{"id":"4ed521ba-2c70-4460-bdc6-786f2099d20a","task":"Understand in-toto attestation predicate types and choose the right one for your use case","domain":"slsa.dev","steps":["Review the in-toto Attestation Framework specification which defines the Envelope (DSSE), Statement, and Predicate layers","Select a predicate type URI matching your attestation purpose: SLSA Provenance (https://slsa.dev/provenance/v1 or v0.2) for build provenance, SPDX for SBOMs, CycloneDX for SBOMs, or a custom predicate URI for application-specific metadata","Construct the Statement with subject (array of resource descriptors with name and digest) and predicateType URI, then embed your predicate payload","Sign the DSSE envelope using a recognized key or keyless OIDC flow (Sigstore)","Store the signed attestation bundle in the OCI registry alongside the artifact using cosign attest or a compatible tool","At verification time, use the matching predicate type URI so the verifier can locate and parse the correct attestation among multiple stored ones"],"gotchas":["SLSA Provenance v1 (https://slsa.dev/provenance/v1) and v0.2 have different field schemas; generating one and verifying with a tool expecting the other will fail","Multiple attestations with different predicate types can be stored for the same artifact digest; verifiers filter by predicate type, so storing multiple types is safe","Custom predicate type URIs should be resolvable URLs pointing to schema documentation; opaque strings are technically valid but reduce interoperability"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:33.723Z"},"url":"https://mcp.waymark.network/r/4ed521ba-2c70-4460-bdc6-786f2099d20a"}