The payload, which is the middle layer of the evidence file, is based on the in-toto attestation framework, as shown below. The payload contains the evidence predicate, which includes the actual contents of the evidence. The payload is wrapped inside the Evidence Envelope.
```json
{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    {
      // Resource Descriptor
    }
  ],
  "predicateType": "{URL-Type}",
  "predicate": {
    // Predicate
  },
  "createdAt": "2222-01-01T00:00:00.000Z",
  "createdBy": "{username}"
}
```
The payload consists of the following elements:
| Property | Description |
|---|---|
| _type | The _type for JFrog evidence is always |
| subject | Describes the entity associated with the evidence, as defined by its resource descriptor. Each evidence file must be associated with a single subject. For more information, see Evidence Resource Descriptor. |
| predicateType | Contains the URL type associated with the predicate. The predicate type identifies the meaning of the predicate. Each predicate type is associated with a category to facilitate searching and filtering. Internal predicate types created within Artifactory include: Examples of external predicate types include: |
| predicate | Contains the actual body of the evidence file, which consists of arbitrary claims about the evidence subject. For more information, see Evidence Predicate. |
| createdAt | The timestamp when the evidence was created (not when it was deployed to Artifactory). Note: This is a JFrog extension to the standard defined by the in-toto framework. |
| createdBy | The user who created the evidence. Note: This is a JFrog extension to the standard defined by the in-toto framework. |
Evidence Resource Descriptor
The resource descriptor, which is a mandatory element of the evidence payload, consists of a checksum that represents the evidence subject.
```json
{
  "digest": {
    "sha256": "ec87961dbf..."
  }
}
```
The resource descriptor contains a single element:
| Property | Description |
|---|---|
| digest | The checksum of the evidence subject. |
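The following is an added example, not JFrog's code, that checks a payload against the structure described above: the `_type` value, the single-subject rule, and the subject's `sha256` digest recomputed from the artifact bytes. The function name, sample artifact, predicate type URL and user name are constructed for illustration, and the check does not cover the signature on the surrounding Evidence Envelope.

```python
import hashlib
import json
from datetime import datetime

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"  # _type shown in the payload template

def check_payload(payload_json, artifact_bytes):
    """Return a list of problems in an evidence payload; an empty list means it passed."""
    try:
        payload = json.loads(payload_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(payload, dict):
        return ["payload is not a JSON object"]
    problems = []
    if payload.get("_type") != STATEMENT_TYPE:
        problems.append("unexpected _type")
    # Each evidence file must be associated with a single subject.
    subject = payload.get("subject")
    if not isinstance(subject, list) or len(subject) != 1 or not isinstance(subject[0], dict):
        problems.append("subject must hold exactly one resource descriptor")
    else:
        digest = subject[0].get("digest")
        claimed = digest.get("sha256") if isinstance(digest, dict) else None
        if not isinstance(claimed, str):
            problems.append("subject has no sha256 digest")
        elif claimed.lower() != hashlib.sha256(artifact_bytes).hexdigest():
            problems.append("subject digest does not match the artifact")
    if not isinstance(payload.get("predicateType"), str) or not payload["predicateType"]:
        problems.append("predicateType missing")
    if not isinstance(payload.get("predicate"), dict):
        problems.append("predicate missing or not an object")
    # Assumption: createdAt, when present, uses the format shown in the template.
    created_at = payload.get("createdAt")
    if created_at is not None:
        try:
            datetime.strptime(created_at, "%Y-%m-%dT%H:%M:%S.%fZ")
        except (TypeError, ValueError):
            problems.append("createdAt is not an ISO-8601 UTC timestamp")
    return problems

# Constructed sample input: artifact bytes and a payload that describes them.
ARTIFACT = b"constructed sample artifact\n"
GOOD = json.dumps({
    "_type": STATEMENT_TYPE,
    "subject": [{"digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://example.com/predicate/v1",  # placeholder URL
    "predicate": {"result": "pass"},
    "createdAt": "2222-01-01T00:00:00.000Z", "createdBy": "example-user",
})
```

Calling `check_payload(GOOD, ARTIFACT)` returns an empty list; passing different artifact bytes reports the digest mismatch.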