add more test cases

Author: wolfv

src/bundle/dsse.rs

@@ -145,6 +145,17 @@ impl DsseEnvelope {
     pub fn signatures(&self) -> &[DsseSignature] {
         &self.0.signatures
     }
+
+    /// Decodes and parses the payload as an in-toto Statement.
+    ///
+    /// This is a convenience method for DSSE envelopes containing in-toto attestations.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the payload is not valid UTF-8 or cannot be parsed as a Statement.
+    pub fn decode_statement(&self) -> Result<Statement, serde_json::Error> {
+        serde_json::from_slice(&self.0.payload)
+    }
 }
 
 #[cfg(test)]
@@ -278,4 +289,57 @@ mod tests {
         let inner = envelope.into_inner();
         assert_eq!(inner.payload_type, "test");
     }
+
+    #[test]
+    fn test_decode_statement() {
+        let original_statement = StatementBuilder::new()
+            .subject(Subject::new("myapp.tar.gz", "sha256", "deadbeef"))
+            .predicate_type("https://slsa.dev/provenance/v1")
+            .predicate(json!({
+                "buildType": "https://example.com/build",
+                "builder": {"id": "https://example.com/builder"}
+            }))
+            .build()
+            .unwrap();
+
+        let envelope = DsseEnvelope::from_statement(&original_statement).unwrap();
+
+        // Decode the statement back
+        let decoded_statement = envelope.decode_statement().unwrap();
+
+        // Verify it matches the original
+        assert_eq!(
+            decoded_statement.statement_type,
+            original_statement.statement_type
+        );
+        assert_eq!(
+            decoded_statement.predicate_type,
+            original_statement.predicate_type
+        );
+        assert_eq!(decoded_statement.subject.len(), 1);
+        assert_eq!(decoded_statement.subject[0].name, "myapp.tar.gz");
+        assert_eq!(
+            decoded_statement.subject[0].digest.get("sha256"),
+            Some(&"deadbeef".to_string())
+        );
+    }
+
+    #[test]
+    fn test_decode_statement_v0_1() {
+        // Test that we can decode v0.1 statements
+        let v0_1_statement = StatementBuilder::new()
+            .subject(Subject::new("test.tar.gz", "sha256", "abc123"))
+            .predicate_type("https://slsa.dev/provenance/v0.2")
+            .predicate(json!({"buildType": "test"}))
+            .build_v0_1()
+            .unwrap();
+
+        let envelope = DsseEnvelope::from_statement(&v0_1_statement).unwrap();
+        let decoded = envelope.decode_statement().unwrap();
+
+        assert_eq!(
+            decoded.statement_type,
+            crate::bundle::intoto::STATEMENT_TYPE_V0_1
+        );
+    }
 }

src/bundle/intoto.rs

@@ -14,27 +14,32 @@
 
 //! In-toto attestation statement support for creating DSSE bundles.
 //!
-//! This module provides a builder API for creating in-toto Statement v0.1 attestations
+//! This module provides a builder API for creating in-toto Statement attestations
 //! that can be signed and wrapped in DSSE envelopes.
 //!
-//! Note: This implements the v0.1 specification, which is currently used by cosign and Rekor.
-//! See: <https://github.com/in-toto/attestation/blob/main/spec/v0.1.0/statement.md>
+//! Supports both v0.1 and v1 statement formats:
+//! - v0.1: <https://github.com/in-toto/attestation/blob/main/spec/v0.1.0/statement.md>
+//! - v1: <https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md>
 
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 
 /// The in-toto Statement v0.1 type identifier.
-/// Note: v0.1 is the currently used version by cosign and Rekor, not v1.
-pub const STATEMENT_TYPE_V1: &str = "https://in-toto.io/Statement/v0.1";
+/// Used by older Sigstore implementations and some legacy bundles.
+pub const STATEMENT_TYPE_V0_1: &str = "https://in-toto.io/Statement/v0.1";
 
