feat(attestation): in-toto 1.0 resource descriptor support

[migmartri]

Adds additional attestation renderer (v0.2) that drops the usage of custom material definitions and instead leverages in-toto 1.0 resource descriptors

Summarizing this new logic

• Uses the annotations map to add additional metadata such as the name and the type of the material
• Uses the name property instead of previously the URI. This is ok because we always use the digest as strong reference.
• For plain text cases (artifacts of type STRING) we inject the data in the content property, i.e "content": "YS1zdHJpbmc="

The difference in practice can be seen here

diff -u  attestation.output.v0.1.json attestation.output.v0.2.json
--- attestation.output.v0.1.json        2023-05-04 11:45:39.598283467 +0200
+++ attestation.output.v0.2.json        2023-05-04 16:06:02.013490886 +0200
@@ -1,6 +1,6 @@
 {
   "_type": "https://in-toto.io/Statement/v0.1",
-  "predicateType": "chainloop.dev/attestation/v0.1",
+  "predicateType": "chainloop.dev/attestation/v0.2",
   "subject": [
     {
       "name": "chainloop.dev/workflow/foo",
@@ -27,46 +27,40 @@
     },
     "materials": [
       {
-        "name": "build-ref",
-        "type": "STRING",
-        "material": {
-          "stringVal": "a-string"
+        "content": "YS1zdHJpbmc=",
+        "annotations": {
+          "chainloop.material.name": "build-ref",
+          "chainloop.material.type": "STRING"
         }
       },
       {
-        "name": "rootfs",
-        "type": "ARTIFACT",
-        "material": {
-          "slsa": {
-            "uri": "Makefile",
-            "digest": {
-              "sha256": "cfc7d8e24d21ade921d720228ad1693de59dab45ff679606940be75b7bf660dc"
-            }
-          }
+        "digest": {
+          "sha256": "cfc7d8e24d21ade921d720228ad1693de59dab45ff679606940be75b7bf660dc"
+        },
+        "name": "Makefile",
+        "annotations": {
+          "chainloop.material.name": "rootfs",
+          "chainloop.material.type": "ARTIFACT"
         }
       },
       {
-        "name": "skynet-control-plane",
-        "type": "CONTAINER_IMAGE",
-        "material": {
-          "slsa": {
-            "uri": "index.docker.io/bitnami/nginx",
-            "digest": {
-              "sha256": "580ac09da7771920dfd0c214964e7bfe4c27903bcbe075769a4044a67c9a390a"
-            }
-          }
+        "digest": {
+          "sha256": "580ac09da7771920dfd0c214964e7bfe4c27903bcbe075769a4044a67c9a390a"
+        },
+        "name": "index.docker.io/bitnami/nginx",
+        "annotations": {
+          "chainloop.material.name": "skynet-control-plane",
+          "chainloop.material.type": "CONTAINER_IMAGE"
         }
       },
       {
-        "name": "skynet-sbom",
-        "type": "SBOM_CYCLONEDX_JSON",
-        "material": {
-          "slsa": {
-            "uri": "sbom.cyclonedx.json",
-            "digest": {
-              "sha256": "16159bb881eb4ab7eb5d8afc5350b0feeed1e31c0a268e355e74f9ccbe885e0c"
-            }
-          }
+        "digest": {
+          "sha256": "16159bb881eb4ab7eb5d8afc5350b0feeed1e31c0a268e355e74f9ccbe885e0c"
+        },
+        "name": "sbom.cyclonedx.json",
+        "annotations": {
+          "chainloop.material.name": "skynet-sbom",
+          "chainloop.material.type": "SBOM_CYCLONEDX_JSON"
         }
       }
     ],
@@ -76,4 +70,4 @@
     "buildType": "chainloop.dev/workflowrun/v0.1",
     "runnerType": "GITHUB_ACTION"
   }
-}
+}

You can find a newly generated in-toto statement here

NOTE: This renderer is not enabled by default yet since nor the backend nor the CLI consumers are ready to parse the new format. A future patch will prepare such consumers to work with both formats and enable v0.2 by default while deprecating v0.1.

cc/ @adityasaky JFYI and in case you can spot an improper use of the resourceDescriptor properties.

Refs #60