sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

main.go:74: error during command execution: signing **image:tag**: provenance predicate: required field builder missing #3757

Open blueacidification opened 4 months ago

blueacidification commented 4 months ago

Description

I generate my provenance.json file. When I execute `cosign attest --yes --predicate provenance.json --type slsaprovenance --key cosign.key image:tag`, the command fails and says `provenance predicate: required field builder missing`.

I use a similar command for my sbom file and that works just fine.

```json
{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "subject": [
    {
      "name": "",
      "digest": { "sha256": "" }
    }
  ],
  "predicate": {
    "builder": { "id": "mailto:@.al" },
    "buildType": "https://mobyproject.org/buildkit@v1",

  }
}
```

This is the general outline of the file after being generated from buildx.

Version

2.2.4

blueacidification commented 4 months ago

Seems like the issue is that it expects builder and buildtype outside of predicate, which worked for me. Even though the official SLSA provenance schema has it inside predicate: https://slsa.dev/spec/v0.2/provenance#schema
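The workaround from the last comment, as an added example that is not part of the thread and not cosign's own code: it unwraps a buildx-style in-toto Statement so that `builder` and `buildType` sit at the top level of the file given to `--predicate`, and checks for them before signing. The function name, the script name in the usage comment and the sample values are assumptions made for this illustration; the `builder.id` check follows the SLSA v0.2 schema linked above.

```python
import json
import sys

SLSA_V02 = "https://slsa.dev/provenance/v0.2"
# Top-level keys the thread reports cosign looks for in the --predicate file.
REQUIRED = ("builder", "buildType")


def predicate_for_cosign(doc: dict) -> dict:
    """Return the bare predicate body from either a full in-toto Statement
    or an already-bare predicate; raise ValueError naming what is wrong."""
    if "_type" in doc and "predicate" in doc:
        # Full Statement: refuse anything that is not SLSA v0.2 provenance.
        ptype = doc.get("predicateType")
        if ptype != SLSA_V02:
            raise ValueError(f"unexpected predicateType: {ptype!r}")
        body = doc["predicate"]
    else:
        body = doc  # assume the file is already a bare predicate
    if not isinstance(body, dict):
        raise ValueError("predicate is not a JSON object")
    missing = [k for k in REQUIRED if k not in body]
    if missing:
        raise ValueError("required field(s) missing: " + ", ".join(missing))
    builder = body["builder"]
    if not isinstance(builder, dict) or not builder.get("id"):
        raise ValueError("builder.id is empty")
    return body


# Constructed sample shaped like the outline in the issue (placeholder values).
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SLSA_V02,
    "subject": [{"name": "example", "digest": {"sha256": "0" * 64}}],
    "predicate": {
        "builder": {"id": "mailto:builder@example.invalid"},
        "buildType": "https://mobyproject.org/buildkit@v1",
    },
}

if __name__ == "__main__":
    # Usage (hypothetical script name):
    #   python unwrap_predicate.py provenance.json > predicate.json
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_STATEMENT
    json.dump(predicate_for_cosign(src), sys.stdout, indent=2)
```

The resulting `predicate.json` is what would be passed to `--predicate` in the command from the issue.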