Add BCR provenance verifier to slsa-verifier

The builderid's accepted by verify-bcr-module are listed below

release-workflow: https://github.com/bazel-contrib/.github/.github/workflows/release_ruleset.yaml
publish-workflow: https://github.com/bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml

Signed-off-by: Appu Goundan <[email protected]>

Author: loosebazooka

cli/slsa-verifier/main.go

@@ -35,6 +35,7 @@ For more information on SLSA, visit https://slsa.dev`,
 	}
 	c.AddCommand(version.Version())
 	c.AddCommand(verifyArtifactCmd())
+	c.AddCommand(verifyBcrModuleCmd())
 	c.AddCommand(verifyImageCmd())
 	c.AddCommand(verifyNpmPackageCmd())
 	c.AddCommand(verifyVSACmd())

cli/slsa-verifier/main_regression_test.go

@@ -1510,6 +1510,73 @@ func Test_runVerifyGHAContainerBased(t *testing.T) {
 	}
 }
 
+func Test_runVerifyBcrModule(t *testing.T) {
+	t.Parallel()
+	os.Setenv("SLSA_VERIFIER_EXPERIMENTAL", "1")
+
+	bcrReleaserBuilderID := "https://github.com/bazel-contrib/.github/.github/workflows/release_ruleset.yaml"
+	bcrPublisherBuilderID := "https://github.com/bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml"
+
+	tests := []struct {
+		name      string
+		artifact  string
+		source    string
+		builderID string
+		err       error
+	}{
+		{
+			name:      "module.bazel using publishing builder",
+			artifact:  "MODULE.bazel",
+			source:    "github.com/aspect-build/rules_lint",
+			builderID: bcrPublisherBuilderID,
+		},
+		{
+			name:      "source archive using release builder",
+			artifact:  "rules_lint-v1.3.1.tar.gz",
+			source:    "github.com/aspect-build/rules_lint",
+			builderID: bcrReleaserBuilderID,
+		},
+		{
+			name:     "module.bazel no builder id",
+			artifact: "MODULE.bazel",
+			source:   "github.com/aspect-build/rules_lint",
+			err:      serrors.ErrorUntrustedReusableWorkflow,
+		},
+		{
+			name:     "source archive no builder id",
+			artifact: "rules_lint-v1.3.1.tar.gz",
+			source:   "github.com/aspect-build/rules_lint",
+			err:      serrors.ErrorUntrustedReusableWorkflow,
+		},
+		{
+			name:      "invalid bcr (but otherwise valid) artifact",
+			artifacts: []string{"binary-linux-amd64-workflow_dispatch"},
+			source:    "github.com/slsa-framework/example-package",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			artifactPath := filepath.Clean(filepath.Join(TEST_DIR, "bcr", tt.artifact))
+			// TODO: this only handles the single attestation case in tests, so *.intoto.jsonl is essentially *.json
+			provenancePath := fmt.Sprintf("%s.intoto.jsonl", artifactPath)
+			cmd := verify.VerifyBcrModuleCommand{
+				ProvenancePath: provenancePath,
+				BuilderID:      &tt.builderID,
+				SourceURI:      tt.source,
+			}
+
+			_, err := cmd.Exec(context.Background(), artifactPath)
+			if diff := cmp.Diff(tt.err, err, cmpopts.EquateErrors()); diff != "" {
+				t.Fatalf("unexpected error (-want +got): \n%s", diff)
+			}
+		})
+	}
+
+}
+
 func Test_runVerifyNpmPackage(t *testing.T) {
 	// We cannot use t.Setenv due to parallelized tests.
 	os.Setenv("SLSA_VERIFIER_EXPERIMENTAL", "1")