-/// An in-toto Statement v0.1 attestation.
+/// The in-toto Statement v1 type identifier.
+/// Used by current Sigstore implementations including GitHub Actions.
+pub const STATEMENT_TYPE_V1: &str = "https://in-toto.io/Statement/v1";
+
+/// An in-toto Statement attestation.
 ///
 /// This represents a verifiable claim about one or more software artifacts.
-/// Note: This uses the v0.1 specification which is currently used by cosign and Rekor.
+/// Supports both v0.1 and v1 statement formats.
 /// Field order matches the canonical JSON serialization used by cosign.
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
 pub struct Statement {
-    /// The statement type (always "<https://in-toto.io/Statement/v0.1>")
+    /// The statement type (either "https://in-toto.io/Statement/v0.1" or "https://in-toto.io/Statement/v1")
     #[serde(rename = "_type")]
     pub statement_type: String,
 
@@ -145,10 +150,24 @@ impl StatementBuilder {
         self
     }
 
-    /// Builds the statement.
+    /// Builds the statement using the v1 format.
     ///
     /// Returns an error if required fields are missing.
     pub fn build(self) -> Result<Statement, &'static str> {
+        self.build_with_version(STATEMENT_TYPE_V1)
+    }
+
+    /// Builds the statement using the v0.1 format (for backward compatibility).
+    ///
+    /// Returns an error if required fields are missing.
+    pub fn build_v0_1(self) -> Result<Statement, &'static str> {
+        self.build_with_version(STATEMENT_TYPE_V0_1)
+    }
+
+    /// Builds the statement with a specific version.
+    ///
+    /// Returns an error if required fields are missing.
+    fn build_with_version(self, version: &str) -> Result<Statement, &'static str> {
         if self.subjects.is_empty() {
             return Err("Statement must have at least one subject");
         }
@@ -160,7 +179,7 @@ impl StatementBuilder {
         let predicate = self.predicate.ok_or("Statement must have a predicate")?;
 
         Ok(Statement {
-            statement_type: STATEMENT_TYPE_V1.to_string(),
+            statement_type: version.to_string(),
             predicate_type,
             subject: self.subjects,
             predicate,
@@ -256,4 +275,49 @@ mod tests {
         assert_eq!(parsed.statement_type, STATEMENT_TYPE_V1);
         assert_eq!(parsed.subject[0].name, "test.tar.gz");
     }
+
+    #[test]
+    fn test_statement_v0_1_compatibility() {
+        // Test that we can create and parse v0.1 statements
+        let statement = StatementBuilder::new()
+            .subject(Subject::new("test.tar.gz", "sha256", "abc123"))
+            .predicate_type("https://slsa.dev/provenance/v0.2")
+            .predicate(json!({
+                "buildType": "test"
+            }))
+            .build_v0_1()
+            .unwrap();
+
+        assert_eq!(statement.statement_type, STATEMENT_TYPE_V0_1);
+
+        // Test that we can round-trip v0.1 statements
+        let json = serde_json::to_string(&statement).unwrap();
+        let parsed: Statement = serde_json::from_str(&json).unwrap();
+
+        assert_eq!(parsed.statement_type, STATEMENT_TYPE_V0_1);
+        assert_eq!(parsed.subject[0].name, "test.tar.gz");
+    }
+
+    #[test]
+    fn test_statement_accepts_both_versions() {
+        // Test parsing a v0.1 statement
+        let v0_1_json = r#"{
+            "_type": "https://in-toto.io/Statement/v0.1",
+            "subject": [{"name": "test", "digest": {"sha256": "abc123"}}],
+            "predicateType": "https://example.com/test",
+            "predicate": {}
+        }"#;
+        let v0_1: Statement = serde_json::from_str(v0_1_json).unwrap();
+        assert_eq!(v0_1.statement_type, STATEMENT_TYPE_V0_1);
+
+        // Test parsing a v1 statement
+        let v1_json = r#"{
+            "_type": "https://in-toto.io/Statement/v1",
+            "subject": [{"name": "test", "digest": {"sha256": "abc123"}}],
+            "predicateType": "https://example.com/test",
+            "predicate": {}
+        }"#;
+        let v1: Statement = serde_json::from_str(v1_json).unwrap();
+        assert_eq!(v1.statement_type, STATEMENT_TYPE_V1);
+    }
 }

