chainguard-images / actions

GitHub actions for the chainguard-images
Apache License 2.0

Add Trivy, Snyk and Grype Scans #20

Closed strongjz closed 2 years ago

strongjz commented 2 years ago
kaniini commented 2 years ago

Is this ready for review?

kaniini commented 2 years ago

Looks fine to me but I think @mattmoor's point about attestations staying in the standard namespace makes sense and we should go that route.

strongjz commented 2 years ago

Just ran through and for some reason the trivy attestation is not there

 cosign verify-attestation ghcr.io/chainguard-dev/go-demo@sha256:a488038c73224ac5e36b4394ee23a5ca2845fa9b385861ecccdba4083093b925

Verification for ghcr.io/chainguard-dev/go-demo@sha256:a488038c73224ac5e36b4394ee23a5ca2845fa9b385861ecccdba4083093b925 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.
Certificate subject:  https://github.com/chainguard-dev/go-demo/.github/workflows/release.yaml@refs/heads/main
Certificate issuer URL:  https://token.actions.githubusercontent.com
Certificate subject:  https://github.com/chainguard-dev/go-demo/.github/workflows/release.yaml@refs/heads/main
Certificate issuer URL:  https://token.actions.githubusercontent.com
mattmoor commented 2 years ago

@strongjz You need to pass the prefix stuff through verification as well. If you look at the tags that get pushed, instead of sha256-deadbeef.att you will see trivy-sha256-deadbeef.att IIRC

strongjz commented 2 years ago

I'll continue to look into it, the trivy scan is having issues with EOF

https://github.com/chainguard-dev/go-demo/runs/7328357425?check_suite_focus=true#step:11:486

strongjz commented 2 years ago

@mattmoor EOF is fixed, all 3 attestations are in one file.

strongjz commented 2 years ago

Works with distroless alpine base build

 COSIGN_EXPERIMENTAL=true cosign verify-attestation ghcr.io/strongjz/alpine-base@sha256:2354df1a598007695ff09e259cc2083835e46c97aa83137a7f32599cabed34ed -o json 2>/dev/null
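
Added example (not part of this thread or of the project's code): a Python check that reads the output of cosign verify-attestation -o json, decodes each in-toto payload, and reports which of the three scanners named in the PR title have an attestation for the image digest. It assumes the scanner's name appears in predicate.scanner.uri; the envelopes, registry name and digests are constructed, and signature verification is left to cosign.

```python
import base64
import json

EXPECTED_SCANNERS = ("trivy", "snyk", "grype")  # the three scanners in the PR title
IN_TOTO = "application/vnd.in-toto+json"

def attestation_coverage(cosign_output, image_sha256):
    """Report which expected scanners have a vuln attestation for the image."""
    found, unidentified = set(), 0
    for line in cosign_output.splitlines():
        if not line.lstrip().startswith("{"):
            continue  # human-readable verification text, not an envelope
        try:
            envelope = json.loads(line)
            if envelope.get("payloadType") != IN_TOTO:
                continue
            statement = json.loads(base64.b64decode(envelope["payload"]))
            digests = {s["digest"]["sha256"] for s in statement["subject"]}
            uri = statement["predicate"]["scanner"]["uri"].lower()
        except (ValueError, KeyError, TypeError, AttributeError):
            unidentified += 1  # truncated or malformed envelope
            continue
        if image_sha256 not in digests:
            continue  # statement is about a different image
        # Assumption: the scanner's name appears in predicate.scanner.uri.
        names = {n for n in EXPECTED_SCANNERS if n in uri}
        found |= names
        unidentified += 0 if names else 1  # e.g. scanner.uri left empty
    missing = [n for n in EXPECTED_SCANNERS if n not in found]
    return {"found": sorted(found), "missing": missing, "unidentified": unidentified}

def make_envelope(scanner_uri, image_sha256):
    """Build a constructed, unsigned DSSE envelope for the sample below."""
    statement = {"_type": "https://in-toto.io/Statement/v0.1",
                 "predicateType": "cosign.sigstore.dev/attestation/vuln/v1",
                 "subject": [{"name": "registry.example/demo",
                              "digest": {"sha256": image_sha256}}],
                 "predicate": {"scanner": {"uri": scanner_uri}}}
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": IN_TOTO, "payload": payload, "signatures": []})

DIGEST = "a" * 64  # constructed digest, not a real image
SAMPLE = "\n".join(
    ["Certificate issuer URL:  https://token.actions.githubusercontent.com"]
    + [make_envelope(u, DIGEST) for u in
       ("https://scanner.example/snyk/cli", "https://scanner.example/grype", "")]
    + [make_envelope("https://scanner.example/trivy", "b" * 64)]  # other image
)

print(attestation_coverage(SAMPLE, DIGEST))
```

A non-empty missing list or a non-zero unidentified count is the signal to go back to the release workflow before relying on the attestations in an admission policy.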