Trying to attest an OCI chart ends up discovering a STRING material type, but it should be HELM_CHART instead.
Running it in debug mode:
> cl att add --value ghcr.io/chainloop-dev/charts:latest --debug --token $(cat token.txt )
DBG Telemetry enabled, to disable it use DO_NOT_TRACK=1
DBG loading state state=file:///var/folders/ls/cv3k03v57ns18mmwjjbgy8z00000gn/T/chainloop-attestation.tmp.json
DBG loaded state state=file:///var/folders/ls/cv3k03v57ns18mmwjjbgy8z00000gn/T/chainloop-attestation.tmp.json
DBG failed to add material error="crafting material: can't open the file: open ghcr.io/chainloop-dev/charts:latest: no such file or directory" kind=OPENVEX
DBG failed to add material error="crafting material: can't open the file: open ghcr.io/chainloop-dev/charts:latest: no such file or directory" kind=SBOM_CYCLONEDX_JSON
DBG failed to add material error="crafting material: can't open the file: open ghcr.io/chainloop-dev/charts:latest: no such file or directory" kind=SBOM_SPDX_JSON
DBG decoding CSAF file path=ghcr.io/chainloop-dev/charts:latest
DBG failed to add material error="crafting material: can't open the file: open ghcr.io/chainloop-dev/charts:latest: no such file or directory - unexpected material type" kind=CSAF_VEX
DBG decoding CSAF file path=ghcr.io/chainloop-dev/charts:latest
DBG failed to add material error="crafting material: can't open the file: open ghcr.io/chainloop-dev/charts:latest: no such file or directory - unexpected material type" kind=CSAF_INFORMATIONAL_ADVISORY
DBG decoding CSAF file path=ghcr.io/chainloop-dev/charts:latest
DBG failed to add material error="crafting material: can't open the file: open ghcr.io/chainloop-dev/charts:latest: no such file or directory - unexpected material type" kind=CSAF_SECURITY_ADVISORY
DBG decoding CSAF file path=ghcr.io/chainloop-dev/charts:latest
DBG failed to add material error="crafting material: can't open the file: open ghcr.io/chainloop-dev/charts:latest: no such file or directory - unexpected material type" kind=CSAF_SECURITY_INCIDENT_RESPONSE
DBG failed to add material error="crafting material: can't open the file: open ghcr.io/chainloop-dev/charts:latest: no such file or directory" kind=JUNIT_XML
DBG failed to add material error="crafting material: can't open the file: open ghcr.io/chainloop-dev/charts:latest: no such file or directory" kind=HELM_CHART
DBG retrieving container image digest from remote name=ghcr.io/chainloop-dev/charts:latest
DBG failed to add material error="crafting material: GET https://ghcr.io/token?scope=repository%3Achainloop-dev%2Fcharts%3Apull&service=ghcr.io: DENIED: requested access to the resource is denied" kind=CONTAINER_IMAGE
DBG decoding SARIF file path=ghcr.io/chainloop-dev/charts:latest
DBG error decoding file error="the provided file path doesn't have a file"
DBG failed to add material error="crafting material: invalid SARIF file: unexpected material type" kind=SARIF
DBG failed to add material error="crafting material: artifact file cannot be read: open ghcr.io/chainloop-dev/charts:latest: no such file or directory" kind=ATTESTATION
DBG failed to add material error="crafting material: getting file stats: stat ghcr.io/chainloop-dev/charts:latest: no such file or directory" kind=ARTIFACT
DBG added to state key=material-1717598767208318000
INF material kind detected kind=STRING
INF material added to attestation
The reason for this behavior is that the Chart crafter does not try to download anything; instead, it tries to validate what's found on the system.
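
A CI-side check for the silent fallback shown in the log above, as an added example that is not part of the original report or the Chainloop code base: it parses the CLI's debug lines and flags a value that looks like an OCI reference but was recorded as STRING. `ParseDetection`, `SilentFallback`, the reason labels and the reference regex are hypothetical names and heuristics, and the log line shape is assumed from the output shown.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: three lines copied from the debug output above.
const sampleLog = `DBG failed to add material error="crafting material: can't open the file: open ghcr.io/chainloop-dev/charts:latest: no such file or directory" kind=HELM_CHART
DBG failed to add material error="crafting material: GET https://ghcr.io/token?scope=repository%3Achainloop-dev%2Fcharts%3Apull&service=ghcr.io: DENIED: requested access to the resource is denied" kind=CONTAINER_IMAGE
INF material kind detected kind=STRING`

var (
	failedRe   = regexp.MustCompile(`failed to add material error="(.*)" kind=([A-Z_]+)$`)
	detectedRe = regexp.MustCompile(`material kind detected kind=([A-Z_]+)$`)
	// Rough host/repo:tag or host/repo@sha256 shape (an assumption, not the full OCI grammar).
	ociRefRe = regexp.MustCompile(`^[a-z0-9.-]+\.[a-z]{2,}(:[0-9]+)?/[a-z0-9._/-]+(:[\w.-]+|@sha256:[a-f0-9]{64})$`)
)

// ParseDetection returns the detected kind and, per rejected kind, why it was rejected.
func ParseDetection(log string) (detected string, failures map[string]string) {
	failures = map[string]string{}
	for _, line := range strings.Split(log, "\n") {
		line = strings.TrimSpace(line)
		if m := failedRe.FindStringSubmatch(line); m != nil {
			switch {
			case strings.Contains(m[1], "no such file or directory"):
				failures[m[2]] = "local-file" // crafter only looked on disk
			case strings.Contains(m[1], "DENIED"):
				failures[m[2]] = "registry-denied" // remote lookup refused
			default:
				failures[m[2]] = "other"
			}
		} else if m := detectedRe.FindStringSubmatch(line); m != nil {
			detected = m[1]
		}
	}
	return detected, failures
}

// SilentFallback flags an OCI-looking value that was recorded as a plain STRING.
func SilentFallback(value, detected string) bool {
	return detected == "STRING" && ociRefRe.MatchString(value)
}

func main() {
	kind, why := ParseDetection(sampleLog)
	fmt.Println(kind, why, SilentFallback("ghcr.io/chainloop-dev/charts:latest", kind))
}
```

A pipeline step can fail the build when `SilentFallback` returns true, so a chart reference is never attested as an opaque string unnoticed.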