veraison · Sukuna0007Abhi · Sep 23, 2025 · Oct 2, 2025 · Oct 2, 2025 · Oct 2, 2025
diff --git a/.github/workflows/generate-attestations.yml b/.github/workflows/generate-attestations.yml
@@ -0,0 +1,44 @@
+name: Generate Artifact Attestations
+
+on:
+  workflow_dispatch:  # Allow manual trigger
+  push:
+    tags:
+      - 'v*'  # Run on version tags
+      - 'demo-*'  # Run on demo releases
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write  # Needed for GitHub OIDC token
+
+jobs:
+  generate-attestation:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Generate .deb package
+        run: make deb-package
+
+      - name: Sign and generate attestation
+        uses: slsa-framework/slsa-github-generator@v1
+        with:
+          base64-subjects: ${{ steps.hash.outputs.hashes }}
+          provenance-trigger: 'tag'
+
+      - name: Upload attestation
+        uses: actions/upload-artifact@v3
+        with:
+          name: attestations
+          path: |
+            *.intoto.jsonl
+            *.sig
+
+      - name: Attach to release
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: softprops/action-gh-release@v1
+        with:
+          files: |
+            *.intoto.jsonl
+            *.sig
diff --git a/deployments/debian/debian/postinst b/deployments/debian/debian/postinst
@@ -24,5 +24,28 @@ if [ "$1" = "configure" ]; then
 
 	chmod 0500 /opt/veraison/certs/*.key
 
+	# Generate installation metadata
+	METADATA_FILE="/usr/share/veraison/installation.json"
+	METADATA_DIR="$(dirname "$METADATA_FILE")"
+	VERSION="$(dpkg-query -W -f='${Version}' veraison 2>/dev/null || echo 'unknown')"
+	INSTALL_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+	ARCH="$(dpkg --print-architecture)"
+
+	mkdir -p "$METADATA_DIR"
+
+	cat > "$METADATA_FILE" <<EOF
+{
+  "version": "${VERSION}",
+  "deployment_method": "deb",
+  "install_time": "${INSTALL_TIME}",
+  "metadata": {
+    "package": "veraison",
+    "architecture": "${ARCH}"
+  }
+}
+EOF
+
+	chmod 644 "$METADATA_FILE"
+
 	/opt/veraison/bin/veraison -s start-services
 fi
diff --git a/deployments/docker/src/verification.docker b/deployments/docker/src/verification.docker
@@ -3,6 +3,9 @@
 # directory (/tmp/veraison is the default for make build).
 FROM debian AS veraison-verification
 
+ARG VERSION=unknown
+ARG BUILD_TIME
+
 RUN apt-get update \
     && DEBIAN_FRONTEND=noninteractive apt-get install \
         --assume-yes \
@@ -27,6 +30,17 @@ WORKDIR /opt/veraison
 
 RUN mkdir logs
 
+# Generate installation metadata
+RUN echo "{\n\
+  \"version\": \"${VERSION}\",\n\
+  \"deployment_method\": \"docker\",\n\
+  \"install_time\": \"${BUILD_TIME}\",\n\
+  \"metadata\": {\n\
+    \"service\": \"verification\",\n\
+    \"image\": \"veraison/verification:${VERSION}\"\n\
+  }\n\
+}" > /opt/veraison/installation.json
+
 ADD --chown=veraison:nogroup config.yaml verification-service service-entrypoint \
     certs/verification.crt certs/verification.key ./
 

diff --git a/deployments/native/deployment.sh b/deployments/native/deployment.sh
@@ -171,6 +171,9 @@ function create_deployment() {
 
 	_deploy_env
 
+	# Generate installation metadata
+	_generate_installation_metadata
+
 	if [[ $_force_systemd == true ]]; then
 		_deploy_systemd_units
 	elif [[ $_force_launchd == true ]]; then
@@ -465,6 +468,27 @@ function _deploy_launchd_units() {
 	done
 }
 
+function _generate_installation_metadata() {
+	local metadata_file="${DEPLOYMENT_DEST}/installation.json"
+	local version=$(cd ${ROOT_DIR} && git describe --tags --always 2>/dev/null || echo "unknown")
+	local install_time=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+
+	cat > "${metadata_file}" <<EOF
+{
+  "version": "${version}",
+  "deployment_method": "native",
+  "install_time": "${install_time}",
+  "metadata": {
+    "deployment_dest": "${DEPLOYMENT_DEST}",
+    "platform": "$(uname -s)"
+  }
+}
+EOF
+
+	chmod 644 "${metadata_file}"
+	echo "Installation metadata written to ${metadata_file}"
+}
+
 
 function _deploy_certs() {
 	for service in "${_SERVICES[@]}"; do

diff --git a/deployments/rpm/veraison-services.spec.template b/deployments/rpm/veraison-services.spec.template
@@ -137,6 +137,29 @@ if [ ! -f %{_sysconfdir}/%{name}/signing/skey.jwk ]; then
 fi
 %{_bindir}/veraison -s start-services
 
+# Generate installation metadata
+METADATA_FILE="/%{_prefix}/share/veraison/installation.json"
+METADATA_DIR="$(dirname "$METADATA_FILE")"
+VERSION="%{version}"
+INSTALL_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+ARCH="%{_arch}"
+
+mkdir -p "$METADATA_DIR"
+
+cat > "$METADATA_FILE" <<EOF
+{
+  "version": "${VERSION}",
+  "deployment_method": "rpm",
+  "install_time": "${INSTALL_TIME}",
+  "metadata": {
+    "package": "veraison-services",
+    "architecture": "${ARCH}"
+  }
+}
+EOF
+
+chmod 644 "$METADATA_FILE"
+
 %preun
 %{_bindir}/veraison -s stop-services
 %{_bindir}/veraison -s disable-services