diff --git a/CHANGELOG.md b/CHANGELOG.md
index 26b4b7c11b..251236f034 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
+- [Unreleased](#unreleased)
+ - [Unreleased: DSSE Rekor Type](#unreleased-dsse-rekor-type)
 - [v1.10.0](#v1100)
 - [v1.10.0: TUF fix](#v1100-tuf-fix)
 - [v1.10.0: Gradle Builder](#v1100-gradle-builder)
@@ -98,9 +100,18 @@ Use the format "X.Y.Z: Go builder" etc. for format headers to avoid header name
 duplication." -->
+## Unreleased
+
+### Unreleased: DSSE Rekor Type
+
+- When uploading signed provenance to the log, the entry created in the log is now
+ a DSSE Rekor type. This fixes a bug where the current intoto type does not
+ persist provenance signatures. The attestation will no longer be persisted
+ in Rekor (#3299)
+
 ## v1.10.0
-Release [v1.10.0] includes bug fixes and new features.
+Release [v1.10.0](https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.10.0) includes bug fixes and new features.
 See the [full change list](https://github.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.10.0).
diff --git a/signing/sigstore/rekor.go b/signing/sigstore/rekor.go
index fed2f8e4a7..0dd2bc2c69 100644
--- a/signing/sigstore/rekor.go
+++ b/signing/sigstore/rekor.go
@@ -80,7 +80,7 @@ func (r *Rekor) Upload(ctx context.Context, att signing.Attestation) (signing.Lo
 return nil, fmt.Errorf("creating rekor client: %w", err)
 }
 // TODO: Is it a bug that we need []byte(string(k.Cert)) or else we hit invalid PEM?
-logEntry, err := cosign.TLogUploadInTotoAttestation(ctx, rekorClient, att.Bytes(), []byte(string(att.Cert())))
+logEntry, err := cosign.TLogUploadDSSEEnvelope(ctx, rekorClient, att.Bytes(), []byte(string(att.Cert())))
 if err != nil {
 return nil, fmt.Errorf("uploading attestation: %w", err)
 }
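Review bot: The TODO comment directly above the changed call in rekor.go still refers to `k.Cert`, a name that does not appear in this code, while the call now passes `att.Cert()` to `cosign.TLogUploadDSSEEnvelope`; the comment should be updated or dropped alongside this change. Since the changelog in the same commit states that with the DSSE Rekor type the attestation body is no longer persisted in Rekor, the new call line deserves a comment making that verification consequence visible at the call site, e.g. `// DSSE entries record the envelope hash and signatures, not the attestation body; the attestation must be published with the artifact for verifiers.` It is also worth confirming that whatever consumes `logEntry` after this hunk still validates the entry's inclusion proof and signed timestamp under the new entry type rather than trusting the returned struct; the remainder of Upload lies outside the hunk. The error text `uploading attestation` could read `uploading DSSE envelope` so log messages match the new entry kind.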