An attestation is a unit of data sent to Chainloop. Users and CI systems use the Chainloop CLI to initialize an attestation process, add pieces of evidence to them, and “push” them to Chainloop service (the evidence store).

In this step, we’ll use the CLI locally to craft an attestation referencing a container image and a Software Bill of materials (SBOM).

Authentication

First, you need to authenticate the CLI to Chainloop service. Currently we support two authentication methods during the attestation process, user authentication and API key authentication, for this step we’ll use the user authentication, which can be done by running the following command:

chainloop auth login

Initialize the Attestation process

In a nutshell, an attestation process has three steps: initialization, adding evidence, and storage. Refer to this section to learn more about the attestation lifecycle.

We’ll start by initializing an attestation. The attestation process requires the name of a workflow and a project to associate with it. Chainloop workflows represent any CI or process that you want to attest. Projects and project versions represent your software product lifecycle.

chainloop att init --workflow quickstart --project myproject

Add Pieces of Evidence (a.k.a materials)

Once the attestation process is initiated, we can attach as many pieces of evidence as we want. In this case, we are adding a reference to a container image. Many other material types are supported - check the supported list.

chainloop att add --value ghcr.io/chainloop-dev/chainloop/control-plane

We just attached a reference to a container image, note how the digest was automatically resolved and injected.

Next, let’s add a Software Bill Of Materials (SBOM) by pointing to its remote URL (using the local file path works too).

chainloop att add --value https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/sbom.json

In this other case, the file’s content will get uploaded to the Content Addressable Storage of your choice and referenced in the attestation also by its digest.

Sign and Store the Attestation

Finally, we sign and push the attestation to Chainloop for permanent preservation using.

chainloop att push

Inspect the Attestation

Congratulations! We’ve performed our first attestation, now we can head to the workflow runs section in the platform UI and inspect the attestation we just created.

The “Attestation” tab will provide the full attestation payload, consisting of an in-toto attestation with a Chainloop predicate. After a quick inspection, we can confirm that our pieces of evidence (the container image reference and the SBOM) are included in the attestation

Verifying your attestation

You can verify the integrity of the attestation by downloading the bundle (in Sigstore format) and running the verification command.

chainloop att verify -b bundle.json

Under the hood, the command is:

  • Checking the validity of the signing certificate included in the bundle, against the Chainloop trusted root
  • Checking the validity of the timestamp signature
  • Verifying the payload integrity (the in-toto attestation included in the bundle) and its signature.

Visit the signing reference for more information about signing and verification methods.