in-toto / attestation

in-toto Attestation Framework

Support `predicateType`: Field `predicateType` Renamed to `predicate_type` in Statement Struct #363

Closed PuneetPunamiya closed 1 month ago

PuneetPunamiya commented 1 month ago

We recently upgraded our dependency from github.com/in-toto/in-toto-golang/in_toto to github.com/in-toto/attestation/go/v1 . While migrating, we encountered a breaking change related to the predicateType field in the Statement struct.

In the previous version (github.com/in-toto/in-toto-golang/in_toto), the StatementHeader struct was defined as:

type StatementHeader struct {
    Type          string    `json:"_type"`
    PredicateType string    `json:"predicateType"`
    Subject       []Subject `json:"subject"`
}

In the new version github.com/in-toto/attestation/go/v1, the Statement struct is defined as:

type Statement struct {
    state         protoimpl.MessageState
    sizeCache     protoimpl.SizeCache
    unknownFields protoimpl.UnknownFields

    Type          string                `protobuf:"bytes,1,opt,name=type,json=_type,proto3" json:"type,omitempty"`
    Subject       []*ResourceDescriptor `protobuf:"bytes,2,rep,name=subject,proto3" json:"subject,omitempty"`
    PredicateType string                `protobuf:"bytes,3,opt,name=predicate_type,json=predicateType,proto3" json:"predicate_type,omitempty"`
    Predicate     *structpb.Struct      `protobuf:"bytes,4,opt,name=predicate,proto3" json:"predicate,omitempty"`
}

With this when we try to run the cosign verification command it throws an error as

cosign verify-blob-attestation --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets --signature sig --type slsaprovenance --check-claims=false /dev/null
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the blob attestation.
Error: invalid predicate type, expected slsaprovenance got 
main.go:74: error during command execution: invalid predicate type, expected slsaprovenance got 

Because the payload has predicate_type instead of predicateType

Reference links for chains update - https://github.com/tektoncd/chains/pull/1111/files#diff-44a01d12a6c7c8d0b69c0e0c1773b23312d82ee4de20166c37f75a66823a026fL3

renzodavid9 commented 1 month ago

I think I see what's happening:

In the Statement struct:

type Statement struct {
    state         protoimpl.MessageState
    sizeCache     protoimpl.SizeCache
    unknownFields protoimpl.UnknownFields

    Type          string                `protobuf:"bytes,1,opt,name=type,json=_type,proto3" json:"type,omitempty"`
    Subject       []*ResourceDescriptor `protobuf:"bytes,2,rep,name=subject,proto3" json:"subject,omitempty"`
    PredicateType string                `protobuf:"bytes,3,opt,name=predicate_type,json=predicateType,proto3" json:"predicate_type,omitempty"`
    Predicate     *structpb.Struct      `protobuf:"bytes,4,opt,name=predicate,proto3" json:"predicate,omitempty"`
}

We can see the PredicateType has the tag json=predicateType,proto3. To be able to get the value in json with the label predicateType instead of predicate_type we should use protojson.Marshal (from google.golang.org/protobuf/encoding/protojson) instead of json.Marshal in https://github.com/tektoncd/chains/blob/dc4e8acf1421abb2ce2e9fae85394762452b75d9/pkg/chains/signing.go#L147-L176, so this is something that can be solved from Chains. I'm taking a look at it right now.
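As an added example (not code from this issue, from Tekton Chains or from the in-toto project), the following Go program reproduces the field-name mismatch described above using only the standard library: a stand-in struct that copies the encoding/json tags of the generated Statement is marshalled with encoding/json, a verifier-side check modelled on cosign's decodes the result with the spec field names and fails with the same "expected ... got " message, and a diagnostic reports which names drifted. It goes slightly beyond the thread by also covering the `_type` field, whose `json=_type` protobuf name drifts to `type` in exactly the same way. The struct names, the subject, the predicate body and the predicate type URI are constructed for illustration; the producer-side fix is switching to protojson.Marshal, which this stdlib-only program does not exercise.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// subject mirrors only the pieces of an in-toto subject needed here.
type subject struct {
	Name   string            `json:"name,omitempty"`
	Digest map[string]string `json:"digest,omitempty"`
}

// generatedStatement is a hypothetical stand-in that copies just the encoding/json
// tags of the protobuf-generated v1.Statement quoted in the issue. Marshalling it
// with encoding/json reproduces the snake_case payload Chains was emitting.
type generatedStatement struct {
	Type          string          `json:"type,omitempty"`
	Subject       []subject       `json:"subject,omitempty"`
	PredicateType string          `json:"predicate_type,omitempty"`
	Predicate     json.RawMessage `json:"predicate,omitempty"`
}

// specStatement uses the field names the in-toto Statement spec defines, which is
// what protojson emits for the generated struct (json=_type, json=predicateType)
// and what a verifier such as cosign decodes.
type specStatement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Subject       []subject       `json:"subject"`
	Predicate     json.RawMessage `json:"predicate"`
}

// Constructed sample values; the predicate type URI is assumed for illustration.
const (
	statementType = "https://in-toto.io/Statement/v1"
	wantPredicate = "https://slsa.dev/provenance/v1"
	// SpecPayload is a constructed, spec-conformant statement for the happy path.
	SpecPayload = `{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://slsa.dev/provenance/v1","subject":[{"name":"app","digest":{"sha256":"0123"}}],"predicate":{"buildType":"example"}}`
)

// BuildSnakeCasePayload reproduces the buggy encoding: encoding/json honours the
// `json:"predicate_type"` and `json:"type"` tags, not the protobuf json names.
func BuildSnakeCasePayload() ([]byte, error) {
	st := generatedStatement{
		Type:          statementType,
		Subject:       []subject{{Name: "app", Digest: map[string]string{"sha256": "0123"}}},
		PredicateType: wantPredicate,
		Predicate:     json.RawMessage(`{"buildType":"example"}`),
	}
	return json.Marshal(&st)
}

// CheckPredicateType mimics the verifier-side check that failed in the issue:
// decode the statement with the spec field names and compare predicateType.
func CheckPredicateType(payload []byte, want string) error {
	var st specStatement
	if err := json.Unmarshal(payload, &st); err != nil {
		return fmt.Errorf("decoding statement: %w", err)
	}
	if st.PredicateType != want {
		// Same shape as the cosign message; a snake_case payload yields an empty "got".
		return fmt.Errorf("invalid predicate type, expected %s got %s", want, st.PredicateType)
	}
	return nil
}

// DiagnoseEncoding lists the field-name problems in a statement payload so a
// producer can tell "wrong serializer" apart from "wrong predicate type".
func DiagnoseEncoding(payload []byte) ([]string, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(payload, &raw); err != nil {
		return nil, err
	}
	has := func(k string) bool { _, ok := raw[k]; return ok }
	var problems []string
	if has("predicate_type") {
		problems = append(problems, `"predicate_type" present: struct was marshalled with encoding/json instead of protojson`)
	}
	if !has("predicateType") {
		problems = append(problems, `"predicateType" missing`)
	}
	if has("type") {
		problems = append(problems, `"type" present where the spec expects "_type"`)
	}
	if !has("_type") {
		problems = append(problems, `"_type" missing`)
	}
	return problems, nil
}

func main() {
	buggy, err := BuildSnakeCasePayload()
	if err != nil {
		panic(err)
	}
	fmt.Println(string(buggy))
	fmt.Println("buggy check:", CheckPredicateType(buggy, wantPredicate))
	problems, _ := DiagnoseEncoding(buggy)
	for _, p := range problems {
		fmt.Println("diagnosis:", p)
	}
	fmt.Println("spec check:", CheckPredicateType([]byte(SpecPayload), wantPredicate))
}
```

Running it prints the snake_case payload with `type` and `predicate_type` keys, then the same "invalid predicate type, expected ... got " failure the issue reports, followed by the four drifted-name findings; the constructed spec-conformant payload passes the check with no findings.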

marcelamelara commented 1 month ago

@PuneetPunamiya thanks for reporting. Yes, the in-toto-golang data structures are not compatible with the protobuf-generated ones. Thanks for transitioning to the Go bindings in this repo as we are in the process of deprecating the APIs in in-toto-golang.

I'm closing this issue since I see there's a closed PR related to this. Please let me know if this needs to be reopened.