cli/slsa-verifier/testdata/bcr/MODULE.bazel

@@ -0,0 +1,34 @@
+"Bazel dependencies"
+
+module(
+    name = "aspect_rules_lint",
+    version = "1.3.1",
+    compatibility_level = 1,
+)
+
+bazel_dep(name = "aspect_bazel_lib", version = "2.7.7")
+
+# Needed in the root because we use js_lib_helpers in our aspect impl
+# Minimum version needs 'chore: bump bazel-lib to 2.0 by @alexeagle in #1311'
+# to allow users on bazel-lib 2.0
+bazel_dep(name = "aspect_rules_js", version = "1.40.0")
+bazel_dep(name = "bazel_features", version = "1.0.0")
+bazel_dep(name = "bazel_skylib", version = "1.4.2")
+bazel_dep(name = "platforms", version = "0.0.7")
+bazel_dep(name = "rules_multirun", version = "0.9.0")
+bazel_dep(name = "rules_multitool", version = "0.4.0")
+bazel_dep(name = "rules_diff", version = "1.0.0")
+
+# Needed in the root because we dereference ProtoInfo in our aspect impl
+bazel_dep(name = "rules_proto", version = "6.0.0")
+
+# Needed in the root because we dereference the toolchain in our aspect impl
+bazel_dep(name = "rules_buf", version = "0.1.1")
+bazel_dep(name = "toolchains_protoc", version = "0.2.1")
+
+multitool = use_extension("@rules_multitool//multitool:extension.bzl", "multitool")
+multitool.hub(lockfile = "//format:multitool.lock.json")
+multitool.hub(lockfile = "//lint:multitool.lock.json")
+use_repo(multitool, "multitool")
+
+bazel_dep(name = "stardoc", version = "0.7.0", dev_dependency = True, repo_name = "io_bazel_stardoc")

