rfgen.attestation

rfgen.attestation is the closed, fail-closed boundary between rfgen’s in-toto statement contract and Sigstore DSSE signing or verification. It validates statement shape, canonical RFC 8785 JSON bytes, the exact subject and predicate policy, and the signer identity; it delegates cryptography and trust-root verification to the pinned sigstore==4.4.0 package.

This is a sealed service, not a plugin interface. Callers provide a configured Sigstore signer or verifier and a typed policy; they do not subclass or replace the adapter. It does not publish attestations, make a domain-policy decision, or authorize a release.

Pinning seam

SIGSTORE_VERSION

SIGSTORE_VERSION: Literal["4.4.0"] = "4.4.0" records the exact Sigstore API version used by the boundary. The adapter relies on this version’s public Signer.sign_dsse, Verifier.verify_dsse, and Identity APIs.

SIGSTORE_WHEEL_SHA256

SIGSTORE_WHEEL_SHA256 is the SHA-256 of the verified sigstore-4.4.0-py3-none-any.whl artifact: 80c36d08b02479e2a282d0bea93de68fe0d43a93b0d58e4d9ac6bb9f8425957c. Changing the pin requires revalidating this package seam and its real DSSE verification evidence.

SigstoreDSSEAdapter also reads Sigstore’s retained Statement._contents bytes. Sigstore 4.4.0 supplies no public accessor for the exact bytes passed to Signer.sign_dsse; this narrowly scoped private seam fails closed when the pinned implementation no longer provides bytes.

Policy and result models

AttestationPredicate

The closed StrEnum of accepted predicate URIs: RUN_MANIFEST_V1, PRICING_V1, BENCHMARK_BASELINE_V1, BUDGET_APPROVAL_V1, and RELEASE_MANIFEST_V1. A statement whose predicateType is not exactly the requested enum value is rejected.

AttestationPolicyV1

class AttestationPolicyV1(BaseModel):
    identity: str
    issuer: str
    predicate: AttestationPredicate
    subject_name: str
    subject_sha256: Sha256

An immutable, strict policy for one verification or signing request. It binds the Sigstore certificate identity and issuer, a predicate type, and exactly one subject name plus lowercase SHA-256 digest. The adapter constructs Sigstore’s identity policy directly from identity and issuer before it accepts a verified statement.

VerifiedStatementV1

class VerifiedStatementV1(BaseModel, Generic[PredicateT]):
    payload_type: Literal["application/vnd.in-toto+json"]
    statement_type: Literal["https://in-toto.io/Statement/v1"]
    predicate_type: AttestationPredicate
    subject_name: str
    subject_sha256: Sha256
    predicate: PredicateT
    bundle_sha256: Sha256

The immutable result of successful verification. Its predicate is the caller-supplied strict, frozen Pydantic predicate model and bundle_sha256 is the SHA-256 of the Sigstore bundle JSON bytes.

Failure contract

AttestationValidationCode

The machine-readable rejection enum. PAYLOAD_TYPE, UTF8, JSON, STATEMENT_TYPE, SUBJECT, PREDICATE_TYPE, PREDICATE_SCHEMA, and NONCANONICAL identify statement-boundary failures. IDENTITY identifies a Sigstore identity, issuer, or SAN policy failure; SIGNATURE identifies the remaining Sigstore verification failures.

AttestationValidationError

class AttestationValidationError(_RfgenAttestationValidationError):
    code: AttestationValidationCode

Raised for every closed attestation-boundary rejection. code is stable for programmatic handling; callers must treat any such error as a failed attestation rather than attempting a permissive fallback. The private base alias above is rfgen.errors.AttestationValidationError in the implementation.

Sealed adapter

SigstoreDSSEAdapter

class SigstoreDSSEAdapter:
    def __init__(self, *, signer: Signer, verifier: Verifier) -> None
    def sign(
        self,
        statement: dsse.Statement,
        *,
        expected: AttestationPolicyV1,
        predicate_model: type[PredicateT],
    ) -> Bundle
    def verify(
        self,
        bundle: Bundle,
        *,
        policy: AttestationPolicyV1,
        predicate_model: type[PredicateT],
    ) -> VerifiedStatementV1[PredicateT]

sign() first parses and checks the requested policy and predicate model, requires the statement bytes to be RFC 8785 canonical JSON, then delegates once to Signer.sign_dsse. verify() first delegates bundle verification with the exact Sigstore Identity(identity=..., issuer=...) policy. It then requires the in-toto payload type, UTF-8 JSON, Statement v1 type, one exact subject, the requested predicate URI, a strict frozen predicate model, and byte-for-byte canonical JSON before returning VerifiedStatementV1.

Type aliases

Sha256

Sha256 is an annotated string constrained to exactly 64 lowercase hexadecimal characters. It is used for subject and bundle digests.

PredicateT

PredicateT is the Pydantic-model type parameter used by SigstoreDSSEAdapter and VerifiedStatementV1. The supplied model must forbid unknown fields and be frozen; otherwise the adapter raises AttestationValidationError with PREDICATE_SCHEMA.

See Also

  • Execution Evidence: DSSE_ROUNDTRIP is the trust-root gate that records this boundary’s engineering evidence.

  • Build and CI: exact dependency pin and local validation policy.