tests/data/dsse/dsse-2sigs.sigstore.json

@@ -0,0 +1,52 @@
+{
+	"mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1",
+	"verificationMaterial": {
+		"tlogEntries": [
+			{
+				"logIndex": "6800908",
+				"logId": {
+					"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="
+				},
+				"kindVersion": {
+					"kind": "intoto",
+					"version": "0.0.2"
+				},
+				"integratedTime": "1668034836",
+				"inclusionPromise": {
+					"signedEntryTimestamp": "MEYCIQCEx8HKsx9hobZjrNqHCSEJvjMEhc2wU2mUwkI7ButQHAIhAPevmw7piNjE2N1OWHmp9S5kBvlVIg93qu4i9yRaswur"
+				},
+				"canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVU51ZWtORFFXbGhaMEYzU1VKQlowbFZRbTV0V2xKMFpHdFBkR1pQTDB4NVp6UXpOVU5TSzFaSmFTdEJkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BKZUUxVVFUVk5hazEzVFVSTk1WZG9ZMDVOYWtsNFRWUkJOVTFxVFhoTlJFMHhWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWbFZVVTJUM2d2TkRFMFN6QmtRbmd6WXpOWEszUlJOMDVVVTJ4SlZsWXlORmxUWWtJS2JEWldlWFZKVmk5cE1UVkxRMnhUYWxWdk1uRlJkVXRUVlRSRmVtMUlaaklyUlUxcUwxbElXVWhsUWtGRWEwUjRhalpQUTBGVlZYZG5aMFpDVFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZVdlZrZERDbFZJVmxnMVlsaG9aWFF5TVdsMFltbzFWM1pvV25GQmQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQwaDNXVVJXVWpCU1FWRklMMEpDVlhkRk5FVlNXVzVLY0ZsWE5VRmFSMVp2V1ZjeGJHTnBOV3BpTWpCM1RFRlpTMHQzV1VKQ1FVZEVkbnBCUWdwQlVWRmxZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRESjRkbG95YkhWTU1qbG9aRmhTYjAxSlIwdENaMjl5UW1kRlJVRmtXalZCWjFGRENrSklkMFZsWjBJMFFVaFpRVE5VTUhkaGMySklSVlJLYWtkU05HTnRWMk16UVhGS1MxaHlhbVZRU3pNdmFEUndlV2RET0hBM2J6UkJRVUZIUlZod0t6RUtXRkZCUVVKQlRVRlNla0pHUVdsRlFXdGtTVFk1TkM4NFFqSnlUMlJwZVZsUWJFVnVZMlpTZDJ0MVltOWtUMW8wYW14dE5HYzFNamcxVEd0RFNVaFNjQXB0UjJnMGNEVlBZeXRXYXl0QlMwaE5aSFF3Vm5SRU1pOHJZMkZJVjNsbE1WWnhSRFJ5UjJORFRVRnZSME5EY1VkVFRUUTVRa0ZOUkVFeVkwRk5SMUZEQ2sxQmVVczRkRkUxYlZCRFEybE1hbWxKYzFaelNWcFFXWFpvZGtSU00wUkdiR2sxUVZGNmFsTkRlbU5GVXk5b05XWkNNMGR3WlVSa1FrOTFPWFIxYTJFS2IzZEpkMDVyYjBWWldraFBkR3RoWTB4bGNrdzFNbVZaVTNCV2FtWlljMEV3WjBKTmNVRnViVXhIZDFoMGVtdFdTM0Z4ZWxWdFlscG9RM1k0YlRnMVlncG1kVWxTQ2kwdExTMHRSVTVFSUVORlVsUkpSa2xEUVZSRkxTMHRMUzBLIiwic2lnIjoiVFVWVlEwbEdZeTlDZVV4b1EydFNNbGwwUVUxaWJVcHdNakF5V20xYU5GaFdSMWhHUzJrM2NpdHhOMnh6VGtSUVFXbEZRUzlLZDFneVVHbHNRMHgyYTNGRk9VNUtUVVpMVG00eVF6SnFPR05JTDNwNVJtaFJOalYzY21reVNGazkifV19LCJoYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiNjZiM2RjZmNhNjU5ZTVkNTA1NjAyYzNjOWFmOGZkMmJmNmE0YWZhY2FjMzNiMTc1ZTFkN2UwZWNhYjEwZjg5MCJ9LCJwYXlsb2FkSGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjhhNzVmNmM4ZGM0ZDlmNDA3Mjg1YmI0OWQzZTAxOWE1ZTY2NmY0MzQ5OWMyNzA3ZDkyODlhYTI3YzNjMmE2N2UifX19fQ=="
