fix: Switch to newer DSSE rekor type
The intoto v001 type does not persist signatures of the DSSE envelope,
as noted in sigstore/rekor#973. We introduced an
intoto v002 type shortly after to fix this, but since then, we've
introduced another newer type, DSSE v001, which also does not persist
the attestation in Rekor (as we discourage using Rekor as storage).

I also updated the verifier in slsa-framework/slsa-verifier#742
to search for both Rekor entry types.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
haydentherapper committed Feb 29, 2024
1 parent a66d8c0 commit bdeea00
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion signing/sigstore/rekor.go
Expand Up @@ -80,7 +80,7 @@ func (r *Rekor) Upload(ctx context.Context, att signing.Attestation) (signing.Lo
return nil, fmt.Errorf("creating rekor client: %w", err)
}
// TODO: Is it a bug that we need []byte(string(k.Cert)) or else we hit invalid PEM?
logEntry, err := cosign.TLogUploadInTotoAttestation(ctx, rekorClient, att.Bytes(), []byte(string(att.Cert())))
logEntry, err := cosign.TLogUploadDSSEEnvelope(ctx, rekorClient, att.Bytes(), []byte(string(att.Cert())))
if err != nil {
return nil, fmt.Errorf("uploading attestation: %w", err)
}
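Review bot: The swap to `cosign.TLogUploadDSSEEnvelope` on the `logEntry, err :=` line changes which Rekor entry type gets written, but this one-file change has no test pinning that and no comment warning consumers. Per the commit message, the verifier only learned to search for both entry types in slsa-framework/slsa-verifier#742, so a verifier without that change may not find entries uploaded by this code. Please add a short comment above the call naming the entry type and the verifier dependency, and a test that asserts the kind of the returned log entry. Separately, the TODO about `[]byte(string(att.Cert()))` is carried over unchanged with the same arguments; it would be worth confirming whether the conversion is still needed with the new call and either resolving the TODO or restating it for the DSSE path.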