Container provenance does not contain tags as subjects

[marcofranssen]

In our workflow we are adding the provenance for containers like this.

bin/slsa-provenance generate container --github-context "$(echo ${GITHUB_CONTEXT} | base64 -w 0)" --runner-context "$(echo ${RUNNER_CONTEXT} | base64 -w 0)" --repository philipssoftware/slsa-provenance --output-path provenance.att --digest sha256:e3378aef23821fd6e210229e5b98b5bead2858581b2d590d9e3b49d53c3f71e7 --tags dddb40e199ae28d4cd2f17bad7f31545556fdd3d,v0.7.2
cat provenance.att | jq .predicate > provenance-predicate.att
cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}

Doing so we only take the predicate part of the provenance we have generated. By doing so we do however drop our subjects and have cosign handle the subjects part.

See the difference below:

diff --git a/provenance.att b/cosign-provenance.att
index c5bea36..8f97668 100644
--- a/provenance.att
+++ b/cosign-provenance.att
@@ -2,13 +2,7 @@
   "_type": "https://in-toto.io/Statement/v0.1",
   "subject": [
     {
-      "name": "philipssoftware/slsa-provenance:dddb40e199ae28d4cd2f17bad7f31545556fdd3d",
-      "digest": {
-        "sha256": "e3378aef23821fd6e210229e5b98b5bead2858581b2d590d9e3b49d53c3f71e7"
-      }
-    },
-    {
-      "name": "philipssoftware/slsa-provenance:v0.7.2",
+      "name": "ghcr.io/philips-labs/slsa-provenance",
       "digest": {
         "sha256": "e3378aef23821fd6e210229e5b98b5bead2858581b2d590d9e3b49d53c3f71e7"
       }
@@ -30,7 +24,7 @@
       }
     },
     "metadata": {
-      "buildInvocationId": "https://github.com/philips-labs/slsa-provenance-action/actions/runs/1863884845",
+      "buildInvocationID": "https://github.com/philips-labs/slsa-provenance-action/actions/runs/1863884845",
       "buildFinishedOn": "2022-02-18T10:39:59Z",
       "completeness": {
         "parameters": true,

Will reach out to the cosign project to see how we want to handle this.