Slot: signingTool

URI or name of the tool used to cryptographically sign the artifact or attestation (e.g., "https://github.com/sigstore/cosign", "https://github.com/notaryproject/notation"). In the SSF reference architecture the Signing Service layer is distinct from the Build Service; recording the signing tool enables verifiers to select the matching verification workflow. For Sigstore keyless signing the value should be the Cosign release URI.

URI: slsa:signingTool
Alias: signingTool

Applicable Classes

| Name | Description | Modifies Slot |
| --- | --- | --- |
| SourceProvenanceAttestation | An attestation describing how a source revision came to exist: where it was h... | no |
| Statement | The middle layer of an in-toto software attestation (Statement v1) | no |
| VerificationSummaryAttestation | An attestation predicate (predicateType "https://slsa | no |
| BuildEnvironmentAttestation | An attestation describing the integrity of a build environment at the time a ... | no |
| BuildProvenance | An attestation predicate (predicateType "https://slsa | no |

Properties

Type and Range

| Property | Value |
| --- | --- |
| Range | String |
| Domain Of | Statement |

Cardinality and Requirements

Property Value

In Subsets

Identifier and Mapping Information

Schema Source

  • from schema: https://w3id.org/lmodel/slsa

Mappings

| Mapping Type | Mapped Value |
| --- | --- |
| self | slsa:signingTool |
| native | slsa:signingTool |

LinkML Source

name: signingTool
description: URI or name of the tool used to cryptographically sign the artifact or
  attestation (e.g., "https://github.com/sigstore/cosign", "https://github.com/notaryproject/notation").
  In the SSF reference architecture the Signing Service layer is distinct from the
  Build Service; recording the signing tool enables verifiers to select the matching
  verification workflow. For Sigstore keyless signing the value should be the Cosign
  release URI.
in_subset:
- slsa_build_track
- slsa_source_track
- slsa_ssf
from_schema: https://w3id.org/lmodel/slsa
rank: 1000
alias: signingTool
domain_of:
- Statement
range: string