910/attempts/1"
}
}
}
}