This package provides a Go CLI for generating in-toto compatible SCAI metadata. We assume a minimal Ubuntu 20.04+ platform.
First, install Go version 1.20 or higher following the Go installation instructions, as well as additional dependencies:
sudo apt install build-essential
Then, install the scai-gen Go module from this repo's root directory:
make go-modscai-gen can be used to generate JSON encoded in-toto Resource Descriptors, SCAI Attribute Assertions, and SCAI Attribute Reports.
scai-gen also provides a feature for checking DSSE-signed in-toto attestations against an in-toto Layout or a SCAI evidence policy. Examples can be found in the layouts and policies directories.
Local file:
scai-gen rd file -o <out-file> [-n <name>] [-u <URI>] [-l <download location>] [-t <media type>] <filename> Remote resource or service:
scai-gen rd remote -o <out-file> [-a <hash algorithm> -d <digest>] [-n <name>] <resource URI> scai-gen assert -o <out-file> [-e <evidence RD filename>] <attribute> Run scai-gen assert help for a full list of command-line options.
scai-gen report -o <out-file> [-e <evidence RD filename>] <attribute assertion file1> [<attribute assertion file2> ...]Run scai-gen report help for a full list of command-line options.
scai-gen check layout -l <layout-file> <SCAI attestation file1> [<SCAI attestation file2> ...]The scai-gen check evidence command currently only supports checking
policies about evidence that is located locally. Support for checking
evidence formats other than plaintext or in-toto attestations is upcoming.
scai-gen check evidence -p <policy-file> -e <evidence-directory> <SCAI attestation file>Run scai-gen check help for a full list of command-line options.