Quickstart: SCITT Statements (Preview)

How to push a collection of Statements using SCITT APIs

The SCITT API is currently in preview and subject to change

The Supply Chain Integrity, Transparency and Trust (SCITT) initiative is a set of IETF standards for managing the compliance and auditability of goods and services across end-to-end supply chains. SCITT supports the ongoing verification of goods and services where the authenticity of entities, evidence, policy, and artifacts can be assured and the actions of entities can be guaranteed to be authorized, non-repudiable, immutable, and auditable.

To assure insights to supply chain artifacts are current, the SCITT APIs provide a correlation of statements, allowing verifiers to view a full history of statements. This includes previously registered statements, and newly registered statements providing the most up to date insights.

This quickstart will:

  1. create, or use an existing a key to sign a collection of statements about an artifact
  2. create and register a statement for the artifact
  3. create and register an attestation for the artifact
  4. query a collection of statements about the artifact

Prerequisites

DataTrails Sample Code

The Quickstart uses existing samples and scripts to focus on the SCITT APIs.

Clone the DataTrails SCITT Examples repository to copy those files to your environment.

git clone https://github.com/datatrails/datatrails-scitt-samples.git && \
cd datatrails-scitt-samples

Environment Configuration

  1. Create a Python Virtual Environment for the sample scripts and install the dependencies

    python -m  venv venv && \
    source venv/bin/activate && \
    pip install --upgrade pip && \
    pip install -r requirements.txt
    
  2. To ease copying and pasting commands, update any variables to fit your environment

    # your identity
    ISSUER="sample.synsation.io"
    
    # signing key to sign the SCITT Statements
    SIGNING_KEY="my-signing-key.pem"
    
    # File representing the signed statement to be registered
    SIGNED_STATEMENT_FILE="signed-statement.cbor"
    
    # Feed ID, used to correlate a collection of statements about an artifact
    FEED="my-product-id"
    

Create a Signing Key

If you already have a COSE Key, skip ahead to Generating a Payload

For the Quickstart, create a testing COSE Key which DataTrails will cryptographically validate upon registration

openssl ecparam -name prime256v1 -genkey -out $SIGNING_KEY

Generating a Payload

  1. Create a simple json payload

    cat > payload.json <<EOF
    {
        "author": "fred",
        "title": "my biography",
        "reviews": "mixed"
    }
    EOF
    
  2. Create a COSE Signed Statement for the payload.json file

    python scitt/create_signed_statement.py \
      --signing-key-file $SIGNING_KEY \
      --issuer $ISSUER \
      --feed $FEED \
      --content-type "application/json" \
      --payload-file payload.json \
      --output-file $SIGNED_STATEMENT_FILE
    
  3. Register the Statement

    OPERATION_ID=$(curl -X POST -H @$HOME/.datatrails/bearer-token.txt \
                    --data-binary @$SIGNED_STATEMENT_FILE \
                    https://app.datatrails.ai/archivist/v1/publicscitt/entries \
                    | jq -r .operationID)
    
  4. Monitor for the Statement to be anchored. Once "status": "succeeded", proceed to the next step

    ENTRY_ID=$(python scitt/check_operation_status.py --operation-id $OPERATION_ID)
    
  5. Retrieve a SCITT Receipt

    
    curl -H @$HOME/.datatrails/bearer-token.txt \
      https://app.datatrails.ai/archivist/v1/publicscitt/entries/$ENTRY_ID/receipt \
      -o receipt.cbor
    

Retrieve Statements for the Artifact

The power of SCITT is the ability to retrieve the history of statements made for a given artifact. By querying the series of statements, consumers can verify who did what and when for a given artifact.

  1. Query DataTrails for the collection of statements

    curl -H @$HOME/.datatrails/bearer-token.txt \
      "https://app.datatrails.ai/archivist/v2/publicassets/-/events?event_attributes.feed_id=$FEED" | jq
    
Coming soon: Filter on specific content types, such as what SBOMs have been registered, or which issuers have made statements.

Summary

The quickstart created a collection of statements for a given artifact. Over time, as new information is available, authors can publish new statements which verifiers and consumers can benefit from. There are no limits to the types of additional statements that may be registered, which may include new vulnerability information, notifications of new versions, end of life (EOL) notifications, or more. By using the content-type parameter, verifiers can filter to specific types, and/or filter statements by the issuer.

For more information: