Final demo setup

Signed-off-by: Marcela Melara <marcela.melara@intel.com>

go.mod

@@ -1,6 +1,8 @@
 module github.com/in-toto/scai-demos
 
-go 1.20
+go 1.21
+
+toolchain go1.21.5
 
 require (
 	github.com/google/cel-go v0.18.2

kccncna2023-demo/README.md

@@ -25,6 +25,17 @@ the build
 These two attestations are signed using cosign OIDC-based keyless signing,
 and uploaded to the public Rekor log.
 
+### Verified Policies
+
+This demo verifies the following policies using the generated attestations:
+
+* [in-toto Layout] checks that the expected attestations were generated for each step
+of the demo workflow.
+* [SCAI policy] checks the attested attributes against the evidence indicated in the
+SCAI Attribute Report.
+
+This verification flow is implemented in the [verification-flow.sh] script.
+
 ### Additional Tools
 
 This demo makes use of the following additional tools:
@@ -37,9 +48,12 @@ This demo makes use of the following additional tools:
 [Anchore SBOM generator]: https://github.com/anchore/sbom-action
 [attestation-verifier]: https://github.com/in-toto/attestation-verifier
 [demo workflow]: https://github.com/marcelamelara/private-data-objects/blob/intoto-kccncna2023-demo/.github/workflows/intoto-kccncna2023-demo.yml
+[in-toto Layout]: ./policies/layout.yml
 [in-toto Maintainer Track talk]: https://kccncna2023.sched.com/event/1R2mx
 [SLSA generic Provenance generator]: https://github.com/slsa-framework/slsa-github-generator
-[SLSA Provenance]: https://github.com/in-toto/attestation/blob/main/spec/predicates/provenance.md
-[SCAI Attribute Report]: https://github.com/in-toto/attestation/blob/main/spec/predicates/scai.md
+[SLSA Provenance]: https://github.com/in-toto/attestation/blob/v1.0.1/spec/predicates/provenance.md
+[SCAI Attribute Report]: https://github.com/in-toto/attestation/v1.0.1/main/spec/predicates/scai.md
+[SCAI policy]: ./policies/has-slsa.yml
 [scai-gen GitHub Actions]: https://github.com/in-toto/scai-demos/tree/main/.github/actions
 [strace]: https://strace.io/
+[verification-flow.sh]: ./verification-flow.sh

kccncna2023-demo/attestations/evidence-collection.1f575092.json

@@ -0,0 +1 @@
+{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoicGRvX2NsaWVudF93YXdha2EiLCJkaWdlc3QiOnsic2hhMjU2IjoiOWZiN2VmNTUyMjk4ZjhmYmFkODQ2MDRkMDYxMDBlNzYwYjdiOGM0Y2I0ZDZjNGI3Mjc4NjVmMWYyODVkMDZhYyJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL2luLXRvdG8uaW8vYXR0ZXN0YXRpb24vc2NhaS9hdHRyaWJ1dGUtcmVwb3J0L3YwLjIiLCJwcmVkaWNhdGUiOnsiYXR0cmlidXRlcyI6W3siYXR0cmlidXRlIjoiSGFzU0JPTSIsImV2aWRlbmNlIjp7ImRpZ2VzdCI6eyJzaGEyNTYiOiJkOTVjMjAyZTBlNDAyMTQ0ZDYzNjM4MGU5ODJlYWZmNTRiZTU1OWI1NTU5OGZkMTgwNzFlOTZkNmYzYTdlYjAzIn0sImRvd25sb2FkTG9jYXRpb24iOiJodHRwczovL2dpdGh1Yi5jb20vbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9zdWl0ZXMvMTU0MTc3MjYxNDIvYXJ0aWZhY3RzLzg4MDQwMzM5NSIsIm1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3NwZHgranNvbiIsIm5hbWUiOiJwZG9fY2xpZW50X3dhd2FrYS5zcGR4Lmpzb24ifX0seyJhdHRyaWJ1dGUiOiJIYXNTTFNBIiwiZXZpZGVuY2UiOnsiZGlnZXN0Ijp7InNoYTI1NiI6Ijk0ZDE4NzE2ZWU0NDEyMTc1YzVkOWRhMWNlNTA5NDcxNTNlMDljNDc2MmY5MDQ0YWY2ZjJkNjgyOGIxMmZlNWIifSwiZG93bmxvYWRMb2NhdGlvbiI6Imh0dHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL3N1aXRlcy8xNTQxNzcyNjE0Mi9hcnRpZmFjdHMvODgwNDAzMzkyL3Bkb19jbGllbnRfd2F3YWthLnNsc2EuaW50b3RvLmpzb25sIiwibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8rZHNzZSIsIm5hbWUiOiJidWlsZC40NTJlNjI4YS5qc29uIn19XX19","signatures":[{"keyid":"1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6","sig":"W5terKjmGajjJLl1mXNgPzIamE0omBDUkXzmrAVZMI51FTvv2a4ixCRAMSvT8qxcs/ZvqMXxMGQV5RR2x1aF1JkBLSP9nY7mQLcl7GYJ6E+KltLMgO3Bw9b4vXDp/JZ1y8Dby+rUEt0umehFJYj0Yl8/ndhWVK6QNMzrCDghK8TdZ8N1+HhyxewOYdP2i+yrM0Ll0Q0DiXO4r5SPGgGTY6BWe5Sjc2HNrt+J6fJcnXpvfCBlTAuG0pGNDbIS9jtimsh+AKAlpdcgJUPGpL3baTRW/1liyzVmtJtIrTl1kDDm/rzKmFi/OaMS6Vwm4RkaEkXaLPYpzz6pBaCHm8JxNJVjijtoTrNyuhEyHuvZW3o/p9/TmW9O6kyDc8Sybk5S8iWca0N3sLAfIsQw4968PHo4p7jf/bWWPFhSag2nIz4fKdiLXSzaDvxKtuuMfa6BG15j45Nwqq6qcKf2ZssYP4sjyuzYcJe912HFPPo8ZasQmFBcuBMhpu7NHU6yP/19"}]}