cli/slsa-verifier/testdata/bcr/MODULE.bazel.intoto.jsonl

@@ -0,0 +1 @@
+{"mediaType":"application/vnd.dev.sigstore.bundle.v0.3+json","verificationMaterial":{"certificate":{"rawBytes":"MIIHFDCCBpmgAwIBAgIUUyStCF66Kb/Nhw8I17dmlcT6IP0wCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUwMzI2MjM0NzMwWhcNMjUwMzI2MjM1NzMwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2Eq93lDFDyO6q8eTZt1kHFGd5T9omt3Z5aaULOnLtphtWquurdZkRq2fPi1uUHQFKxmCHMjyK6Ww/SY6GtF7wqOCBbgwggW0MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUcDPLStIg8mvcrvstl5UVBQ/LZ2MwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wbQYDVR0RAQH/BGMwYYZfaHR0cHM6Ly9naXRodWIuY29tL2JhemVsLWNvbnRyaWIvcHVibGlzaC10by1iY3IvLmdpdGh1Yi93b3JrZmxvd3MvcHVibGlzaC55YW1sQHJlZnMvdGFncy92MC4wLjEwOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTAfBgorBgEEAYO/MAECBBF3b3JrZmxvd19kaXNwYXRjaDA2BgorBgEEAYO/MAEDBCg4ZjcwMDA5ZmRlMGM5NGFkZTZjZTJhMDU0Yjk0NzE4YzgxOTEyNmVjMBUGCisGAQQBg78wAQQEB1JlbGVhc2UwJQYKKwYBBAGDvzABBQQXYXNwZWN0LWJ1aWxkL3J1bGVzX2xpbnQwJwYKKwYBBAGDvzABBgQZcmVmcy9oZWFkcy9wdWJsaXNoLXRvLWJjcjA7BgorBgEEAYO/MAEIBC0MK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wbwYKKwYBBAGDvzABCQRhDF9odHRwczovL2dpdGh1Yi5jb20vYmF6ZWwtY29udHJpYi9wdWJsaXNoLXRvLWJjci8uZ2l0aHViL3dvcmtmbG93cy9wdWJsaXNoLnlhbWxAcmVmcy90YWdzL3YwLjAuMTA4BgorBgEEAYO/MAEKBCoMKDY1ZDRmMGMwMDM1N2Q1MGJhMTkxNjU5OTNmNjczZTU2YTdkZGI1MDAwHQYKKwYBBAGDvzABCwQPDA1naXRodWItaG9zdGVkMDoGCisGAQQBg78wAQwELAwqaHR0cHM6Ly9naXRodWIuY29tL2FzcGVjdC1idWlsZC9ydWxlc19saW50MDgGCisGAQQBg78wAQ0EKgwoOGY3MDAwOWZkZTBjOTRhZGU2Y2UyYTA1NGI5NDcxOGM4MTkxMjZlYzApBgorBgEEAYO/MAEOBBsMGXJlZnMvaGVhZHMvcHVibGlzaC10by1iY3IwGQYKKwYBBAGDvzABDwQLDAk2MzE3MTA3NDEwLwYKKwYBBAGDvzABEAQhDB9odHRwczovL2dpdGh1Yi5jb20vYXNwZWN0LWJ1aWxkMBgGCisGAQQBg78wAREECgwINjA5NTEwOTAwcgYKKwYBBAGDvzABEgRkDGJodHRwczovL2dpdGh1Yi5jb20vYXNwZWN0LWJ1aWxkL3J1bGVzX2xpbnQvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWxAcmVmcy9oZWFkcy9wdWJsaXNoLXRvLWJjcjA4BgorBgEEAYO/MAETBCoMKDhmNzAwMDlmZGUwYzk0YWRlNmNlMmEwNTRiOTQ3MThjODE5MTI2ZWMwIQYKKwYBBAGDvzABFAQTDBF3b3JrZmxvd19kaXNwYXRjaDBeBgorBgEEAYO/MAEVBFAMTmh0dHBzOi8vZ2l0aHViLmNvbS