v1.0.0
v1.0 Release
Our first major release introduces new primitives, basic tooling and guidelines for contributing new predicate types. We also made significant updates to the DigestSet type and to the rules for extension fields.
What's New
- Guidelines for contributing new predicates
- Attestation Bundle layer: A collection of multiple attestations in a single file.
- Resource Descriptor type: A size-efficient description of any software artifact or resource (mutable or immutable).
- Protobuf definitions: Language-independent definitions of attestation Statement and select predicates.
- Golang library and example app
DISCLAIMER: The protobuf definitions and Golang bindings will not be considered stable until the v1.1 tagged release. Use at your own risk.
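The bundle layer is a JSON Lines file with one DSSE envelope per line, which is what lets a single file carry many attestations. The Go program below is an added example, not code from the in-toto attestation project or its Go library: it seals serialized statements into Ed25519-signed envelopes, writes them as a bundle, and reads the bundle back, verifying every line against the caller's own trust store before the payload is handed on. The envelope field names and the pre-authentication encoding follow DSSE; the key id "ci-key-1", the trust-store layout, the example.com predicate types and the sha256 value are constructed for this example.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// PayloadType is the DSSE payloadType for in-toto statements.
const PayloadType = "application/vnd.in-toto+json"

// Envelope is the DSSE JSON envelope each bundle line carries; each signature is a {"keyid","sig"} object.
type Envelope struct {
	PayloadType string              `json:"payloadType"`
	Payload     string              `json:"payload"`
	Signatures  []map[string]string `json:"signatures"`
}

// pae is the DSSE pre-authentication encoding; it binds the payload type into the signature.
func pae(typ string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(body), body))
}

// Seal wraps one serialized statement in an Ed25519-signed envelope.
func Seal(body []byte, keyID string, priv ed25519.PrivateKey) Envelope {
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pae(PayloadType, body)))
	return Envelope{PayloadType: PayloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []map[string]string{{"keyid": keyID, "sig": sig}}}
}

// WriteBundle emits one envelope per line (JSON Lines), so a file can be appended to without rewriting.
func WriteBundle(envs []Envelope) []byte {
	var buf bytes.Buffer
	for _, e := range envs {
		line, _ := json.Marshal(e) // strings and slices only: cannot fail
		buf.Write(append(line, '\n'))
	}
	return buf.Bytes()
}

// ReadBundle returns the decoded payload of every envelope signed by a trusted key. The keyid in
// the envelope is only a lookup hint; key material comes from the caller's trust store. Any bad
// line rejects the whole bundle (fail closed), and a payload is returned only after it verifies.
func ReadBundle(bundle []byte, trusted map[string]ed25519.PublicKey) ([][]byte, error) {
	var out [][]byte
	sc := bufio.NewScanner(bytes.NewReader(bundle))
	sc.Buffer(make([]byte, 0, 64*1024), 16<<20) // attestations can exceed the 64 KiB default line limit
	for n := 1; sc.Scan(); n++ {
		if len(bytes.TrimSpace(sc.Bytes())) == 0 {
			continue // tolerate blank lines, e.g. from concatenating files
		}
		var e Envelope
		if err := json.Unmarshal(sc.Bytes(), &e); err != nil || e.PayloadType != PayloadType {
			return nil, fmt.Errorf("line %d: malformed envelope or unexpected payloadType", n)
		}
		body, err := base64.StdEncoding.DecodeString(e.Payload)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		verified := false
		for _, s := range e.Signatures {
			pub, known := trusted[s["keyid"]]
			raw, err := base64.StdEncoding.DecodeString(s["sig"])
			if known && err == nil && ed25519.Verify(pub, pae(e.PayloadType, body), raw) {
				verified = true
				break
			}
		}
		if !verified {
			return nil, fmt.Errorf("line %d: no signature from a trusted key", n)
		}
		out = append(out, body)
	}
	return out, sc.Err()
}

// BuildSampleBundle signs two constructed statements about one artifact with a fresh key and
// returns the bundle plus the trust store a verifier would hold. Only the _type URI is real.
func BuildSampleBundle() ([]byte, map[string]ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	const tmpl = `{"_type":"https://in-toto.io/Statement/v1","subject":[{"digest":{"sha256":"%s"}}],` +
		`"predicateType":"https://example.com/predicates/%s/v1","predicate":{}}`
	const digest = "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c" // constructed sample value
	var envs []Envelope
	for _, p := range []string{"build", "scan"} {
		envs = append(envs, Seal([]byte(fmt.Sprintf(tmpl, digest, p)), "ci-key-1", priv))
	}
	return WriteBundle(envs), map[string]ed25519.PublicKey{"ci-key-1": pub}, nil
}

func main() {
	bundle, trusted, err := BuildSampleBundle()
	if err != nil {
		panic(err)
	}
	payloads, err := ReadBundle(bundle, trusted)
	fmt.Printf("%d lines, %d verified payloads, err=%v\n", bytes.Count(bundle, []byte("\n")), len(payloads), err)
}
```

Because verification happens per line and the whole bundle is rejected on the first failure, a bundle that has been partially tampered with, re-signed with an unknown key, or padded with an envelope of a different payloadType yields no payloads at all rather than a mix of trusted and untrusted statements.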
Updates
- Add dirHash1, gitCommit, gitTree, etc. to the list of pre-defined algorithms for DigestSet
- Specify lowercase-hex encoding for standard algorithms only
- Relax requirements for Statement subject name
- Updated rules for extension fields and unrecognized fields
- Documentation updates
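To make the DigestSet and subject rules above concrete, here is an added Go example (not code from the in-toto attestation project or its Go library) that parses and validates a v1.0 Statement. Standard hash algorithms must be lowercase hex of the right length, while gitCommit, gitTree, dirHash1 and any other non-standard algorithm are accepted as opaque non-empty strings, and a subject may omit its name as long as it carries a digest. The set of standard algorithms and their digit counts is a subset chosen for the example, the rule that every subject must carry a DigestSet is this verifier's policy, and the sample statement's URI, digest values and predicate type are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// StatementType is the v1.0 Statement _type URI.
const StatementType = "https://in-toto.io/Statement/v1"

// DigestSet maps an algorithm name to a digest value.
type DigestSet map[string]string

// ResourceDescriptor describes an artifact. Since v1.0 the name is optional,
// so a subject is identified by its DigestSet (plus an optional URI).
type ResourceDescriptor struct {
	Name   string    `json:"name,omitempty"`
	URI    string    `json:"uri,omitempty"`
	Digest DigestSet `json:"digest,omitempty"`
}

// Statement is the v1.0 Statement layer.
type Statement struct {
	Type          string               `json:"_type"`
	Subject       []ResourceDescriptor `json:"subject"`
	PredicateType string               `json:"predicateType"`
	Predicate     any                  `json:"predicate"`
}

// Standard algorithms whose value MUST be lowercase hex of this many digits (a subset of the
// spec's list chosen for the example). Other algorithms, e.g. gitCommit, gitTree or dirHash1,
// carry no encoding rule here and are accepted as opaque non-empty strings.
var stdHexLen = map[string]int{"sha256": 64, "sha384": 96, "sha512": 128, "sha1": 40, "md5": 32}
var lowerHex = regexp.MustCompile(`^[0-9a-f]+$`)

// ValidateDigestSet rejects empty sets, empty values and mis-encoded standard digests.
func ValidateDigestSet(d DigestSet) error {
	if len(d) == 0 {
		return fmt.Errorf("empty digest set")
	}
	for alg, val := range d {
		n, std := stdHexLen[alg]
		if val == "" || (std && (len(val) != n || !lowerHex.MatchString(val))) {
			return fmt.Errorf("%s digest %q is not a valid encoding", alg, val)
		}
	}
	return nil
}

// ValidateStatement applies the structural checks a consumer makes before acting on a
// statement: the v1 _type, a predicateType, and at least one subject, each with a valid
// DigestSet. An empty or missing subject name is allowed (this verifier's policy).
func ValidateStatement(s Statement) error {
	if s.Type != StatementType {
		return fmt.Errorf("unexpected _type %q", s.Type)
	}
	if s.PredicateType == "" || len(s.Subject) == 0 {
		return fmt.Errorf("predicateType and at least one subject are required")
	}
	for i, rd := range s.Subject {
		if err := ValidateDigestSet(rd.Digest); err != nil {
			return fmt.Errorf("subject[%d]: %w", i, err)
		}
	}
	return nil
}

// ParseStatement decodes JSON and validates the result in one step.
func ParseStatement(data []byte) (Statement, error) {
	var s Statement
	if err := json.Unmarshal(data, &s); err != nil {
		return s, err
	}
	return s, ValidateStatement(s)
}

// SampleStatement is constructed sample data: the URI, digests and predicate type are made
// up, and the subject name is deliberately omitted.
const SampleStatement = `{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [{"uri": "pkg:generic/example-app@1.0.0",
               "digest": {"sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c",
                          "gitCommit": "3f786850e387550fdab836ed7e6dc881de23001b"}}],
  "predicateType": "https://example.com/predicates/build/v1",
  "predicate": {"builder": "ci.example.com"}
}`

func main() {
	s, err := ParseStatement([]byte(SampleStatement))
	if err != nil {
		panic(err)
	}
	fmt.Printf("name=%q sha256=%s\n", s.Subject[0].Name, s.Subject[0].Digest["sha256"])
	// Uppercase hex fails for sha256 (a standard algorithm) but is not checked for gitCommit.
	fmt.Println(ValidateDigestSet(DigestSet{"sha256": "B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C"}))
	fmt.Println(ValidateDigestSet(DigestSet{"gitCommit": "3F786850E387550FDAB836ED7E6DC881DE23001B"}))
}
```

The length check matters as much as the case check: a verifier that compares a truncated or uppercase digest string against a freshly computed lowercase one would simply report a mismatch, but a verifier that looks the string up in an allow-list could be bypassed by an alternate encoding of the same digest, which is why the rule is enforced at parse time.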
New Predicate Types
Since v0.1, we have added three predicate types to our catalog. Please note that predicates are versioned independently from the in-toto attestation spec.
- Supply Chain Attribute Integrity (SCAI): Evidence-based assertions about software artifact and supply chain attributes or behavior.
- Runtime Traces: Captures runtime traces of software supply chain operations.
- SLSA Verification Summary (VSA): SLSA verification decision about a software artifact.
Thanks
Thank you to all contributors to this release!
Full Changelog: v0.1.0...v1.0