+			}
+		],
+		"timestampVerificationData": {
+			"rfc3161Timestamps": []
+		},
+		"x509CertificateChain": {
+			"certificates": [
+				{
+					"rawBytes": "MIICnzCCAiagAwIBAgIUBnmZRtdkOtfO/Lyg435CR+VIi+AwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjIxMTA5MjMwMDM1WhcNMjIxMTA5MjMxMDM1WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeUE6Ox/414K0dBx3c3W+tQ7NTSlIVV24YSbBl6VyuIV/i15KClSjUo2qQuKSU4EzmHf2+EMj/YHYHeBADkDxj6OCAUUwggFBMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQU/VGCUHVX5bXhet21itbj5WvhZqAwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0RAQH/BBUwE4ERYnJpYW5AZGVoYW1lci5jb20wLAYKKwYBBAGDvzABAQQeaHR0cHM6Ly9naXRodWIuY29tL2xvZ2luL29hdXRoMIGKBgorBgEEAdZ5AgQCBHwEegB4AHYA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGEXp+1XQAABAMARzBFAiEAkdI694/8B2rOdiyYPlEncfRwkubodOZ4jlm4g5285LkCIHRpmGh4p5Oc+Vk+AKHMdt0VtD2/+caHWye1VqD4rGcCMAoGCCqGSM49BAMDA2cAMGQCMAyK8tQ5mPCCiLjiIsVsIZPYvhvDR3DFli5AQzjSCzcES/h5fB3GpeDdBOu9tukaowIwNkoEYZHOtkacLerL52eYSpVjfXsA0gBMqAnmLGwXtzkVKqqzUmbZhCv8m85bfuIR"
+				},
+				{
+					"rawBytes": "MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV77LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZIzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJRnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsPmygUY7Ii2zbdCdliiow="
+				},
+				{
+					"rawBytes": "MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxexX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92jYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCMWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ"
+				}
+			]
+		}
+	},
+	"dsseEnvelope": {
+		"payload": "ewogICJfdHlwZSI6ICJodHRwczovL2luLXRvdG8uaW8vU3RhdGVtZW50L3YwLjEiLAogICJzdWJqZWN0IjogWwogICAgewogICAgICAibmFtZSI6ICJzbHNhLXByb3ZlbmFuY2UtMC4wLjcudGd6IiwKICAgICAgImRpZ2VzdCI6IHsKICAgICAgICAic2hhNTEyIjogImJiZmQzNzJmYzliZWViNzc3ZmUzNWQwNWJiMTBjMGM3MGE5NzMzZDM2NmE3NWZlZDdkZDE4ODY2YzczOTFkZTNlZTdlODhiYTc0ZGQ0N2FiZjNlMTVjODQ1ZTU0N2ZjZjBlNWMzZGE4MDg1NGM3NTE1NTQyMjRkM2E2ZDRlNTVmIgogICAgICB9CiAgICB9CiAgXSwKICAicHJlZGljYXRlVHlwZSI6ICJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsCiAgInByZWRpY2F0ZSI6IHsKICAgICJidWlsZFR5cGUiOiAiaHR0