Inspecting artifact attestations
Generally speaking, attestations are authenticated metadata about software artifacts. Creating one requires an identity and its private signing key. The primary attestation that Konflux generates is the SLSA provenance, which is produced by Tekton Chains. This provenance records information from the PipelineRun that built the attested artifact, including the input parameters for the Tasks as well as the Task results.
To see the attestations, find the image for a recently completed build pipeline and export its reference to the IMAGE environment variable. Prefer a digest-pinned reference (repository@sha256:...) over a tag, since a tag can later be moved to a different image. Then you can start exploring the information stored in the attestations. Note that cosign download attestation only fetches the attestations and does not check their signatures; before acting on what they say, verify them with cosign verify-attestation against the key or identity that your Konflux instance's Tekton Chains signs with.
Exploring the provenance
Inspect the SLSA provenance
Tekton Chains produces a very detailed SLSA provenance. Pretty-printed, the provenance in the example below is over 2800 lines long, so the output is cut with head here.
$ cosign download attestation $IMAGE | jq -r '.payload | @base64d | fromjson' | head
{
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2",
"subject": [
{
"name": "quay.io/redhat-user-workloads/rhtap-integration-tenant/oras-container/oras-container",
"digest": {
"sha256": "5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39"
}
},
Use tools like jq to further filter the provenance and identify smaller sets of relevant information.
Identify the build parameters
Since the SLSA provenance includes metadata about the input parameters, we can use it to view the parameters for the Tekton PipelineRun including its source repository!
$ cosign download attestation $IMAGE | jq -r '.payload | @base64d | fromjson | .predicate.invocation.parameters'
{
"build-args-file": "",
"build-source-image": "false",
"dockerfile": "Containerfile",
"git-url": "https://github.com/konflux-ci/oras-container",
"hermetic": "false",
"image-expires-after": "",
"java": "false",
"output-image": "quay.io/redhat-user-workloads/rhtap-integration-tenant/oras-container/oras-container:477ee20f7e6d146ea203c4aaa0507f4d1e925a53",
"path-context": ".",
"prefetch-input": "",
"rebuild": "false",
"revision": "477ee20f7e6d146ea203c4aaa0507f4d1e925a53",
"skip-checks": "false"
}
Frequently used commands
Extract a link to the build logs
$ cosign download attestation $IMAGE | jq -r '.payload | @base64d | fromjson | .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/log-url"'
https://your-konflux-instance.com/application-pipeline/ns/your-tenant/pipelinerun/some-image-123-on-push-abcdef
Extract a link to the source repo
Extract a link to the source repo, at the commit that the build was built from. (The /-/tree/ and /-/commit/ path segments used below are GitLab's URL layout; GitHub uses /tree/ and /commit/ without the /-/ segment, so adjust the string for your forge.)
$ cosign download attestation $IMAGE | jq -r '.payload | @base64d | fromjson | .predicate.buildConfig.tasks[0].invocation.environment.annotations | ."pipelinesascode.tekton.dev/source-repo-url" + "/-/tree/" + ."pipelinesascode.tekton.dev/sha"'
https://github.com/your-org/your-repo/-/tree/021c682e1cbad87fea187051055b8259d356ed50
Extract a link to the commit itself
Extract a link to the commit itself, in the source repository:
$ cosign download attestation $IMAGE | jq -r '.payload | @base64d | fromjson | .predicate.buildConfig.tasks[0].invocation.environment.annotations | ."pipelinesascode.tekton.dev/source-repo-url" + "/-/commit/" + ."pipelinesascode.tekton.dev/sha"'
https://github.com/your-org/your-repo/-/commit/021c682e1cbad87fea187051055b8259d356ed50
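The jq one-liners in "Identify the build parameters" and "Frequently used commands" all repeat the same steps: decode the DSSE envelope, pull out the in-toto statement, and read fields from its predicate. The following Python is an added example, not code from the page or from the Konflux project, that does the same offline against a constructed envelope shaped like the one cosign download attestation prints (one JSON envelope per line). All names, URLs and digests in the sample are made up; the GitHub-versus-GitLab link layout is chosen by host name, which is an assumption for illustration. Beyond the page's commands it also checks that the statement is a SLSA v0.2 provenance whose subject digest is the image you asked about, and flags parameter values (hermetic, skip-checks) that weaken the build's guarantees.

```python
import base64
import json
from urllib.parse import urlparse

SLSA_V02 = "https://slsa.dev/provenance/v0.2"
PAC = "pipelinesascode.tekton.dev/"

# Constructed sample: a minimal statement shaped like the Tekton Chains provenance
# shown above. Names, URLs, digests and parameter values are made up.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SLSA_V02,
    "subject": [{"name": "quay.io/example-tenant/app/app",
                 "digest": {"sha256": "5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39"}}],
    "predicate": {
        "invocation": {"parameters": {
            "git-url": "https://github.com/example-org/app",
            "revision": "477ee20f7e6d146ea203c4aaa0507f4d1e925a53",
            "hermetic": "false", "skip-checks": "true"}},
        "buildConfig": {"tasks": [{"invocation": {"environment": {"annotations": {
            PAC + "log-url": "https://konflux.example.com/application-pipeline/ns/example-tenant/pipelinerun/app-on-push-abc",
            PAC + "source-repo-url": "https://github.com/example-org/app",
            PAC + "sha": "477ee20f7e6d146ea203c4aaa0507f4d1e925a53"}}}}]},
    },
}

# `cosign download attestation` prints one DSSE envelope per line; emulate that.
# The signature bytes are a placeholder: nothing here verifies them (see the note
# about cosign verify-attestation above).
SAMPLE_OUTPUT = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "c2lnbmF0dXJlLWJ5dGVz"}],
}) + "\n"


def decode_envelopes(text):
    """Decode newline-delimited DSSE envelopes into in-toto statements (jq: .payload | @base64d | fromjson)."""
    statements = []
    for line in text.splitlines():
        if line.strip():
            envelope = json.loads(line)
            statements.append(json.loads(base64.b64decode(envelope["payload"])))
    return statements


def find_provenance(statements, image_digest):
    """Return the SLSA v0.2 provenance whose subject is exactly the image digest we asked about."""
    for stmt in statements:
        if stmt.get("predicateType") != SLSA_V02:
            continue
        for subject in stmt.get("subject", []):
            if subject.get("digest", {}).get("sha256") == image_digest:
                return stmt
    raise ValueError(f"no SLSA v0.2 provenance with subject sha256:{image_digest}")


def build_parameters(stmt):
    """The PipelineRun parameters (jq: .predicate.invocation.parameters)."""
    return stmt["predicate"]["invocation"]["parameters"]


def pac_annotations(stmt):
    """Pipelines-as-Code annotations of the first task, with the common prefix stripped."""
    env = stmt["predicate"]["buildConfig"]["tasks"][0]["invocation"]["environment"]
    return {k[len(PAC):]: v for k, v in env["annotations"].items() if k.startswith(PAC)}


def source_links(stmt):
    """Log, tree and commit URLs. GitLab uses /-/tree and /-/commit, GitHub does not (assumed from host name)."""
    ann = pac_annotations(stmt)
    repo, sha = ann["source-repo-url"].rstrip("/"), ann["sha"]
    prefix = "/-" if "gitlab" in urlparse(repo).netloc else ""
    return {"log": ann["log-url"],
            "tree": f"{repo}{prefix}/tree/{sha}",
            "commit": f"{repo}{prefix}/commit/{sha}"}


def risky_settings(params):
    """Flag parameter values that weaken what the provenance tells you about the build."""
    warnings = []
    if params.get("hermetic") != "true":
        warnings.append("hermetic=false: build had network access")
    if params.get("skip-checks") == "true":
        warnings.append("skip-checks=true: pipeline checks were skipped")
    return warnings


if __name__ == "__main__":
    stmts = decode_envelopes(SAMPLE_OUTPUT)
    prov = find_provenance(stmts, SAMPLE_STATEMENT["subject"][0]["digest"]["sha256"])
    print(json.dumps(build_parameters(prov), indent=2))
    print(json.dumps(source_links(prov), indent=2))
    print("\n".join(risky_settings(build_parameters(prov))))
```

To use it against a real image, pipe the output of cosign download attestation $IMAGE into decode_envelopes and pass the sha256 of $IMAGE to find_provenance; if that raises, the attestations you fetched are not about the image you think they are.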