9hc3BlY3QtYnVpbGQvcnVsZXNfbGludC9hY3Rpb25zL3J1bnMvMTQwOTU2MTE2NzEvYXR0ZW1wdHMvMTAWBgorBgEEAYO/MAEWBAgMBnB1YmxpYzCBiwYKKwYBBAHWeQIEAgR9BHsAeQB3AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABldTamM0AAAQDAEgwRgIhAMmkLwqrv1HphKDtrBM63xlx2S0g3T06H5HsZL5FjQG/AiEAx2yrzG+UPArEI/EO7Ay/UIBfn56nl07W+kmAseg6LMQwCgYIKoZIzj0EAwMDaQAwZgIxAKDTR7L3Quwz5K1HmHXAxGklGfyZaLdfUaI5rHHFhbrZZHLCzpVjeC6KaRIeHTR4NQIxAJk/uHpowWdl+Ei0Jro0uxLR1rf72FDIIHk0A9lu7kPfJPsBmoTdANce4mfjnGcmBw=="},"tlogEntries":[{"logIndex":"188622862","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"dsse","version":"0.0.1"},"integratedTime":"1743032850","inclusionPromise":{"signedEntryTimestamp":"MEQCIG5pvjFLYtSSc7neN3TfCECH4RgUjkf+sem2ajuq/reTAiB0wDkHcCzoDZNODhDy6+k0EH+zWbzHp2vB3G5nXeyKeA=="},"inclusionProof":{"logIndex":"66718600","rootHash":"b9PqWdvjFibQVr/AxhtI5QtxZRDsyawcQjhN/t/l2hs=","treeSize":"66718601","hashes":["wGcjsxsAYESzo5vOIU14CxMiL2cd91r+eoio53oMdpY=","cDsa//3Z5Wg7ibMvYYijBUjIb4kh2JuSvClyo7d4B9I=","GC1o5iB11hmp92GKdheSzoEaN5v6OQH/FBtHaz7keJo=","8cWOY+AsGmriN81KEKn608YYn75tA7kV9nPVR8/L2x8=","8ldzbxC5XC9gm6NslFNrfQXinaJviZsY3+LUe76wgpA=","IzBPQpDU8rvSddymezdsTQ6HQ8NuqI3PL6Qb0yYTabo=","Dksb3YgOStjD2JYasnlv7dEGlOA33vmJbUvIzfIIuSg=","zB6iyXMAZ2zNKTJ99paBqa8yfr1/iH252gfSMgX7IGU=","tx5iiWjECLK/XOMe3O6Ypt23w/tgsiFBKH7BgAbqQ64=","V5yK+DEZNmo/DOSKeBtbSMqCabXFwYk8wUVOY2xbE5M=","Ti0aqM4Q394q4eJd4fPIPwQx83W504b3jxFdwVdDaUw=","ebCKJ53lKWPqIx8mXXgznF9DGoQv70J7JTlFAav6s5E=","vemyaMj0Na1LMjbB/9Dmkq8T+jAb3o+yCESgAayUABU="],"checkpoint":{"envelope":"rekor.sigstore.dev - 1193050959916656506\n66718601\nb9PqWdvjFibQVr/AxhtI5QtxZRDsyawcQjhN/t/l2hs=\n\n— rekor.sigstore.dev wNI9ajBFAiBNeIdAePmRlp/udSPIsRCTumTg0cVKcMdB0YolSTtI8QIhAPXuuQ/pVPGOvjnRe7yV52fABpZJVww4E/x6ZXHTuQ91\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiZHNzZSIsInNwZWMiOnsiZW52ZWxvcGVIYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiNWM3NTkyMWEyNzE2M2FmZmEzYzYyYzYzZDEwNWJmOWM3OGZjMTBlNWFmMWZhNGI5OTE0MjA3MTM4ZGQ3MWY0ZiJ9LCJwYXlsb2FkSGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjlmNzI4NzkxNzdkNDUxYzg3ZDYzOTM5MTI2Y2IyMjA4MDM3OTE0NDk