Inspecting artifact attestations

Generally speaking, attestations are authenticated metadata about software artifacts. An identity (and their private cryptographic key) are required to create an attestation for a software artifact. The primary attestation that Konflux generates is the SLSA provenance which is produced by Tekton Chains. This provenance contains information from the PipelineRun that generated the attested artifact including input parameters for the Tasks as well as Task results.

To see the attestations, you need to find the image for a recently completed build pipeline and export that value to the IMAGE environment variable. Then you can start exploring the information stored in the attestations.

Exploring the provenance

Inspect the SLSA provenance

Tekton Chains produces a very detailed SLSA provenance. The output from the following provenance is over 2800 lines long!

$ cosign download attestation $IMAGE | jq -r '.payload | @base64d | fromjson' | head
{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "subject": [
    {
      "name": "quay.io/redhat-user-workloads/rhtap-integration-tenant/oras-container/oras-container",
      "digest": {
        "sha256": "5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39"
      }
    },

Use tools like jq to further filter the provenance to identify smaller sets of relevant information.

Identify the build parameters

Since the SLSA provenance includes metadata about the input parameters, we can use it to view the parameters for the Tekton PipelineRun including its source repository!

$ cosign download attestation $IMAGE | jq -r '.payload | @base64d | fromjson | .predicate.invocation.parameters'
{
  "build-args-file": "",
  "build-source-image": "false",
  "dockerfile": "Containerfile",
  "git-url": "https://github.com/konflux-ci/oras-container",
  "hermetic": "false",
  "image-expires-after": "",
  "java": "false",
  "output-image": "quay.io/redhat-user-workloads/rhtap-integration-tenant/oras-container/oras-container:477ee20f7e6d146ea203c4aaa0507f4d1e925a53",
  "path-context": ".",
  "prefetch-input": "",
  "rebuild": "false",
  "revision": "477ee20f7e6d146ea203c4aaa0507f4d1e925a53",
  "skip-checks": "false"
}

Frequently used commands

$ cosign download attestation $IMAGE | jq -r '.payload | @base64d | fromjson | .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/log-url"'
https://your-konflux-instance.com/application-pipeline/ns/your-tenant/pipelinerun/some-image-123-on-push-abcdef

Extract a link to the source repo, at the commit that the build was built from:

$ cosign download attestation $IMAGE | jq -r '.payload | @base64d | fromjson | .predicate.buildConfig.tasks[0].invocation.environment.annotations | ."pipelinesascode.tekton.dev/source-repo-url" + "/-/tree/" + ."pipelinesascode.tekton.dev/sha"'
https://github.com/your-org/your-repo/-/tree/021c682e1cbad87fea187051055b8259d356ed50

Extract a link to the commit itself, in the source repository:

$ cosign download attestation $IMAGE | jq -r '.payload | @base64d | fromjson | .predicate.buildConfig.tasks[0].invocation.environment.annotations | ."pipelinesascode.tekton.dev/source-repo-url" + "/-/commit/" + ."pipelinesascode.tekton.dev/sha"'
https://github.com/your-org/your-repo/-/commit/021c682e1cbad87fea187051055b8259d356ed50