Polish the MVC end-to-end Attestation workflow

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Close this issue

We are very close to working end-to-end MVC Attestation workflow 🎉 🎉

I my testing today I was able to:

1. Build a ruby gem in CI and upload it as a job artifact.
2. Generate the provenance and an attestation for the artifact.
3. Look up the attestation record by the digest of the artifact.
4. I was not able to download the attestations for verification from the API.
5. I was able to download attestation via the download route, but I had to look up the iid in the DB.
6. Verify the attestation using cosign.

I think the main thing missing at this point is a way to get to the attestation bundle from the API. To solve for this, a couple of options come to mind:

1. We could add the download path as an attribute in the API response.
2. We could include the full attestation bundle in the API response. Similar to other platforms.
3. We should also add the iid to the API response for completeness, but I don't think this should be our only reference to the attestation bundle file.

@sroque-worcel @ahuntsman What do you think about these options? Are there other ways we could solve for this?

/cc @ken.mcdonald

Notes

• I create https://gitlab.com/darbyfrey/slsa-workflow-demo to test the workflow
• In the https://gitlab.com/darbyfrey/slsa-workflow-demo/-/blob/main/.gitlab-ci.yml I added GENERATE_PROVENANCE and the SIGSTORE_ID_TOKEN to enable the backend workflow.
• Downloaded the demodemo.gem artifact from https://gitlab.com/darbyfrey/slsa-workflow-demo/-/jobs/11757606649/artifacts/file/demodemo.gem
• Got the digest by running shasum -a 256 demodemo.gem
• Found the attestation record at https://gitlab.com/api/v4/projects/75403203/attestations/d79093f842c3cf015c4767dd0013877211971df5662d951de19f3422f0db3008
  • Note: I had to look up the project id (75403203) and it didn't work for me to use the project path (darbyfrey%2Fslsa-workflow-demo)
• I could download the attestation from https://gitlab.com/darbyfrey/slsa-workflow-demo/-/attestations/1/download
• I was able to verify the attestation against the artifact using the following cosign command:

  ❯ cosign verify-blob demodemo.gem --bundle attestation-20251017-44-3tfny.bundle --certificate-identity="https://gitlab.com/darbyfrey/slsa-workflow-demo//.gitlab-ci.yml@refs/heads/main" --certificate-oidc-issuer="https://gitlab.com"
  
  setting TUF refresh period to 24h0m0s
  Verified OK