
Attestations

An attestation is a cryptographically signed collection of claims related to one or more software artifacts or events. Attestations can be cryptographically verified by any party with access to the public key that corresponds to the private key used to sign the attestation.

Cryptographic signatures applied directly to artifacts are the simplest form of attestation. The signature is an implicit claim (typically that the signer produced or approved the artifact), and its weight rests entirely on how much the verifying party trusts the signer. Attestations build on this simple form by carrying richer, explicit metadata about what is being claimed, about which artifact, and under what circumstances.

An example of an attestation in the secure software supply chain ecosystem is attesting that a software release was built on a build runner backed by a VM in a specific Azure Subscription at a specific date and time.

Characteristics

Cryptographic Signature

Public-key cryptography is what guarantees the integrity of the attestation and makes tampering detectable. A securely held private key signs the attestation in a trusted environment; the corresponding public key from the key pair is distributed to lower-trust environments, where it is used to verify the signature. Note that a valid signature only establishes who signed: the verifier must also check that the signed claims refer to the artifact actually in hand (for example by comparing its digest against the one recorded in the attestation) and that the signer is one it trusts to make that kind of claim.

Claim

The attestation carries a collection of claims, each of which references an artifact or event and provides additional metadata about that claim.

An example in the secure software supply chain is an attestation that references vulnerability scan results and includes metadata about the scanning tool and the scanning event.
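The signature and claim characteristics above, as an added worked example in Go (this is not code from the original page or from any particular attestation project): a statement modelled loosely on the in-toto layout binds a vulnerability-scan predicate to an artifact by SHA-256 digest, is signed with Ed25519 from the Go standard library in the trusted environment, and is verified on the lower-trust side before its claims are used. The artifact bytes, the predicate type URL and the scanner metadata are constructed stand-ins, and the field names are an illustrative assumption rather than the in-toto specification verbatim.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is the attestation body: claims about one or more subjects
// (artifacts identified by digest) plus a typed predicate carrying metadata.
// Field names are an illustrative assumption modelled on in-toto, not the spec.
type Statement struct {
	Type          string            `json:"_type"`
	Subject       []Subject         `json:"subject"`
	PredicateType string            `json:"predicateType"`
	Predicate     map[string]string `json:"predicate"`
}

// Subject binds the claims to an artifact by content hash, not by name alone,
// so a renamed or rebuilt artifact does not inherit them.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Envelope carries the exact bytes that were signed plus the detached signature.
// Verifiers check the signature over these bytes as carried, never over a
// re-serialization of the parsed statement.
type Envelope struct {
	Payload   string `json:"payload"`   // base64 of the JSON-encoded Statement
	Signature string `json:"signature"` // base64 Ed25519 signature over Payload bytes
}

// GenerateKeyPair stands in for the securely held signing key; in production
// the private key would live in an HSM/KMS or a short-lived keyless flow.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewStatement builds a statement whose single subject is the SHA-256 digest
// of artifact, with predicate describing what is being claimed about it.
func NewStatement(name string, artifact []byte, predicateType string, predicate map[string]string) Statement {
	sum := sha256.Sum256(artifact)
	return Statement{
		Type:          "https://in-toto.io/Statement/v1",
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		PredicateType: predicateType,
		Predicate:     predicate,
	}
}

// Sign serializes the statement and signs the bytes (trusted environment).
func Sign(stmt Statement, priv ed25519.PrivateKey) (Envelope, error) {
	payload, err := json.Marshal(stmt)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, payload)
	return Envelope{
		Payload:   base64.StdEncoding.EncodeToString(payload),
		Signature: base64.StdEncoding.EncodeToString(sig),
	}, nil
}

// Verify checks the signature with the public key before parsing anything
// (lower-trust environment). Any changed byte in the payload fails here.
func Verify(env Envelope, pub ed25519.PublicKey) (Statement, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return Statement{}, fmt.Errorf("decode payload: %w", err)
	}
	sig, err := base64.StdEncoding.DecodeString(env.Signature)
	if err != nil {
		return Statement{}, fmt.Errorf("decode signature: %w", err)
	}
	if !ed25519.Verify(pub, payload, sig) {
		return Statement{}, errors.New("attestation signature does not verify")
	}
	var stmt Statement
	if err := json.Unmarshal(payload, &stmt); err != nil {
		return Statement{}, fmt.Errorf("parse statement: %w", err)
	}
	return stmt, nil
}

// SubjectMatches reports whether the artifact in hand is one the verified
// statement actually makes claims about. A valid signature only proves the
// signer said something; this binds the claims to the bytes you will use.
func SubjectMatches(stmt Statement, artifact []byte) bool {
	sum := sha256.Sum256(artifact)
	want := hex.EncodeToString(sum[:])
	for _, s := range stmt.Subject {
		if s.Digest["sha256"] == want {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, _ := GenerateKeyPair()
	artifact := []byte("constructed stand-in for a release tarball") // constructed sample input
	stmt := NewStatement("app-1.2.3.tar.gz", artifact, "https://example.com/vuln-scan/v1", // hypothetical predicate type
		map[string]string{"scanner": "example-scanner 4.2", "scannedAt": "2024-05-01T10:00:00Z", "criticalFindings": "0"})
	env, _ := Sign(stmt, priv)
	got, err := Verify(env, pub)
	fmt.Println("verified:", err == nil, "subject matches:", err == nil && SubjectMatches(got, artifact))
	raw, _ := base64.StdEncoding.DecodeString(env.Payload)
	raw[len(raw)-2] ^= 0x01 // flip one bit of the carried claims
	env.Payload = base64.StdEncoding.EncodeToString(raw)
	_, err = Verify(env, pub)
	fmt.Println("after tampering:", err)
}
```

Two design points carry over to real deployments: the signature is verified over the carried payload bytes rather than a re-encoded statement, so no canonicalization is needed on the verifying side, and the digest check in SubjectMatches is what turns "someone signed a scan result" into "this scan result is about the bytes I am deploying". Production tooling such as in-toto and Sigstore wraps the statement in a DSSE envelope and adds a policy for which signers are trusted for which predicate types; the structure of the check is the same.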

Examples

Learn More