A size-efficient description of any software artifact or resource (mutable or immutable).
{
"name": "<NAME>",
"uri": "<RESOURCE URI>",
"digest": { "<ALGORITHM>": "<HEX VALUE>", ... },
"content": "<BASE64 VALUE>", // converted from bytes for JSON
"downloadLocation": "<RESOURCE URI>",
"mediaType": "<MIME TYPE>",
"annotations": {
"<FIELD_1>": /* value */,
"<FIELD_2>": /* value */,
...
}
}
Though all fields are optional, a ResourceDescriptor MUST specify one of uri
,
digest
or content
at a minimum. Further, a context that uses the
ResourceDescriptor can require one or more fields. For example, a predicate may
require the name
and digest
fields. Note that those requirements cannot
override the minimum requirement of one of uri
, digest
, or content
specified here.
name
string, optional
Machine-readable identifier for distinguishing between descriptors.
The semantics are up to the producer and consumer. The
name
SHOULD be stable, such as a filename, to allow consumers to reliably use thename
as part of their policy.
uri
ResourceURI, optional
A URI used to identify the resource or artifact globally. This field is REQUIRED unless either
digest
orcontent
is set.
digest
DigestSet, optional
A set of cryptographic digests of the contents of the resource or artifact. This field is REQUIRED unless either
uri
orcontent
is set.When known, the producer SHOULD set this field to denote an immutable artifact or resource. The producer and consumer SHOULD agree on acceptable algorithms.
content
bytes, optional
The contents of the resource or artifact. This field is REQUIRED unless either
uri
ordigest
is set.The producer MAY use this field in scenarios where including the contents of the resource/artifact directly in the attestation is deemed more efficient for consumers than providing a pointer to another location. To maintain size efficiency, the size of
content
SHOULD be less than 1KB.The semantics are up to the producer and consumer. The
uri
ormediaType
MAY be used by the producer as hints for how consumers should parsecontent
.
downloadLocation
ResourceURI, optional
The location of the described resource or artifact, if different from the
uri
.To enable automated downloads by consumers, the specified location SHOULD be resolvable.
mediaType
string, optional
The MIME Type (i.e., media type) of the described resource or artifact.
For resources or artifacts that do not have a standardized MIME type, producers SHOULD follow RFC 6838 (Sections 3.2-3.4) conventions of prefixing types with
x.
,prs.
, orvnd.
to avoid collisions with other producers.
annotations
map <string, value>, optional
This field MAY be used to provide additional information or metadata about the resource or artifact that may be useful to the consumer when evaluating the attestation against a policy.
For maximum flexibility annotations may be any mapping from a field name to any JSON value (string, number, object, array, boolean or null).
The producer and consumer SHOULD agree on the semantics, and acceptable fields and values in the
annotations
map. Producers SHOULD follow the same naming conventions for annotation fields as for extension fields.
Though the ResourceDescriptor allows for a high degree of flexibility, certain field combinations typically have specific semantics. For consistency, we RECOMMEND the following:
- A descriptor that specifies a
digest
is assumed to refer to an immutable resource or artifact. Thedigest
SHOULD match the resource or artifact specified in one of thename
,uri
,content
ordownloadLocation
fields. The field that consumers are expected to match thedigest
against is ultimately determined by the predicate type, and SHOULD be documented by the predicate specification. - A descriptor without a
content
field, is assumed to serve as a pointer to the resource/artifact. - When
uri
andname
are specified, the scope ofname
is assumed to be local to the attestation. Thename
SHOULD be compared to theuri
to match the descriptor against the resource or artifact referenced universally.
Pointer to a file:
{
"name": "Foo.apk",
"uri": "git+https://android.googlesource.com/platform/vendor/foo/bar@16244f4e7524d44a8f3060905eaf9190e96e9fb0#prebuilts/Foo/Foo.apk",
"digest": { "sha256": "7f4714fd..." }
}
Pointer to a git repo (with annotations):
{
"uri": "git+https://github.com/actions/runner",
"digest": { "sha1": "d61b27b8395512..." },
"annotations": { "twoPartyReview": false }
}
Pointer to another in-toto attestation:
{
"name": "gcc_9.3.0-1ubuntu2_amd64.intoto.json",
"digest": { "sha256": "abcdabcde..." },
"downloadLocation": "http://example.com/rebuilderd-instance/gcc_9.3.0-1ubuntu2_amd64.intoto.json",
"mediaType": "application/x.dsse+json"
}
Pointer to build service:
{
"uri": "https://cloudbuild.googleapis.com/GoogleHostedWorker@v1"
}
Descriptor for Tekton TaskRun:
{
"uri": "https://tekton.dev/TaskRun/check/result/report",
"digest": {
"sha256": "ec87961dbfe8e7d8a73890c602ac7bd407b80b9e31c326beb9110bdd255f12e6"
},
"content": "eyAicmVzdWx0IjogIlNVQ0NFU1MiLCAidGltZXN0YW1wIjogIjE2Nzc4NzIyMzYiLCAic3VjY2Vzc2VzIjogMjIsICJmYWlsdXJlcyI6IDAsICJ3YXJuaW5ncyI6MCB9",
"mediaType": "application/json"
}