sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

main.go:74: error during command execution: signing **image:tag**: provenance predicate: required field builder missing #3757

Open blueacidification opened 6 days ago

blueacidification commented 6 days ago

Description

I generate my provenance.json file. When I execute `cosign attest --yes --predicate provenance.json --type slsaprovenance --key cosign.key image:tag`, the command fails and says `provenance predicate: required field builder missing`.

I use a similar command for my sbom file and that works just fine.

```json
{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "subject": [
    {
      "name": "",
      "digest": { "sha256": "" }
    }
  ],
  "predicate": {
    "builder": { "id": "mailto:@.al" },
    "buildType": "https://mobyproject.org/buildkit@v1",

  }
}
```

This is the general outline of the file after being generated from buildx.

Version

2.2.4

blueacidification commented 6 days ago

Seems like the issue is that it expects `builder` and `buildType` outside of `predicate`, which worked for me. Even though the official SLSA provenance schema has it inside `predicate`: https://slsa.dev/spec/v0.2/provenance#schema
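
The workaround from the last comment, as an added example that is not part of the thread or of cosign's own code: a Python pre-flight check that unwraps a full in-toto Statement to the bare predicate object before the file is passed to `--predicate`. The function names, the sample values and the rule that `builder` and `buildType` must be top-level keys (taken from the comment above) are assumptions.

```python
import json

# Top-level keys the thread found cosign insisting on for --type slsaprovenance
# (assumption drawn from the comment above, not from cosign's source).
REQUIRED_FIELDS = ("builder", "buildType")

# Constructed sample shaped like the file in the issue; all values are placeholders.
SAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "example/image", "digest": {"sha256": "0" * 64}}],
    "predicate": {
        "builder": {"id": "mailto:builder@example.invalid"},
        "buildType": "https://mobyproject.org/buildkit@v1",
    },
})


def is_statement(doc):
    """True when doc is a whole in-toto Statement rather than a bare predicate."""
    return (isinstance(doc, dict) and isinstance(doc.get("predicate"), dict)
            and str(doc.get("_type", "")).startswith("https://in-toto.io/Statement/"))


def missing_fields(predicate):
    """Required keys absent from the top level of the given object."""
    return [f for f in REQUIRED_FIELDS if f not in predicate]


def extract_predicate(raw):
    """Return (predicate, subjects); subjects is [] when raw is already bare."""
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("provenance file must contain a JSON object")
    subjects = []
    if is_statement(doc):
        subjects = doc.get("subject", [])
        doc = doc["predicate"]
    missing = missing_fields(doc)
    if missing:
        raise ValueError("required field(s) missing: " + ", ".join(missing))
    return doc, subjects


if __name__ == "__main__":
    predicate, subjects = extract_predicate(SAMPLE_STATEMENT)
    # The envelope's subject is dropped here, so compare its digest with the
    # digest of the image you are about to attest before signing.
    print(json.dumps(predicate, indent=2))
    print("subjects dropped from the envelope:", subjects)
```

Redirect the printed predicate to a file and pass that file to `cosign attest --predicate`.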