Skip to main content

Attestation

An attestation is a signed, verifiable statement about a software artifact that lets consumers confirm its origin and integrity.

An attestation is a signed statement about a software artifact that anyone can verify. It binds a claim — for example, "this SBOM describes this exact document" or "this artifact was built by this pipeline" — to the artifact's cryptographic digest, and signs the whole thing so tampering is detectable.

How It Works

A common shape is an in-toto Statement: it names a subject (the artifact, identified by its digest), a predicate type (what kind of claim this is, such as an SBOM or build provenance), and a predicate (the claim itself). The statement is wrapped in a signing envelope — DSSE is the usual choice — and signed, either with a key held in a secrets manager or keylessly with a short-lived certificate logged to a public transparency log.

To verify, a consumer checks the signature against the expected signer, then confirms the artifact's digest matches the subject the attestation commits to. If either check fails, the attestation is rejected. Tools such as cosign produce and verify attestations, and the result is a plain trust decision: verified, or not.

Why It Matters

An unsigned document proves nothing about who produced it. An attestation lets a downstream team — an auditor, a customer, a regulator — confirm that an SBOM or an artifact genuinely came from its stated source and has not been altered in transit. That is the difference between "here is a file" and "here is a file you can trust."

Attestations are a building block of software supply-chain security and underpin frameworks like SLSA, which grade how much provenance an artifact carries.

Related Terms

Attestations record provenance about an artifact, are frequently used to sign SBOMs, are wrapped in a DSSE envelope, and are central to supply-chain security and SLSA.