cHM6Ly9naXRodWIuY29tL25wbS9zbHNhLXByb3ZlbmFuY2UvZ2hhQHYwIiwKICAgICJidWlsZGVyIjogewogICAgICAiaWQiOiAiaHR0cHM6Ly9naXRodWIuY29tL25wbS9zbHNhLXByb3ZlbmFuY2VAMC4wLjEiCiAgICB9LAogICAgImludm9jYXRpb24iOiB7CiAgICAgICJjb25maWdTb3VyY2UiOiB7CiAgICAgICAgInVyaSI6ICJnaXQraHR0cHM6Ly9naXRodWIuY29tL2dpdGh1Yi9zbHNhLXByb3ZlbmFuY2VAcmVmcy9oZWFkcy9kZW1vIiwKICAgICAgICAiZGlnZXN0IjogewogICAgICAgICAgInNoYTEiOiAiMjljZmYzZGQ2NWY3ODBjMzYwMWJkNDU3YWNiNmZlNGU1OTMxYzgyNSIKICAgICAgICB9LAogICAgICAgICJlbnRyeVBvaW50IjogImRlbW8iCiAgICAgIH0sCiAgICAgICJwYXJhbWV0ZXJzIjoge30sCiAgICAgICJlbnZpcm9ubWVudCI6IHsKICAgICAgICAiR0lUSFVCX0VWRU5UX05BTUUiOiAicHVzaCIsCiAgICAgICAgIkdJVEhVQl9KT0IiOiAicnVuLXByb3ZlbmFuY2UtZGVtbyIsCiAgICAgICAgIkdJVEhVQl9SRUYiOiAicmVmcy9oZWFkcy9kZW1vIiwKICAgICAgICAiR0lUSFVCX1JFRl9UWVBFIjogImJyYW5jaCIsCiAgICAgICAgIkdJVEhVQl9SRVBPU0lUT1JZIjogImdpdGh1Yi9zbHNhLXByb3ZlbmFuY2UiLAogICAgICAgICJHSVRIVUJfUkVQT1NJVE9SWV9PV05FUiI6ICJnaXRodWIiLAogICAgICAgICJHSVRIVUJfUlVOX0FUVEVNUFQiOiAiNCIsCiAgICAgICAgIkdJVEhVQl9SVU5fSUQiOiAiMzAyNDA5MTU0NiIsCiAgICAgICAgIkdJVEhVQl9SVU5fTlVNQkVSIjogIjE3IiwKICAgICAgICAiR0lUSFVCX1NIQSI6ICIyOWNmZjNkZDY1Zjc4MGMzNjAxYmQ0NTdhY2I2ZmU0ZTU5MzFjODI1IiwKICAgICAgICAiR0lUSFVCX1dPUktGTE9XIjogImRlbW8iLAogICAgICAgICJJTUFHRV9PUyI6ICJ1YnVudHUyMCIsCiAgICAgICAgIklNQUdFX1ZFUlNJT04iOiAiMjAyMjA5MDUuMSIsCiAgICAgICAgIlJVTk5FUl9BUkNIIjogIlg2NCIsCiAgICAgICAgIlJVTk5FUl9OQU1FIjogIkdpdEh1YiBBY3Rpb25zIDUwIiwKICAgICAgICAiUlVOTkVSX09TIjogIkxpbnV4IgogICAgICB9CiAgICB9LAogICAgIm1ldGFkYXRhIjogewogICAgICAiYnVpbGRJbnZvY2F0aW9uSWQiOiAiMzAyNDA5MTU0Ni00IiwKICAgICAgImNvbXBsZXRlbmVzcyI6IHsKICAgICAgICAicGFyYW1ldGVycyI6IGZhbHNlLAogICAgICAgICJlbnZpcm9ubWVudCI6IGZhbHNlLAogICAgICAgICJtYXRlcmlhbHMiOiBmYWxzZQogICAgICB9LAogICAgICAicmVwcm9kdWNpYmxlIjogZmFsc2UKICAgIH0sCiAgICAibWF0ZXJpYWxzIjogWwogICAgICB7CiAgICAgICAgInVyaSI6ICJnaXQraHR0cHM6Ly9naXRodWIuY29tL2dpdGh1Yi9zbHNhLXByb3ZlbmFuY2UiLAogICAgICAgICJkaWdlc3QiOiB7CiAgICAgICAgICAic2hhMSI6ICIyOWNmZjNkZDY1Zjc4MGMzNjAxYmQ0NTdhY2I2ZmU0ZTU5MzFjODI1IgogICAgICAgIH0KICAgICAgfQogICAgXQogIH0KfQo=",
+		"payloadType": "application/vnd.in-toto+json",
+		"signatures": [
+			{
+				"sig": "MEUCIFc/ByLhCkR2YtAMbmJp202ZmZ4XVGXFKi7r+q7lsNDPAiEA/JwX2PilCLvkqE9NJMFKNn2C2j8cH/zyFhQ65wri2HY=",
+				"keyid": ""
+			},
+			{
+				"sig": "MEUCIFc/ByLhCkR2YtAMbmJp202ZmZ4XVGXFKi7r+q7lsNDPAiEA/JwX2PilCLvkqE9NJMFKNn2C2j8cH/zyFhAAAAAAAHY=",
+				"keyid": ""
+			}
+		]
+	}
+}