attestation

package module
v0.1.0
Published: May 12, 2026 License: MIT Imports: 6 Imported by: 0

README

attestation

Parses a sigstore bundle's DSSE envelope and the in-toto statement inside it, returning the SLSA Provenance v1 identity fields (predicate type, builder, source repository, source revision, signer identity).

Cross-ecosystem: npm, PyPI (trusted publishing), Maven Central, Cargo, and GitHub artifact attestations all emit the same DSSE-wrapped in-toto statement. One parser serves all of them.

Install

go get github.com/git-pkgs/attestation

Usage

att, err := attestation.Parse(bundleBytes)
if err != nil {
	return err // malformed DSSE / in-toto JSON
}
if att == nil {
	return nil // not a SLSA Provenance v1 statement
}
fmt.Println(att.BuilderID, att.SourceRepository, att.SourceRevision)

Parse returns (nil, nil) for an empty body or a bundle whose DSSE payload is empty (some sigstore bundles carry non-SLSA predicates that this parser intentionally ignores). It errors only on malformed DSSE / in-toto JSON.

What's in the bundle, what's NOT verified

Parse extracts identity fields. It does not verify the signature, certificate chain, or transparency-log inclusion proof. Pair with a separate verifier:

go get github.com/git-pkgs/sigstore-verifier

The split is deliberate: parsing identity is stdlib-only and useful in contexts where you just want to record what was claimed (SBOMs, audit logs, summary reports). Verification adds a heavier dependency tree (sigstore-go, TUF) and isn't always needed.

Stdlib only

This package imports nothing beyond Go's standard library. No project-specific types, no third-party deps.

License

MIT

Documentation

Overview

Package attestation parses a sigstore bundle's DSSE envelope and the in-toto statement inside it, returning the SLSA Provenance v1 identity fields (predicate type, builder, source repo, source revision, signer identity).

The package has no dependencies outside the standard library. It is intentionally self-contained so it can be lifted out into its own module without dragging pin-specific types along; the npm and forge source paths each map the parsed result into their own Attestation shape.

Parse extracts identity fields only. It does NOT verify the signature, certificate chain, or transparency-log inclusion proof — that's the job of a separate verifier (e.g., sigstore-go).

Types

type Attestation

type Attestation struct {
	// PredicateType is the in-toto statement's predicate type URI,
	// "https://slsa.dev/provenance/v1" for SLSA Provenance v1.
	PredicateType string

	// BuilderID is runDetails.builder.id — the canonical identity of
	// the builder that produced the artifact. For GitHub-Actions builds
	// this is the workflow URI with @refs/tags/<tag>.
	BuilderID string

	// SourceRepository is the git+https URL the build was driven from,
	// with the git+ prefix and trailing .git/@refs suffix stripped.
	SourceRepository string

	// SourceRevision is the commit SHA from the build's first
	// resolvedDependencies entry that carries a sha1 or gitCommit digest.
	SourceRevision string

	// SignerIdentity is the Fulcio certificate's subject — either its
	// first URI SAN (the OIDC identity that was bound at signing time)
	// or its first email SAN if no URIs are present.
	SignerIdentity string
}

Attestation is the identity-side projection of a SLSA Provenance v1 statement carried inside a sigstore bundle. Field names follow the SLSA v1 vocabulary; the parser populates whichever fields the statement carries and leaves the rest as zero values.

func Parse

func Parse(body []byte) (*Attestation, error)

Parse decodes a sigstore bundle body and returns the SLSA Provenance v1 identity fields it claims. Returns (nil, nil) for an empty body or for a bundle whose DSSE payload is empty (the latter happens for non-provenance bundles that share the sigstore shape). Errors on malformed DSSE / in-toto JSON.
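The flow that the Usage snippet and the Attestation field descriptions lay out, as an added example that is not this package's code: a stdlib-only Go program that builds a constructed sigstore bundle (a throwaway self-signed Ed25519 certificate standing in for the Fulcio leaf, a SLSA Provenance v1 statement, and a placeholder signature) and projects it into the five identity fields. ParseBundle, MakeSampleBundle and normalizeRepo are names chosen for this example; the JSON field names (verificationMaterial.certificate.rawBytes, dsseEnvelope.payload, predicate.buildDefinition.resolvedDependencies, predicate.runDetails.builder.id) are assumed from the public sigstore bundle, in-toto Statement and SLSA v1 schemas rather than read from this package, and taking SourceRepository from the same resolvedDependencies entry that supplies the commit digest is likewise an assumption. The sample's signature is garbage and the parser accepts it without comment, which is the point of the "what's NOT verified" section: the fields are claims until a verifier has checked the signature, chain and log inclusion.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Attestation mirrors the five identity fields the package documents.
type Attestation struct{ PredicateType, BuilderID, SourceRepository, SourceRevision, SignerIdentity string }

// bundle and statement cover only the fields read here; JSON names are assumed from the
// sigstore bundle, in-toto Statement and SLSA Provenance v1 schemas (not from this package).
type bundle struct {
	VerificationMaterial struct{ Certificate struct{ RawBytes string `json:"rawBytes"` } `json:"certificate"` } `json:"verificationMaterial"`
	DSSEEnvelope         struct{ Payload string `json:"payload"` } `json:"dsseEnvelope"`
}
type statement struct {
	PredicateType string `json:"predicateType"`
	Predicate     struct {
		BuildDefinition struct {
			ResolvedDependencies []struct{ URI string `json:"uri"`; Digest map[string]string `json:"digest"` } `json:"resolvedDependencies"`
		} `json:"buildDefinition"`
		RunDetails struct{ Builder struct{ ID string `json:"id"` } `json:"builder"` } `json:"runDetails"`
	} `json:"predicate"`
}

// ParseBundle records what the bundle claims. It never checks the DSSE signature, the
// certificate chain or the transparency-log proof, so treat its output as unverified input.
func ParseBundle(body []byte) (*Attestation, error) {
	var b bundle
	if strings.TrimSpace(string(body)) == "" {
		return nil, nil
	} else if err := json.Unmarshal(body, &b); err != nil {
		return nil, fmt.Errorf("bundle: %w", err)
	} else if b.DSSEEnvelope.Payload == "" {
		return nil, nil // non-provenance bundle that shares the sigstore shape
	}
	var st statement
	if raw, err := base64.StdEncoding.DecodeString(b.DSSEEnvelope.Payload); err != nil {
		return nil, fmt.Errorf("dsse payload: %w", err)
	} else if err = json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("in-toto statement: %w", err)
	} else if st.PredicateType != "https://slsa.dev/provenance/v1" {
		return nil, nil // other predicate types are ignored rather than rejected
	}
	att := &Attestation{PredicateType: st.PredicateType, BuilderID: st.Predicate.RunDetails.Builder.ID}
	for _, d := range st.Predicate.BuildDefinition.ResolvedDependencies {
		for _, alg := range []string{"gitCommit", "sha1"} { // first git digest marks the source checkout
			if sha := d.Digest[alg]; sha != "" && att.SourceRevision == "" {
				att.SourceRevision, att.SourceRepository = sha, normalizeRepo(d.URI)
			}
		}
	}
	if c := b.VerificationMaterial.Certificate.RawBytes; c != "" {
		if der, err := base64.StdEncoding.DecodeString(c); err != nil {
			return nil, fmt.Errorf("certificate: %w", err)
		} else if cert, err := x509.ParseCertificate(der); err != nil {
			return nil, fmt.Errorf("certificate: %w", err)
		} else if len(cert.URIs) > 0 { // the OIDC identity bound at signing time
			att.SignerIdentity = cert.URIs[0].String()
		} else if len(cert.EmailAddresses) > 0 {
			att.SignerIdentity = cert.EmailAddresses[0]
		}
	}
	return att, nil
}

// normalizeRepo strips the git+ prefix, the @ref suffix and a trailing .git.
func normalizeRepo(uri string) string {
	s, _, _ := strings.Cut(strings.TrimPrefix(uri, "git+"), "@")
	return strings.TrimSuffix(s, ".git")
}

// MakeSampleBundle builds a constructed bundle: a throwaway self-signed certificate stands
// in for Fulcio's, and the signature is a placeholder that no verifier would accept.
func MakeSampleBundle() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	id, _ := url.Parse("https://github.com/example-org/example-repo/.github/workflows/release.yml@refs/tags/v1.0.0")
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), URIs: []*url.URL{id}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	stmt := fmt.Sprintf(`{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"example-1.0.0.tgz","digest":{"sha256":"%s"}}],"predicateType":"https://slsa.dev/provenance/v1","predicate":{"buildDefinition":{"resolvedDependencies":[{"uri":"git+https://github.com/example-org/example-repo.git@refs/tags/v1.0.0","digest":{"gitCommit":"%s"}}]},"runDetails":{"builder":{"id":"%s"}}}}`,
		strings.Repeat("ab", 32), strings.Repeat("0123", 10), id)
	return []byte(fmt.Sprintf(`{"verificationMaterial":{"certificate":{"rawBytes":"%s"}},"dsseEnvelope":{"payloadType":"application/vnd.in-toto+json","payload":"%s","signatures":[{"sig":"%s"}]}}`,
		base64.StdEncoding.EncodeToString(der), base64.StdEncoding.EncodeToString([]byte(stmt)), base64.StdEncoding.EncodeToString([]byte("placeholder, not a real signature")))), nil
}

func main() {
	body, _ := MakeSampleBundle()
	fmt.Println(ParseBundle(body)) // prints the parsed claims and a nil error
}
```

Running it prints the five fields; the builder ID and signer identity both resolve to the workflow URI because the constructed certificate carries that URI as its SAN, which is the shape a keyless GitHub Actions signing produces. ParseBundle mirrors the documented contract: (nil, nil) for an empty body, an empty DSSE payload or a non-SLSA predicate, and an error only for malformed base64, JSON or certificate bytes. An audit log fed from this output should record it as "claimed", and only promote it to "verified" after a sigstore verifier has passed.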
