Inspecting artifact attestations

Generally speaking, attestations are authenticated metadata about software artifacts. Creating an attestation for an artifact requires an identity and that identity's private signing key, so a verifier can later check who made the claim. The primary attestation that Konflux generates is the SLSA provenance, which is produced by Tekton Chains. This provenance contains information from the PipelineRun that generated the attested artifact, including the input parameters for the Tasks as well as the Task results.

To see the attestations, find the image for a recently completed build pipeline (by digest rather than by tag, so the value cannot move under you) and export it to the IMAGE environment variable. Then you can start exploring the information stored in the attestations. Note that `cosign download attestation` only fetches the attestations attached to the image; it does not check their signatures. When you need to trust the contents rather than just read them, use `cosign verify-attestation` with the appropriate key or identity instead.

Inspect the SLSA provenance

Tekton Chains produces a very detailed SLSA provenance. The provenance for the image in the following example is over 2800 lines long, so only the first few lines are shown here. The command prints a DSSE envelope; the in-toto statement is base64-encoded in its payload field, which is why the jq filter decodes it before parsing.

$ cosign download attestation $IMAGE | jq -r '.payload | @base64d | fromjson' | head
{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "subject": [
    {
      "name": "quay.io/redhat-user-workloads/rhtap-integration-tenant/oras-container/oras-container",
      "digest": {
        "sha256": "5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39"
      }
    },

Use tools like jq to further filter the provenance to identify smaller sets of relevant information.

Identify the build parameters

Because the SLSA provenance records the invocation's input parameters, you can use it to see exactly what the Tekton PipelineRun was asked to build, including the source repository and revision. These are the values as recorded by Tekton Chains from the PipelineRun, so they are the right place to confirm settings such as whether the build was hermetic.

$ cosign download attestation $IMAGE | jq -r '.payload | @base64d | fromjson | .predicate.invocation.parameters'
{
  "build-args-file": "",
  "build-source-image": "false",
  "dockerfile": "Containerfile",
  "git-url": "https://github.com/konflux-ci/oras-container",
  "hermetic": "false",
  "image-expires-after": "",
  "java": "false",
  "output-image": "quay.io/redhat-user-workloads/rhtap-integration-tenant/oras-container/oras-container:477ee20f7e6d146ea203c4aaa0507f4d1e925a53",
  "path-context": ".",
  "prefetch-input": "",
  "rebuild": "false",
  "revision": "477ee20f7e6d146ea203c4aaa0507f4d1e925a53",
  "skip-checks": "false"
}
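The two steps above (decoding the envelope, then pulling out the invocation parameters) are easy to script once you stop relying on a single jq one-liner. The following is an added example, not code from the Konflux project or the original page. It reimplements the decoding done by the jq filter in Python and adds the checks a practitioner would want before acting on the result: it handles the one-envelope-per-line output of `cosign download attestation`, skips attestations that are not SLSA v0.2 provenance, and confirms that the provenance subject actually carries the digest of the image you asked about. The envelope, statement contents, image name, digests and the second (CycloneDX SBOM) attestation are all constructed sample data so the script runs offline.

```python
import base64
import json

# Constructed sample data (not a real Konflux build): an in-toto statement
# shaped like the Tekton Chains SLSA v0.2 provenance shown above.
SAMPLE_DIGEST = "ab" * 32
SAMPLE_PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [
        {"name": "quay.io/example-tenant/app/app", "digest": {"sha256": SAMPLE_DIGEST}}
    ],
    "predicate": {
        "builder": {"id": "https://tekton.dev/chains/v2"},
        "invocation": {
            "parameters": {
                "git-url": "https://github.com/example/app",
                "revision": "0123456789abcdef0123456789abcdef01234567",
                "hermetic": "false",
                "dockerfile": "Containerfile",
            }
        },
    },
}

# A second, unrelated attestation (an SBOM) attached to the same image, to show
# that filtering by predicateType is needed. Also constructed.
SAMPLE_SBOM = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://cyclonedx.org/bom",
    "subject": [{"name": "quay.io/example-tenant/app/app", "digest": {"sha256": SAMPLE_DIGEST}}],
    "predicate": {"bomFormat": "CycloneDX"},
}


def make_envelope(statement: dict) -> str:
    """Wrap a statement in a DSSE envelope the way cosign prints it.
    The signature is a placeholder; this script reads, it does not verify."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps(
        {
            "payloadType": "application/vnd.in-toto+json",
            "payload": payload,
            "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}],
        }
    )


# `cosign download attestation` emits one envelope per line (JSON lines).
SAMPLE_OUTPUT = "\n".join([make_envelope(SAMPLE_SBOM), make_envelope(SAMPLE_PROVENANCE)])


def decode_envelopes(stream: str) -> list:
    """Decode every DSSE envelope in the stream into its in-toto statement.
    This is the Python equivalent of `jq '.payload | @base64d | fromjson'`."""
    statements = []
    for line in stream.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != "application/vnd.in-toto+json":
            continue  # not an in-toto statement; ignore
        statements.append(json.loads(base64.b64decode(envelope["payload"])))
    return statements


def slsa_provenance_for(statements: list, image_digest: str):
    """Return the SLSA v0.2 provenance whose subject lists image_digest,
    or None. Checking the subject digest guards against reading a provenance
    that describes a different artifact than the one you are inspecting."""
    for statement in statements:
        if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
            continue
        for subject in statement.get("subject", []):
            if subject.get("digest", {}).get("sha256") == image_digest:
                return statement
    return None


def build_parameters(statement: dict) -> dict:
    """Extract the PipelineRun input parameters (`.predicate.invocation.parameters`)."""
    return statement["predicate"]["invocation"]["parameters"]


if __name__ == "__main__":
    provenance = slsa_provenance_for(decode_envelopes(SAMPLE_OUTPUT), SAMPLE_DIGEST)
    if provenance is None:
        raise SystemExit("no SLSA provenance found for the requested digest")
    params = build_parameters(provenance)
    print(json.dumps(params, indent=2))
    if params.get("hermetic") != "true":
        print("warning: build was not hermetic")
```

To run it against a real image, replace SAMPLE_OUTPUT with the text returned by `cosign download attestation "$IMAGE"` and SAMPLE_DIGEST with the sha256 of that image. The subject-digest check is what makes the script worth having over the jq one-liner: a registry can hold several attestations for one repository, and only the one whose subject matches your digest speaks for your artifact.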