5NmY3NzU2NmM4OTk1NDZjM2Q5MTU1ZGEifSwic2lnbmF0dXJlcyI6W3sic2lnbmF0dXJlIjoiTUVVQ0lIYVMvRHM4YWhVcU1mWVFTbUgxZ3Bad3d2NTRUQi9IV2p1UGNsTUt3TWxwQWlFQWpHcUQxOW1ZaW9kWUllTUVpaDI4bHY2ZUpNdHUxaXdUY0Zldmg2UWMzeUk9IiwidmVyaWZpZXIiOiJMUzB0TFMxQ1JVZEpUaUJEUlZKVVNVWkpRMEZVUlMwdExTMHRDazFKU1VoR1JFTkRRbkJ0WjBGM1NVSkJaMGxWVlhsVGRFTkdOalpMWWk5T2FIYzRTVEUzWkcxc1kxUTJTVkF3ZDBObldVbExiMXBKZW1vd1JVRjNUWGNLVG5wRlZrMUNUVWRCTVZWRlEyaE5UV015Ykc1ak0xSjJZMjFWZFZwSFZqSk5ValIzU0VGWlJGWlJVVVJGZUZaNllWZGtlbVJIT1hsYVV6RndZbTVTYkFwamJURnNXa2RzYUdSSFZYZElhR05PVFdwVmQwMTZTVEpOYWswd1RucE5kMWRvWTA1TmFsVjNUWHBKTWsxcVRURk9lazEzVjJwQlFVMUdhM2RGZDFsSUNrdHZXa2w2YWpCRFFWRlpTVXR2V2tsNmFqQkVRVkZqUkZGblFVVXlSWEU1TTJ4RVJrUjVUelp4T0dWVVduUXhhMGhHUjJRMVZEbHZiWFF6V2pWaFlWVUtURTl1VEhSd2FIUlhjWFYxY21SYWExSnhNbVpRYVRGMVZVaFJSa3Q0YlVOSVRXcDVTelpYZHk5VFdUWkhkRVkzZDNGUFEwSmlaM2RuWjFjd1RVRTBSd3BCTVZWa1JIZEZRaTkzVVVWQmQwbElaMFJCVkVKblRsWklVMVZGUkVSQlMwSm5aM0pDWjBWR1FsRmpSRUY2UVdSQ1owNVdTRkUwUlVablVWVmpSRkJNQ2xOMFNXYzRiWFpqY25aemRHdzFWVlpDVVM5TVdqSk5kMGgzV1VSV1VqQnFRa0puZDBadlFWVXpPVkJ3ZWpGWmEwVmFZalZ4VG1wd1MwWlhhWGhwTkZrS1drUTRkMkpSV1VSV1VqQlNRVkZJTDBKSFRYZFpXVnBtWVVoU01HTklUVFpNZVRsdVlWaFNiMlJYU1hWWk1qbDBUREpLYUdWdFZuTk1WMDUyWW01U2VRcGhWMGwyWTBoV2FXSkhiSHBoUXpFd1lua3hhVmt6U1haTWJXUndaRWRvTVZscE9UTmlNMHB5V20xNGRtUXpUWFpqU0ZacFlrZHNlbUZETlRWWlZ6RnpDbEZJU214YWJrMTJaRWRHYm1ONU9USk5RelIzVEdwRmQwOVJXVXRMZDFsQ1FrRkhSSFo2UVVKQlVWRnlZVWhTTUdOSVRUWk1lVGt3WWpKMGJHSnBOV2dLV1ROU2NHSXlOWHBNYldSd1pFZG9NVmx1Vm5wYVdFcHFZakkxTUZwWE5UQk1iVTUyWWxSQlprSm5iM0pDWjBWRlFWbFBMMDFCUlVOQ1FrWXpZak5LY2dwYWJYaDJaREU1YTJGWVRuZFpXRkpxWVVSQk1rSm5iM0pDWjBWRlFWbFBMMDFCUlVSQ1EyYzBXbXBqZDAxRVFUVmFiVkpzVFVkTk5VNUhSbXRhVkZwcUNscFVTbWhOUkZVd1dXcHJNRTU2UlRSWmVtZDRUMVJGZVU1dFZtcE5RbFZIUTJselIwRlJVVUpuTnpoM1FWRlJSVUl4U214aVIxWm9ZekpWZDBwUldVc0tTM2RaUWtKQlIwUjJla0ZDUWxGUldGbFlUbmRhVjA0d1RGZEtNV0ZYZUd0TU0wb3hZa2RXZWxneWVIQmlibEYzU25kWlMwdDNXVUpDUVVkRWRucEJRZ3BDWjFGYVkyMVdiV041T1c5YVYwWnJZM2s1ZDJSWFNuTmhXRTV2VEZoU2RreFhTbXBqYWtFM1FtZHZja0puUlVWQldVOHZUVUZGU1VKRE1FMUxNbWd3Q21SSVFucFBhVGgyWkVjNWNscFhOSFZaVjA0d1lWYzVkV041Tlc1aFdGSnZaRmRLTVdNeVZubFpNamwxWkVkV2RXUkROV3BpTWpCM1luZFpTMHQzV1VJS1FrRkhSSFo2UVVKRFVWSm9SRVk1YjJSSVVuZGplbTkyVERKa2NHUkhhREZaYVRWcVlqSXdkbGx0UmpaYVYzZDBXVEk1ZFdSSVNuQlphVGwzWkZkS2N3cGhXRTV2VEZoU2RreFhTbXBqYVRoMVdqSnNNR0ZJVm1sTU0yUjJZMjEwYldKSE9UTmplVGwzWkZkS2MyRllUbTlNYm14b1lsZDRRV050Vm0xamVUa3dDbGxYWkhwTU0xbDNUR3BCZFUxVVFUUkNaMjl5UW1kRlJVRlpUeTlOUVVWTFFrTnZUVXRFV1RGYVJGSnRUVWROZDAxRVRURk9NbEV4VFVkS2FFMVVhM2dLVG1wVk5VOVVUbTFPYW1ONldsUlZNbGxVWkd0YVIwa3hUVVJCZDBoUldVdExkMWxDUWtGSFJIWjZRVUpEZDFGUVJFRXhibUZZVW05a1YwbDBZVWM1ZWdwa1IxWnJUVVJ2UjBOcGMwZEJVVkZDWnpjNGQwRlJkMFZNUVhkeFlVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVERKR2VtTkhWbXBrUXpGcENtUlhiSE5hUXpsNVpGZDRiR014T1hOaFZ6VXdUVVJuUjBOcGMwZEJVVkZDWnpjNGQwRlJNRVZMWjNkdlQwZFpNMDFFUVhkUFYxcHJXbFJDYWs5VVVtZ0tXa2RWTWxreVZYbFpWRUV4VGtkSk5VNUVZM2hQUjAwMFRWUnJlRTFxV214WmVrRndRbWR2Y2tKblJVVkJXVTh2VFVGRlQwSkNjMDFIV0Vwc1dtNU5kZ3BoUjFab1draE5kbU5JVm1saVIyeDZZVU14TUdKNU1XbFpNMGwzUjFGWlMwdDNXVUpDUVVkRWRucEJRa1IzVVV4RVFXc3lUWHBGTTAxVVFUTk9SRVYzQ2t4M1dVdExkMWxDUWtGSFJIWjZRVUpGUVZGb1JFSTViMlJJVW5kamVtOTJUREprY0dSSGFERlphVFZxWWpJd2RsbFlUbmRhVjA0d1RGZEtNV0ZYZUdzS1RVSm5SME5wYzBkQlVWRkNaemM0ZDBGU1JVVkRaM2RKVG1wQk5VNVVSWGRQVkVGM1kyZFpTMHQzV1VKQ1FVZEVkbnBCUWtWblVtdEVSMHB2WkVoU2R3cGplbTkyVERKa2NHUkhhREZaYVRWcVlqSXdkbGxZVG5kYVYwNHdURmRLTVdGWGVHdE1NMG94WWtkV2VsZ3llSEJpYmxGMlRHMWtjR1JIYURGWmFUa3pDbUl6U25KYWJYaDJaRE5OZG1OdFZuTmFWMFo2V2xNMU5XSlhlRUZqYlZadFkzazViMXBYUm10amVUbDNaRmRLYzJGWVRtOU1XRkoyVEZkS2FtTnFRVFFLUW1kdmNrSm5SVVZCV1U4dlRVRkZWRUpEYjAxTFJHaHRUbnBCZDAxRWJHMWFSMVYzV1hwck1GbFhVbXhPYlU1c1RXMUZkMDVVVW1sUFZGRXpUVlJvYWdwUFJFVTFUVlJKTWxwWFRYZEpVVmxMUzNkWlFrSkJSMFIyZWtGQ1JrRlJWRVJDUmpOaU0wcHlXbTE0ZG1ReE9XdGhXRTUzV1ZoU2FtRkVRbVZDWjI5eUNrSm5SVVZCV1U4dlRVRkZWa0pHUVUxVWJXZ3daRWhDZWs5cE9IWmFNbXd3WVVoV2FVeHRUblppVXpsb1l6TkNiRmt6VVhSWmJsWndZa2RSZG1OdVZuTUtXbGhPWm1KSGJIVmtRemxvV1ROU2NHSXlOWHBNTTBveFltNU5kazFVVVhkUFZGVXlUVlJGTWs1NlJYWlpXRkl3V2xjeGQyUklUWFpOVkVGWFFtZHZjZ3BDWjBWRlFWbFBMMDFCUlZkQ1FXZE5RbTVDTVZsdGVIQlpla05DYVhkWlMwdDNXVUpDUVVoWFpWRkpSVUZuVWpsQ1NITkJaVkZDTTBGT01EbE5SM0pIQ25oNFJYbFplR3RsU0Vwc2JrNTNTMmxUYkRZME0ycDVkQzgwWlV0amIwRjJTMlUyVDBGQlFVSnNaRlJoYlUwd1FVRkJVVVJCUldkM1VtZEphRUZOYldzS