From ba97630c9d2625d99dca9f62273f7b5e273c6703 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Wed, 30 Oct 2024 07:31:41 -0400 Subject: [PATCH 01/13] add back bundle support Signed-off-by: Ramon Petgrave --- .github/workflows/generator_generic_slsa3.yml | 2 +- CHANGELOG.md | 10 ++ github/oidc.go | 9 +- go.mod | 5 +- go.sum | 20 ++- internal/builders/generic/attest.go | 9 +- internal/builders/generic/attest_test.go | 12 +- internal/builders/generic/main.go | 2 +- internal/builders/go/main.go | 11 +- internal/builders/go/pkg/provenance.go | 11 +- internal/builders/go/pkg/provenance_test.go | 11 +- signing/sigstore/bundle.go | 146 ++++++++++++++++++ 12 files changed, 204 insertions(+), 44 deletions(-) create mode 100644 signing/sigstore/bundle.go diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml index 3b3d58fb17..7a3836416f 100644 --- a/.github/workflows/generator_generic_slsa3.yml +++ b/.github/workflows/generator_generic_slsa3.yml @@ -160,7 +160,7 @@ jobs: with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" - go-version: "1.21" + go-version: "1.23.1" binary: "${{ env.BUILDER_BINARY }}" compile-builder: "${{ inputs.compile-generator }}" directory: "${{ env.BUILDER_DIR }}" diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b9a7e3fef..9c321f14d9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - [Unreleased](#unreleased) + - [Unreleased: Sigstore Bundles for Generic Generator and Go Builder](#unreleased-sigstore-bundles-for-generic-generator-and-go-builder) - [Unreleased: Vars context recorded in provenance](#unreleased-vars-context-recorded-in-provenance) - [v2.0.0](#v200) - [v2.0.0: Breaking Change: upload-artifact and download-artifact](#v200-breaking-change-upload-artifact-and-download-artifact) 
@@ -106,6 +107,15 @@ duplication." ## Unreleased +### Unreleased: Sigstore Bundles for Generic Generator and Go Builder + +The workflows `generator_generic_slsa3.yml` and `builder_go_slsa3.yml` +have been updated to produce signed Sigstore Bundles, just like all the other builders +that use the BYOB framework. + +The workflow logs will now print a LogIndex, rather than a LogUUID. Both are equally searchanble on +https://search.sigstore.dev/. + ### Unreleased: Vars context recorded in provenance - **Updated**: GitHub `vars` context is now recorded in provenance for the generic and diff --git a/github/oidc.go b/github/oidc.go index be74e39543..330817dd75 100644 --- a/github/oidc.go +++ b/github/oidc.go @@ -39,6 +39,9 @@ const ( // OIDCToken represents the contents of a GitHub OIDC JWT token. type OIDCToken struct { + // Expiry is the expiration date of the token. + Expiry time.Time + // Issuer is the token issuer. Issuer string @@ -54,8 +57,8 @@ type OIDCToken struct { // ActorID is the unique ID of the actor who triggered the build. ActorID string `json:"actor_id"` - // Expiry is the expiration date of the token. - Expiry time.Time + // RawToken is the unparsed oidc token. + RawToken string // Audience is the audience for which the token was granted. Audience []string @@ -247,6 +250,8 @@ func (c *OIDCClient) Token(ctx context.Context, audience []string) (*OIDCToken, return nil, err } + token.RawToken = tokenPayload + return token, nil } diff --git a/go.mod b/go.mod index f96930c93e..a0d310d585 100644 --- a/go.mod +++ b/go.mod @@ -14,6 +14,7 @@ require ( github.com/sigstore/cosign/v2 v2.4.1 github.com/sigstore/rekor v1.3.6 github.com/sigstore/sigstore v1.8.10 + github.com/sigstore/sigstore-go v0.6.1 github.com/spf13/cobra v1.8.1 golang.org/x/oauth2 v0.23.0 gopkg.in/square/go-jose.v2 v2.6.0 
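Review bot: `token.RawToken = tokenPayload` in the last oidc.go hunk keeps the bearer JWT on the OIDCToken struct, so any `%+v` or JSON dump of the token from now on leaks a live credential, and unlike the neighbouring `ActorID` field the new `RawToken` carries no json tag. Suggest `RawToken string `json:"-"`` so the secret never rides along if the struct is marshalled (whether it ever is cannot be seen from the hunk), and a field comment that states the contract: `// RawToken is the unparsed OIDC token. It is a bearer credential: never log or serialize it.` The body of Token starts outside the hunk.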
@@ -45,7 +46,7 @@ require ( github.com/alibabacloud-go/debug v1.0.0 // indirect github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect github.com/alibabacloud-go/openapi-util v0.1.0 // indirect - github.com/alibabacloud-go/tea v1.2.1 // indirect + github.com/alibabacloud-go/tea v1.2.2 // indirect github.com/alibabacloud-go/tea-utils v1.4.5 // indirect github.com/alibabacloud-go/tea-xml v1.1.3 // indirect github.com/aliyun/credentials-go v1.3.2 // indirect @@ -120,6 +121,7 @@ require ( github.com/hashicorp/go-retryablehttp v0.7.7 // indirect github.com/hashicorp/hcl v1.0.1-vault-5 // indirect github.com/imdario/mergo v0.3.16 // indirect + github.com/in-toto/attestation v1.1.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect @@ -165,6 +167,7 @@ require ( github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect github.com/thales-e-security/pool v0.0.2 // indirect github.com/theupdateframework/go-tuf v0.7.0 // indirect + github.com/theupdateframework/go-tuf/v2 v2.0.1 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/tjfoc/gmsm v1.4.1 // indirect github.com/transparency-dev/merkle v0.0.2 // indirect diff --git a/go.sum b/go.sum index c84eaaa2ed..a1454fad59 100644 --- a/go.sum +++ b/go.sum 
@@ -102,8 +102,8 @@ github.com/alibabacloud-go/tea v1.1.8/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeG github.com/alibabacloud-go/tea v1.1.11/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4= github.com/alibabacloud-go/tea v1.1.17/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A= github.com/alibabacloud-go/tea v1.1.19/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A= -github.com/alibabacloud-go/tea v1.2.1 h1:rFF1LnrAdhaiPmKwH5xwYOKlMh66CqRwPUTzIK74ask= -github.com/alibabacloud-go/tea v1.2.1/go.mod h1:qbzof29bM/IFhLMtJPrgTGK3eauV5J2wSyEUo4OEmnA= +github.com/alibabacloud-go/tea v1.2.2 h1:aTsR6Rl3ANWPfqeQugPglfurloyBJY85eFy7Gc1+8oU= +github.com/alibabacloud-go/tea v1.2.2/go.mod h1:CF3vOzEMAG+bR4WOql8gc2G9H3EkH3ZLAQdpmpXMgwk= github.com/alibabacloud-go/tea-utils v1.3.1/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE= github.com/alibabacloud-go/tea-utils v1.3.9/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE= github.com/alibabacloud-go/tea-utils v1.4.3/go.mod h1:KNcT0oXlZZxOXINnZBs6YvgOd5aYp9U67G+E3R8fcQw= @@ -280,6 +280,8 @@ github.com/go-piv/piv-go v1.11.0 h1:5vAaCdRTFSIW4PeqMbnsDlUZ7odMYWnHBDGdmtU/Zhg= github.com/go-piv/piv-go v1.11.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM= github.com/go-rod/rod v0.116.2 h1:A5t2Ky2A+5eD/ZJQr1EfsQSe5rms5Xof/qj296e+ZqA= github.com/go-rod/rod v0.116.2/go.mod h1:H+CMO9SCNc2TJ2WfrG+pKhITz57uGNYU43qYHh438Mg= +github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= +github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= 
@@ -385,6 +387,9 @@ github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= github.com/hashicorp/go-sockaddr v1.0.5 h1:dvk7TIXCZpmfOlM+9mlcrWmWjw/wlKT+VDq2wMvfPJU= github.com/hashicorp/go-sockaddr v1.0.5/go.mod h1:uoUUmtwU7n9Dv3O4SNLeFvg0SxQ3lyjsj6+CCykpaxI= +github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c= +github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k= +github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM= github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= github.com/hashicorp/vault/api v1.14.0 h1:Ah3CFLixD5jmjusOgm8grfN9M0d+Y8fVR2SW0K6pJLU= @@ -536,6 +541,8 @@ github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbm github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= +github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= +github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI= github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= github.com/sigstore/cosign/v2 v2.4.1 h1:b8UXEfJFks3hmTwyxrRNrn6racpmccUycBHxDMkEPvU= 
@@ -682,8 +689,8 @@ golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= -golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= @@ -722,8 +729,8 @@ golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= -golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -765,8 +772,8 @@ golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= @@ -776,8 +783,8 @@ golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= -golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo= golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= 
@@ -790,7 +797,6 @@ golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= diff --git a/internal/builders/generic/attest.go b/internal/builders/generic/attest.go index d38ba2b4ff..4bb9bba1f4 100644 --- a/internal/builders/generic/attest.go +++ b/internal/builders/generic/attest.go @@ -23,9 +23,9 @@ import ( "os" "path" - intoto "github.com/in-toto/in-toto-golang/in_toto" "github.com/spf13/cobra" + intoto "github.com/in-toto/in-toto-golang/in_toto" "github.com/slsa-framework/slsa-github-generator/github" "github.com/slsa-framework/slsa-github-generator/internal/builders/common" "github.com/slsa-framework/slsa-github-generator/internal/utils" @@ -35,7 +35,7 @@ import ( // attestCmd returns the 'attest' command. func attestCmd(provider slsa.ClientProvider, check func(error), - signer signing.Signer, tlog signing.TransparencyLog, + signer signing.Signer, ) *cobra.Command { var attPath string var subjectsFilename string 
@@ -44,7 +44,7 @@ func attestCmd(provider slsa.ClientProvider, check func(error), Use: "attest", Short: "Create a signed SLSA provenance attestation from a Github Action", Long: `Generate and sign SLSA provenance from a Github Action to form an attestation -and upload to a Rekor transparency log. This command assumes that it is being +and create a Sigstore Bundle. This command assumes that it is being run in the context of a Github Actions workflow.`, Run: func(_ *cobra.Command, _ []string) { @@ -114,9 +114,6 @@ run in the context of a Github Actions workflow.`, }) check(err) - _, err = tlog.Upload(ctx, att) - check(err) - attBytes = att.Bytes() } diff --git a/internal/builders/generic/attest_test.go b/internal/builders/generic/attest_test.go index dc7564eec1..6399ec0eff 100644 --- a/internal/builders/generic/attest_test.go +++ b/internal/builders/generic/attest_test.go @@ -249,7 +249,7 @@ func Test_attestCmd_default_single_artifact(t *testing.T) { t.Errorf("unexpected failure: %v", err) } defer os.Remove(fn) - c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{}) + c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}) c.SetOut(new(bytes.Buffer)) c.SetArgs([]string{ "--subjects-filename", fn, @@ -294,7 +294,7 @@ b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c artifact2`))) t.Errorf("unexpected failure: %v", err) } defer os.Remove(fn) - c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{}) + c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}) c.SetOut(new(bytes.Buffer)) c.SetArgs([]string{ "--subjects-filename", fn, 
@@ -337,7 +337,7 @@ func Test_attestCmd_custom_provenance_name(t *testing.T) { t.Errorf("unexpected failure: %v", err) } defer os.Remove(fn) - c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{}) + c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}) c.SetOut(new(bytes.Buffer)) c.SetArgs([]string{ "--subjects-filename", fn, @@ -393,7 +393,7 @@ func Test_attestCmd_invalid_extension(t *testing.T) { t.Errorf("unexpected failure: %v", err) } defer os.Remove(fn) - c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{}, &testutil.TestTransparencyLog{}) + c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{}) c.SetOut(new(bytes.Buffer)) c.SetArgs([]string{ "--subjects-filename", fn, @@ -447,7 +447,7 @@ func Test_attestCmd_invalid_path(t *testing.T) { t.Errorf("unexpected failure: %v", err) } defer os.Remove(fn) - c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{}, &testutil.TestTransparencyLog{}) + c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{}) c.SetOut(new(bytes.Buffer)) c.SetArgs([]string{ "--subjects-filename", fn, @@ -491,7 +491,7 @@ func Test_attestCmd_subdirectory_artifact(t *testing.T) { t.Errorf("unexpected failure: %v", err) } defer os.Remove(fn) - c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{}) + c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}) c.SetOut(new(bytes.Buffer)) c.SetArgs([]string{ "--subjects-filename", fn, diff --git a/internal/builders/generic/main.go b/internal/builders/generic/main.go index 06e4b1e7cc..329152f75c 100644 --- a/internal/builders/generic/main.go +++ b/internal/builders/generic/main.go 
@@ -36,7 +36,7 @@ For more information on SLSA, visit https://slsa.dev`, }, } c.AddCommand(versionCmd()) - c.AddCommand(attestCmd(nil, checkExit, sigstore.NewDefaultFulcio(), sigstore.NewDefaultRekor())) + c.AddCommand(attestCmd(nil, checkExit, sigstore.NewDefaultBundleSigner())) return c } diff --git a/internal/builders/go/main.go b/internal/builders/go/main.go index 0c5d3a4008..92e539270c 100644 --- a/internal/builders/go/main.go +++ b/internal/builders/go/main.go @@ -75,11 +75,11 @@ func runBuild(dry bool, configFile, evalEnvs string) error { return nil } -func runProvenanceGeneration(subject, digest, commands, envs, workingDir, rekor string) error { - r := sigstore.NewRekor(rekor) - s := sigstore.NewDefaultFulcio() +func runProvenanceGeneration(subject, digest, commands, envs, workingDir string) error { + s := sigstore.NewDefaultBundleSigner() + attBytes, err := pkg.GenerateProvenance(subject, digest, - commands, envs, workingDir, s, r, nil) + commands, envs, workingDir, s, nil) if err != nil { return err } @@ -118,7 +118,6 @@ func main() { provenanceCommand := provenanceCmd.String("command", "", "command used to compile the binary") provenanceEnv := provenanceCmd.String("env", "", "env variables used to compile the binary") provenanceWorkingDir := provenanceCmd.String("workingDir", "", "working directory used to issue compilation commands") - provenanceRekor := provenanceCmd.String("rekor", sigstore.DefaultRekorAddr, "rekor server to use for provenance") // Expect a sub-command. if len(os.Args) < 2 { @@ -145,7 +144,7 @@ func main() { } err := runProvenanceGeneration(*provenanceName, *provenanceDigest, - *provenanceCommand, *provenanceEnv, *provenanceWorkingDir, *provenanceRekor) + *provenanceCommand, *provenanceEnv, *provenanceWorkingDir) check(err) default: diff --git a/internal/builders/go/pkg/provenance.go b/internal/builders/go/pkg/provenance.go index 6791650592..787f7fbc93 100644 --- a/internal/builders/go/pkg/provenance.go 
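Review bot: Removing `provenanceRekor := provenanceCmd.String("rekor", sigstore.DefaultRekorAddr, ...)` in the second go/main.go hunk turns any existing `provenance --rekor ...` invocation into a parse failure, since a flag.FlagSet (which provenanceCmd appears to be) rejects undefined flags, and nothing in this series shows the workflow caller being updated. If that flag is reachable from the published builder workflow, keep it as a deprecated no-op, `_ = provenanceCmd.String("rekor", sigstore.DefaultRekorAddr, "deprecated: ignored, the bundle signer uses the default Rekor instance")`, or at least call the removal out in the CHANGELOG entry. main continues outside the hunk.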
+++ b/internal/builders/go/pkg/provenance.go @@ -65,7 +65,7 @@ func (b *goProvenanceBuild) BuildConfig(context.Context) (interface{}, error) { // attestation. // Spec: https://slsa.dev/provenance/v0.2 func GenerateProvenance(name, digest, command, envs, workingDir string, - s signing.Signer, r signing.TransparencyLog, provider slsa.ClientProvider, + s signing.Signer, provider slsa.ClientProvider, ) ([]byte, error) { gh, err := github.GetWorkflowContext() if err != nil { @@ -180,14 +180,5 @@ func GenerateProvenance(name, digest, command, envs, workingDir string, if err != nil { return nil, err } - - // Upload the signed attestation to rekor. - logEntry, err := r.Upload(ctx, att) - if err != nil { - return nil, err - } - - fmt.Printf("Uploaded signed attestation to rekor with UUID %s.\n", logEntry.UUID()) - return att.Bytes(), nil } diff --git a/internal/builders/go/pkg/provenance_test.go b/internal/builders/go/pkg/provenance_test.go index a6770ca07c..47d059e5b3 100644 --- a/internal/builders/go/pkg/provenance_test.go +++ b/internal/builders/go/pkg/provenance_test.go @@ -21,7 +21,7 @@ import ( "github.com/slsa-framework/slsa-github-generator/slsa" ) -func TestGenerateProvenance_withErr(t *testing.T) { +func TestGenerateProvenance(t *testing.T) { // Disable pre-submit detection. // TODO(github.com/slsa-framework/slsa-github-generator/issues/124): Remove t.Setenv("GITHUB_EVENT_NAME", "non_event") @@ -30,10 +30,13 @@ func TestGenerateProvenance_withErr(t *testing.T) { sha256 := "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2" _, err := GenerateProvenance( "foo", sha256, "", "", "/home/foo", - &testutil.TestSigner{}, &testutil.TransparencyLogWithErr{}, + &testutil.TestSigner{}, &slsa.NilClientProvider{}, ) - if want, got := testutil.ErrTransparencyLog, err; want != got { - t.Errorf("expected error, want: %v, got: %v", want, got) + + var want error + got := err + if want != got { + t.Errorf("unexpected error, want: %v, got: %v", want, got) } } 
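Review bot: The rewritten assertion in TestGenerateProvenance, `var want error` / `got := err` / `if want != got`, is an indirect way of saying the call must succeed; `if err != nil { t.Errorf("unexpected error: %v", err) }` says it directly. The deleted `TransparencyLogWithErr` case was also the only test of GenerateProvenance's failure path; now that the `r` parameter is gone, a failing-signer fixture (if testutil has one) would keep that coverage. GenerateProvenance's doc comment sits above the first provenance.go hunk and is cut off here, but with the Rekor upload block removed it is worth checking that it no longer promises an upload.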
diff --git a/signing/sigstore/bundle.go b/signing/sigstore/bundle.go new file mode 100644 index 0000000000..d1f0e9b88c --- /dev/null +++ b/signing/sigstore/bundle.go 
@@ -0,0 +1,146 @@
+// Copyright 2022 SLSA Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package sigstore
+
+import (
+ "context"
+ "encoding/json"
+ "fmt"
+
+ intoto "github.com/in-toto/in-toto-golang/in_toto"
+ sigstoreBundle "github.com/sigstore/sigstore-go/pkg/bundle"
+ sigstoreRoot "github.com/sigstore/sigstore-go/pkg/root"
+ sigstoreSign "github.com/sigstore/sigstore-go/pkg/sign"
+ "github.com/slsa-framework/slsa-github-generator/github"
+ "github.com/slsa-framework/slsa-github-generator/signing"
+)
+
+// BundleSigner is used to produce Sigstore Bundles from provenance statements.
+type BundleSigner struct{}
+
+type sigstoreBundleAtt struct {
+ cert []byte
+ att []byte
+}
+
+// Cert returns the certificate used to sign the Bundle.
+func (s *sigstoreBundleAtt) Cert() []byte {
+ return s.cert
+}
+
+// attestation is a signed Sigstore Bundle.
+func (s *sigstoreBundleAtt) Bytes() []byte {
+ return s.att
+}
+
+// NewDefaultBundleSigner creates a new BundleSigner instance.
+func NewDefaultBundleSigner() *BundleSigner {
+ return &BundleSigner{}
+}
+
+// Sign signs the given provenance statement and returns the signed Sigstore Bundle.
+func (s *BundleSigner) Sign(ctx context.Context, statement *intoto.Statement) (signing.Attestation, error) {
+ // content to sign
+ statementBytes, err := json.Marshal(*statement)
+ if err != nil {
+ return nil, err
+ }
+ content := &sigstoreSign.DSSEData{
+ Data: statementBytes,
+ PayloadType: intoto.PayloadType,
+ }
+
+ // keypair for the certificate
+ keypair, err := sigstoreSign.NewEphemeralKeypair(nil)
+ if err != nil {
+ return nil, err
+ }
+
+ // get the oidc token.
+ oidcClient, err := github.NewOIDCClient()
+ if err != nil {
+ return nil, err
+ }
+ tokenStruct, err := oidcClient.Token(ctx, []string{"sigstore"})
+ if err != nil {
+ return nil, err
+ }
+ rawToken := tokenStruct.RawToken
+
+ // signing opts.
+ bundleOpts, err := getBundleOpts(ctx, &rawToken)
+ if err != nil {
+ return nil, err
+ }
+
+ // sign.
+ innerBundle, err := sigstoreSign.Bundle(content, keypair, *bundleOpts)
+ if err != nil {
+ return nil, err
+ }
+
+ // print the logIndex.
+ // Bundle will have already verified that the TLog entries are signed.
+ logIndex := innerBundle.GetVerificationMaterial().GetTlogEntries()[0].GetLogIndex()
+ fmt.Printf("Signed attestation is in rekor with Log Index %d.\n", logIndex)
+ fmt.Printf("You could use rekor-cli to view the log entry details:\n\n"+
+ " $ rekor-cli get --log-index %[1]d\n\n"+
+ "In addition to that, you could also use the Rekor Search UI:\n\n"+
+ " https://search.sigstore.dev/?logIndex=%[1]d", logIndex)
+
+ // marshall to json.
+ bundleWrapper := &sigstoreBundle.Bundle{
+ Bundle: innerBundle,
+ }
+ bundleBytes, err := bundleWrapper.MarshalJSON()
+ if err != nil {
+ return nil, err
+ }
+ bundleAtt := &sigstoreBundleAtt{
+ cert: innerBundle.GetVerificationMaterial().GetCertificate().GetRawBytes(),
+ att: bundleBytes,
+ }
+ return bundleAtt, nil
+}
+
+// getBundleOpts provides the opts for sigstoreSign.Bundle().
+func getBundleOpts(
+ ctx context.Context,
+ identityToken *string,
+) (*sigstoreSign.BundleOptions, error) {
+ bundleOpts := &sigstoreSign.BundleOptions{
+ Context: ctx,
+ }
+
+ trustedRoot, err := sigstoreRoot.FetchTrustedRoot()
+ if err != nil {
+ return nil, err
+ }
+ bundleOpts.TrustedRoot = trustedRoot
+
+ fulcioOpts := &sigstoreSign.FulcioOptions{
+ BaseURL: defaultFulcioAddr,
+ }
+ bundleOpts.CertificateProvider = sigstoreSign.NewFulcio(fulcioOpts)
+ bundleOpts.CertificateProviderOptions = &sigstoreSign.CertificateProviderOptions{
+ IDToken: *identityToken,
+ }
+
+ rekorOpts := &sigstoreSign.RekorOptions{
+ BaseURL: DefaultRekorAddr,
+ }
+ bundleOpts.TransparencyLogs = append(bundleOpts.TransparencyLogs, sigstoreSign.NewRekor(rekorOpts))
+ return bundleOpts, nil
+}
From 487bc3b6130a84a65459735e9f560a315a243a63 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Thu, 31 Oct 2024 11:34:59 -0400 Subject: [PATCH 02/13] test: add pre-submit generic e2e against slsa-verifier@main Signed-off-by: Ramon Petgrave --- .../workflows/pre-submit.e2e.generic.main.yml | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 .github/workflows/pre-submit.e2e.generic.main.yml
diff --git a/.github/workflows/pre-submit.e2e.generic.main.yml b/.github/workflows/pre-submit.e2e.generic.main.yml
index 0000000000..5b1f0b0f44
--- /dev/null
+++ b/.github/workflows/pre-submit.e2e.generic.main.yml
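Review bot: `innerBundle.GetVerificationMaterial().GetTlogEntries()[0]` in Sign indexes the entry slice without checking its length, so a bundle that comes back without a transparency-log entry panics inside the signer rather than returning an error; the generated protobuf getters tolerate nil, but the index does not. `json.Marshal(*statement)` on the first line of the body likewise dereferences a nil statement. Suggest guarding both as below and wrapping the bare `return nil, err` sites with `fmt.Errorf("...: %w", err)` so a caller can tell a trusted-root fetch failure in getBundleOpts from a Fulcio or Rekor one. Separately, the doc comment on Bytes, `// attestation is a signed Sigstore Bundle.`, should start with the method name, e.g. `// Bytes returns the serialized Sigstore Bundle.`, and the final `fmt.Printf` in Sign has no trailing newline.
```go
func (s *BundleSigner) Sign(ctx context.Context, statement *intoto.Statement) (signing.Attestation, error) {
	if statement == nil {
		return nil, fmt.Errorf("nil statement")
	}
	statementBytes, err := json.Marshal(statement)
	if err != nil {
		return nil, fmt.Errorf("marshalling statement: %w", err)
	}
	// … unchanged: keypair, OIDC token, bundle options, sigstoreSign.Bundle call …
	entries := innerBundle.GetVerificationMaterial().GetTlogEntries()
	if len(entries) == 0 {
		return nil, fmt.Errorf("bundle has no transparency log entry")
	}
	logIndex := entries[0].GetLogIndex()
	// … unchanged: log index output, bundle marshalling, return …
```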
@@ -0,0 +1,78 @@ +# Copyright 2023 SLSA Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: pre-submit e2e generic main + +on: + pull_request: + branches: [main] + merge_group: + workflow_dispatch: + +permissions: read-all + +env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + BUILD_ARTIFACT: build-artifact + +jobs: + build: + runs-on: ubuntu-latest + outputs: + hashes: ${{ steps.hash.outputs.hashes }} + steps: + - run: echo "gundam" > build-artifact + - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + with: + name: ${{ env.BUILD_ARTIFACT }} + path: ./${{ env.BUILD_ARTIFACT }} + if-no-files-found: error + - name: Generate hashes + shell: bash + id: hash + env: + FILE: ${{ env.BUILD_ARTIFACT }} + run: | + echo "hashes=$(sha256sum $FILE | base64 -w0)" >> "$GITHUB_OUTPUT" + + attest: + needs: [build] + permissions: + id-token: write # For signing. + contents: write # For asset uploads. + actions: read # For reading workflow info. 
+ uses: ./.github/workflows/generator_generic_slsa3.yml + with: + base64-subjects: ${{ needs.build.outputs.hashes }} + compile-generator: true + provenance-name: build.intoto.jsonl + + verify: + needs: [build, attest] + runs-on: ubuntu-latest + steps: + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: ${{ env.BUILD_ARTIFACT }} + - run: go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@main + - env: + SLSA_VERIFIER_TESTING: "true" + ARTIFACT: ./${{ env.BUILD_ARTIFACT }} + PROVENANCE: ./${{ needs.attest.outputs.provenance-name }} + SOURCE: github.com/${{ env.GITHUB_REPOSITORY }} + REF: ${{ env.GITHUB_REF }} + run: slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \ + --source-uri "$SOURCE" \ + --source-tag "$REF" \ + "$ARTIFACT" From 21afd34eb072dd99bb0c217e666d292a392e3890 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Mon, 18 Nov 2024 11:59:23 -0500 Subject: [PATCH 03/13] schedule Signed-off-by: Ramon Petgrave --- .github/workflows/pre-submit.e2e.generic.main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/pre-submit.e2e.generic.main.yml b/.github/workflows/pre-submit.e2e.generic.main.yml index 5b1f0b0f44..7978259f07 100644 --- a/.github/workflows/pre-submit.e2e.generic.main.yml +++ b/.github/workflows/pre-submit.e2e.generic.main.yml @@ -15,6 +15,9 @@ name: pre-submit e2e generic main on: + # Daily run. + schedule: + - cron: "0 4 * * *" pull_request: branches: [main] merge_group: From 2116d5fa115d88b2b4e91fb63689459b66d41847 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Mon, 18 Nov 2024 12:14:24 -0500 Subject: [PATCH 04/13] setup-go Signed-off-by: Ramon Petgrave --- .github/workflows/pre-submit.e2e.generic.main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pre-submit.e2e.generic.main.yml b/.github/workflows/pre-submit.e2e.generic.main.yml index 7978259f07..b232cfb708 100644 
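Review bot: `SOURCE: github.com/${{ env.GITHUB_REPOSITORY }}` and `REF: ${{ env.GITHUB_REF }}` in the verify job read runner defaults through the `env` expression context, which as far as I know only exposes variables declared with `env:` in the workflow itself, so both expand to empty and slsa-verifier runs with `--source-uri github.com/`. Use the github context instead, `SOURCE: github.com/${{ github.repository }}` (and `REF: ${{ github.ref }}` while that flag is still passed), or drop the mapping and use `$GITHUB_REPOSITORY` directly in the `run:` shell, where the runner does set it. Later commits in this series reorder the arguments but keep the `env.` form, so the point applies to them too.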
--- a/.github/workflows/pre-submit.e2e.generic.main.yml +++ b/.github/workflows/pre-submit.e2e.generic.main.yml @@ -68,6 +68,7 @@ jobs: - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ env.BUILD_ARTIFACT }} + - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 - run: go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@main - env: SLSA_VERIFIER_TESTING: "true" From a1dbc5abea9778e20f89c9cd45b8b68cf802949b Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Mon, 18 Nov 2024 12:21:00 -0500 Subject: [PATCH 05/13] format Signed-off-by: Ramon Petgrave --- .github/workflows/pre-submit.e2e.generic.main.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pre-submit.e2e.generic.main.yml b/.github/workflows/pre-submit.e2e.generic.main.yml index b232cfb708..b533e350f3 100644 --- a/.github/workflows/pre-submit.e2e.generic.main.yml +++ b/.github/workflows/pre-submit.e2e.generic.main.yml @@ -75,8 +75,7 @@ jobs: ARTIFACT: ./${{ env.BUILD_ARTIFACT }} PROVENANCE: ./${{ needs.attest.outputs.provenance-name }} SOURCE: github.com/${{ env.GITHUB_REPOSITORY }} - REF: ${{ env.GITHUB_REF }} - run: slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \ + run: slsa-verifier verify-artifact \ + --provenance-path "$PROVENANCE" \ --source-uri "$SOURCE" \ - --source-tag "$REF" \ "$ARTIFACT" From 975b2d776deba5383215252c0a1ae073289e9a1a Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Mon, 18 Nov 2024 12:30:22 -0500 Subject: [PATCH 06/13] test: default client provider Signed-off-by: Ramon Petgrave --- internal/builders/generic/attest.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/builders/generic/attest.go b/internal/builders/generic/attest.go index 4bb9bba1f4..814379851d 100644 --- a/internal/builders/generic/attest.go +++ b/internal/builders/generic/attest.go 
@@ -88,7 +88,7 @@ run in the context of a Github Actions workflow.`, b.WithClients(provider) } else if utils.IsPresubmitTests() { // TODO(github.com/slsa-framework/slsa-github-generator/issues/124): Remove - b.WithClients(&slsa.NilClientProvider{}) + b.WithClients(&slsa.DefaultClientProvider{}) } g := slsa.NewHostedActionsGenerator(&b) @@ -96,7 +96,7 @@ run in the context of a Github Actions workflow.`, g.WithClients(provider) } else if utils.IsPresubmitTests() { // TODO(github.com/slsa-framework/slsa-github-generator/issues/124): Remove - g.WithClients(&slsa.NilClientProvider{}) + g.WithClients(&slsa.DefaultClientProvider{}) } p, err := g.Generate(ctx) From ec5aa6e68e05035f5cd07f6ba6a89d8d2ebeb350 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Mon, 18 Nov 2024 12:39:45 -0500 Subject: [PATCH 07/13] reorder verify args Signed-off-by: Ramon Petgrave --- .github/workflows/pre-submit.e2e.generic.main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pre-submit.e2e.generic.main.yml b/.github/workflows/pre-submit.e2e.generic.main.yml index b533e350f3..0be4112983 100644 --- a/.github/workflows/pre-submit.e2e.generic.main.yml +++ b/.github/workflows/pre-submit.e2e.generic.main.yml @@ -76,6 +76,6 @@ jobs: PROVENANCE: ./${{ needs.attest.outputs.provenance-name }} SOURCE: github.com/${{ env.GITHUB_REPOSITORY }} run: slsa-verifier verify-artifact \ + "$ARTIFACT" \ --provenance-path "$PROVENANCE" \ - --source-uri "$SOURCE" \ - "$ARTIFACT" + --source-uri "$SOURCE" From 59ee237c0679863ab452555b2af8d884916fa0cb Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Mon, 18 Nov 2024 12:46:15 -0500 Subject: [PATCH 08/13] awlays sign Signed-off-by: Ramon Petgrave --- internal/builders/generic/attest.go | 32 +++++++++++++++++------------ 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/internal/builders/generic/attest.go b/internal/builders/generic/attest.go index 814379851d..054873817e 100644 
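Review bot: Both hunks keep the `// TODO(...issues/124): Remove` comment while swapping `NilClientProvider` for `DefaultClientProvider` in the presubmit branch; if `DefaultClientProvider` is what the builder and `NewHostedActionsGenerator` use when `WithClients` is never called (not visible here), the two `else if utils.IsPresubmitTests()` branches are now no-ops and can simply be deleted, closing out the TODO. If the default differs, a one-line comment stating why presubmit tests now need real clients would keep the next reader from reverting it, e.g. `// Presubmit tests use real clients so the e2e workflow can verify a signed bundle.`, which I infer from patch 08 making signing unconditional. The enclosing function starts outside the hunk.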
--- a/internal/builders/generic/attest.go +++ b/internal/builders/generic/attest.go @@ -17,7 +17,6 @@ package main import ( "context" "crypto/sha256" - "encoding/json" "errors" "fmt" "os" @@ -104,18 +103,25 @@ run in the context of a Github Actions workflow.`, // Note: the path is validated within CreateNewFileUnderCurrentDirectory(). var attBytes []byte - if utils.IsPresubmitTests() { - attBytes, err = json.Marshal(p) - check(err) - } else { - att, err := signer.Sign(ctx, &intoto.Statement{ - StatementHeader: p.StatementHeader, - Predicate: p.Predicate, - }) - check(err) - - attBytes = att.Bytes() - } + // if utils.IsPresubmitTests() { + // attBytes, err = json.Marshal(p) + // check(err) + // } else { + // att, err := signer.Sign(ctx, &intoto.Statement{ + // StatementHeader: p.StatementHeader, + // Predicate: p.Predicate, + // }) + // check(err) + + // attBytes = att.Bytes() + // } + att, err := signer.Sign(ctx, &intoto.Statement{ + StatementHeader: p.StatementHeader, + Predicate: p.Predicate, + }) + check(err) + + attBytes = att.Bytes() f, err := utils.CreateNewFileUnderCurrentDirectory(attPath, os.O_WRONLY) check(err) From 0fc212666ec9d67b787bddc264a9558a9055174f Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Mon, 18 Nov 2024 12:54:00 -0500 Subject: [PATCH 09/13] reformat Signed-off-by: Ramon Petgrave --- .github/workflows/pre-submit.e2e.generic.main.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pre-submit.e2e.generic.main.yml b/.github/workflows/pre-submit.e2e.generic.main.yml index 0be4112983..d137f9f322 100644 --- a/.github/workflows/pre-submit.e2e.generic.main.yml +++ b/.github/workflows/pre-submit.e2e.generic.main.yml 
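Review bot: The replacement leaves the old `if utils.IsPresubmitTests() { ... }` block in place as commented-out lines; delete them instead, since git history preserves the previous behavior and dead code in the signing path invites drift. With the branch gone, `var attBytes []byte` followed later by `attBytes = att.Bytes()` can become `attBytes := att.Bytes()` directly after `check(err)`. Signing is now unconditional, so presubmit runs require an OIDC identity; on `pull_request` events from forks `id-token: write` is not granted, so those runs will presumably fail at `signer.Sign` rather than fall back to an unsigned statement, which is worth confirming is intended. The enclosing function begins outside the hunk.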
@@ -74,8 +74,7 @@ jobs: SLSA_VERIFIER_TESTING: "true" ARTIFACT: ./${{ env.BUILD_ARTIFACT }} PROVENANCE: ./${{ needs.attest.outputs.provenance-name }} - SOURCE: github.com/${{ env.GITHUB_REPOSITORY }} - run: slsa-verifier verify-artifact \ - "$ARTIFACT" \ + SOURCE: github.com/${{ github.repository }} + run: slsa-verifier verify-artifact "$ARTIFACT" \ --provenance-path "$PROVENANCE" \ --source-uri "$SOURCE" From 451eff8474855e2b96015d8f6a2dd9691b445d2f Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Mon, 18 Nov 2024 13:00:01 -0500 Subject: [PATCH 10/13] multiline invocation Signed-off-by: Ramon Petgrave --- .github/workflows/pre-submit.e2e.generic.main.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pre-submit.e2e.generic.main.yml b/.github/workflows/pre-submit.e2e.generic.main.yml index d137f9f322..18c969918a 100644 --- a/.github/workflows/pre-submit.e2e.generic.main.yml +++ b/.github/workflows/pre-submit.e2e.generic.main.yml @@ -75,6 +75,7 @@ jobs: ARTIFACT: ./${{ env.BUILD_ARTIFACT }} PROVENANCE: ./${{ needs.attest.outputs.provenance-name }} SOURCE: github.com/${{ github.repository }} - run: slsa-verifier verify-artifact "$ARTIFACT" \ - --provenance-path "$PROVENANCE" \ - --source-uri "$SOURCE" + run: | + slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \ + --source-uri "$SOURCE" \ + "$ARTIFACT" \ No newline at end of file From 2a228d580a57608e82f264eb667f8995ab1b0ff3 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Mon, 18 Nov 2024 13:10:51 -0500 Subject: [PATCH 11/13] lint Signed-off-by: Ramon Petgrave --- .github/workflows/pre-submit.e2e.generic.main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pre-submit.e2e.generic.main.yml b/.github/workflows/pre-submit.e2e.generic.main.yml index 18c969918a..25dbb2d7a2 100644 --- a/.github/workflows/pre-submit.e2e.generic.main.yml +++ b/.github/workflows/pre-submit.e2e.generic.main.yml 
@@ -76,6 +76,6 @@ jobs: PROVENANCE: ./${{ needs.attest.outputs.provenance-name }} SOURCE: github.com/${{ github.repository }} run: | - slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \ - --source-uri "$SOURCE" \ - "$ARTIFACT" \ No newline at end of file + slsa-verifier verify-artifact "$ARTIFACT" \ + --provenance-path "$PROVENANCE" \ + --source-uri "$SOURCE" From bf11fd5de81f786b9049b2e80031fc64a91a5022 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Mon, 18 Nov 2024 18:52:26 +0000 Subject: [PATCH 12/13] lint Signed-off-by: Ramon Petgrave --- .github/workflows/pre-submit.e2e.generic.main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pre-submit.e2e.generic.main.yml b/.github/workflows/pre-submit.e2e.generic.main.yml index 25dbb2d7a2..abcb8677bf 100644 --- a/.github/workflows/pre-submit.e2e.generic.main.yml +++ b/.github/workflows/pre-submit.e2e.generic.main.yml @@ -47,7 +47,7 @@ jobs: env: FILE: ${{ env.BUILD_ARTIFACT }} run: | - echo "hashes=$(sha256sum $FILE | base64 -w0)" >> "$GITHUB_OUTPUT" + echo "hashes=$(sha256sum "${FILE}" | base64 -w0)" >> "${GITHUB_OUTPUT}" attest: needs: [build] From 9ea12ef9531a8f55cf4612abf7ee4733ab683194 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Wed, 20 Nov 2024 02:50:37 -0500 Subject: [PATCH 13/13] extract provenance Signed-off-by: Ramon Petgrave --- .github/workflows/scripts/pre-submit.e2e.generic.default.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/scripts/pre-submit.e2e.generic.default.sh b/.github/workflows/scripts/pre-submit.e2e.generic.default.sh index 377753e818..d7acc62565 100755 --- a/.github/workflows/scripts/pre-submit.e2e.generic.default.sh +++ b/.github/workflows/scripts/pre-submit.e2e.generic.default.sh 
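Review bot: Quoting `"${FILE}"` and `"${GITHUB_OUTPUT}"` is right, but the pipeline `sha256sum "${FILE}" | base64 -w0` still masks a failing `sha256sum`: unless the step or job sets `shell: bash` (not visible in this hunk; the default `run` shell is `bash -e` without `pipefail`), a missing or unreadable artifact yields an empty hash list that `base64` encodes without complaint, and the step succeeds with an empty `hashes` output that is then handed to the generator. Suggest adding `shell: bash` to the step, which makes GitHub run it with `-eo pipefail`, or beginning the script with `set -o pipefail`. A check that `hashes` is non-empty before the `attest` job would catch the same failure early.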
@@ -19,7 +19,8 @@ set -euo pipefail source "./.github/workflows/scripts/e2e-verify.common.sh" # TODO(github.com/slsa-framework/slsa-github-generator/issues/129): Address base64 output format. -ATTESTATION=$(cat "$PROVENANCE") +# ATTESTATION=$(cat "$PROVENANCE") +ATTESTATION=$(cat "$PROVENANCE" | jq -r '.dsseEnvelope.payload' | base64 -d | jq) # Verify common provenance fields. e2e_verify_common_all "$ATTESTATION"
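Review bot: The new extraction decodes `.dsseEnvelope.payload` without any signature check and nothing on the line says so; since `e2e_verify_common_all` then asserts on fields of that unverified statement, make the trust boundary explicit with a comment such as `# Payload is extracted unverified; bundle/signature verification is done by the separate slsa-verifier step.` (that step is not visible here, so confirm it runs on the same bundle). The commented-out `# ATTESTATION=$(cat "$PROVENANCE")` should be deleted rather than kept, and the `cat` is unnecessary: `ATTESTATION=$(jq -r '.dsseEnvelope.payload' "$PROVENANCE" | base64 -d | jq .)`, which `set -euo pipefail` above will still fail on if any stage errors. The `TODO(...issues/129)` comment about base64 output format now sits above a line that does decode base64; check whether it is stale.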