slsa-framework · laurentsimon · Mar 26, 2024 · Feb 29, 2024 · Mar 5, 2024 · Mar 6, 2024
@@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - [Unreleased: Gradle Builder](#unreleased-gradle-builder)
   - [Unreleased: Go Builder](#unreleased-go-builder)
   - [Unreleased: Container Generator](#unreleased-container-generator)
+  - [Unreleased: DSSE Rekor type](#unreleased-dsse-rekor-type)
 - [v1.9.0](#v190)
   - [v1.9.0: BYOB framework (beta)](#v190-byob-framework-beta)
   - [v1.9.0: Maven builder (beta)](#v190-maven-builder-beta)
@@ -114,6 +115,13 @@ duplication."
 - A new `provenance-repository` input was added to allow reading provenance from
   a different container repository than the image itself (#2956)
 
+### Unreleased: DSSE Rekor Type
+
+- When uploading signed provenance to the log, the entry created in the log is now
+  a DSSE Rekor type. This fixes a bug where the current intoto type does not
+  persist provenance signatures. The attestation will no longer be persisted
+  in Rekor (#3299)
+
 ## v1.9.0
 
 Release [v1.9.0] includes bug fixes and new features.

@@ -80,7 +80,7 @@ func (r *Rekor) Upload(ctx context.Context, att signing.Attestation) (signing.Lo
 		return nil, fmt.Errorf("creating rekor client: %w", err)
 	}
 	// TODO: Is it a bug that we need []byte(string(k.Cert)) or else we hit invalid PEM?
-	logEntry, err := cosign.TLogUploadInTotoAttestation(ctx, rekorClient, att.Bytes(), []byte(string(att.Cert())))
+	logEntry, err := cosign.TLogUploadDSSEEnvelope(ctx, rekorClient, att.Bytes(), []byte(string(att.Cert())))
 	if err != nil {
 		return nil, fmt.Errorf("uploading attestation: %w", err)
 	}