1RIZHhjbll4U0hCb1MwUjBja0pOTmpONGJIZ3lVekJuTTFRd05rZzFTSE5hVERWR2FsRkhMMEZwUlVGNE1ubHlla2NyVlZCQmNrVkpMMFZQTjBGNUx3cFZTVUptYmpVMmJtd3dOMWNyYTIxQmMyVm5Oa3hOVVhkRFoxbEpTMjlhU1hwcU1FVkJkMDFFWVZGQmQxcG5TWGhCUzBSVVVqZE1NMUYxZDNvMVN6RklDbTFJV0VGNFIydHNSMlo1V21GTVpHWlZZVWsxY2toSVJtaGljbHBhU0V4RGVuQldhbVZETmt0aFVrbGxTRlJTTkU1UlNYaEJTbXN2ZFVod2IzZFhaR3dLSzBWcE1FcHliekIxZUV4U01YSm1OekpHUkVsSlNHc3dRVGxzZFRkclVHWktVSE5DYlc5VVpFRk9ZMlUwYldacWJrZGpiVUozUFQwS0xTMHRMUzFGVGtRZ1EwVlNWRWxHU1VOQlZFVXRMUzB0TFFvPSJ9XX19"}],"timestampVerificationData":{}},"dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiTU9EVUxFLmJhemVsIiwiZGlnZXN0Ijp7InNoYTI1NiI6IjA2Y2UzMzA5MDBhN2Q2NDAzYmM4ZDg4ZTVkZmFkNmFlZWI4YWU0MDE3OWY2NmJiODllNjljOGJmNmY2YjFhMGIifX1dLCJwcmVkaWNhdGVUeXBlIjoiaHR0cHM6Ly9zbHNhLmRldi9wcm92ZW5hbmNlL3YxIiwicHJlZGljYXRlIjp7ImJ1aWxkRGVmaW5pdGlvbiI6eyJidWlsZFR5cGUiOiJodHRwczovL2FjdGlvbnMuZ2l0aHViLmlvL2J1aWxkdHlwZXMvd29ya2Zsb3cvdjEiLCJleHRlcm5hbFBhcmFtZXRlcnMiOnsid29ya2Zsb3ciOnsicmVmIjoicmVmcy9oZWFkcy9wdWJsaXNoLXRvLWJjciIsInJlcG9zaXRvcnkiOiJodHRwczovL2dpdGh1Yi5jb20vYXNwZWN0LWJ1aWxkL3J1bGVzX2xpbnQiLCJwYXRoIjoiLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWwifX0sImludGVybmFsUGFyYW1ldGVycyI6eyJnaXRodWIiOnsiZXZlbnRfbmFtZSI6IndvcmtmbG93X2Rpc3BhdGNoIiwicmVwb3NpdG9yeV9pZCI6IjYzMTcxMDc0MSIsInJlcG9zaXRvcnlfb3duZXJfaWQiOiI2MDk1MTA5MCIsInJ1bm5lcl9lbnZpcm9ubWVudCI6ImdpdGh1Yi1ob3N0ZWQifX0sInJlc29sdmVkRGVwZW5kZW5jaWVzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL2FzcGVjdC1idWlsZC9ydWxlc19saW50QHJlZnMvaGVhZHMvcHVibGlzaC10by1iY3IiLCJkaWdlc3QiOnsiZ2l0Q29tbWl0IjoiOGY3MDAwOWZkZTBjOTRhZGU2Y2UyYTA1NGI5NDcxOGM4MTkxMjZlYyJ9fV19LCJydW5EZXRhaWxzIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vYmF6ZWwtY29udHJpYi9wdWJsaXNoLXRvLWJjci8uZ2l0aHViL3dvcmtmbG93cy9wdWJsaXNoLnlhbWxAcmVmcy90YWdzL3YwLjAuMSJ9LCJtZXRhZGF0YSI6eyJpbnZvY2F0aW9uSWQiOiJodHRwczovL2dpdGh1Yi5jb20vYXNwZWN0LWJ1aWxkL3J1bGVzX2xpbnQvYWN0aW9ucy9ydW5zLzE0MDk1NjExNjcxL2F0dGVtcHRzLzEifX19fQ==","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIHaS/Ds8ahUqMfYQSmH1gpZwwv54TB/HWjuPclMKwMlpAiEAjGqD19mYiodYIeMEih28lv6eJMtu1iwTcFevh6Qc3yI="}]}}