From bdeea0034efc4e196e78b95504a6454f121b1e37 Mon Sep 17 00:00:00 2001
From: Hayden Blauzvern
Date: Thu, 29 Feb 2024 22:58:45 +0000
Subject: [PATCH] fix: Switch to newer DSSE rekor type

The intoto v001 type does not persist signatures of the DSSE envelope, as noted in https://github.com/sigstore/rekor/pull/973. We introduced an intoto v002 type shortly after to fix this, but since then, we've introduced another newer type, DSSE v001, which also does not persist the attestation in Rekor (as we discourage using Rekor as storage). I also updated the verifier in https://github.com/slsa-framework/slsa-verifier/pull/742 to search for both Rekor entry types.

Signed-off-by: Hayden Blauzvern
---
 signing/sigstore/rekor.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/signing/sigstore/rekor.go b/signing/sigstore/rekor.go
index fed2f8e4a7..0dd2bc2c69 100644
--- a/signing/sigstore/rekor.go
+++ b/signing/sigstore/rekor.go
@@ -80,7 +80,7 @@ func (r *Rekor) Upload(ctx context.Context, att signing.Attestation) (signing.Lo
 return nil, fmt.Errorf("creating rekor client: %w", err)
 }
 // TODO: Is it a bug that we need []byte(string(k.Cert)) or else we hit invalid PEM?
- logEntry, err := cosign.TLogUploadInTotoAttestation(ctx, rekorClient, att.Bytes(), []byte(string(att.Cert())))
+ logEntry, err := cosign.TLogUploadDSSEEnvelope(ctx, rekorClient, att.Bytes(), []byte(string(att.Cert())))
 if err != nil {
 return nil, fmt.Errorf("uploading attestation: %w", err)
 }
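Review bot: The comment kept directly above the changed call is now doubly stale: it references `k.Cert` while the code passes `att.Cert()`, and it says nothing about the switch to the DSSE entry type, which per the commit message does not persist the attestation payload in Rekor. That changes what a consumer can recover from the log alone, so the call site should state it, e.g. `// Rekor's DSSE entry type records the envelope signatures but not the payload, so callers must retain att.Bytes() for later verification.`, and the TODO should read `[]byte(string(att.Cert()))` rather than `k.Cert`. Upload's body starts before and continues after the hunk.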