chore: adr for build attestations (#76)
## Description

Adds an ADR to describe the solution for storing in-toto attestations.

## Related Issue

Fixes #56 

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-software-factory/blob/main/CONTRIBUTING.md#developer-workflow) followed

---------

Co-authored-by: Wayne Starr <Racer159@users.noreply.github.com>
ericwyles and Racer159 committed Jul 9, 2024
1 parent 38ef2a7 commit 8891e9f
Showing 1 changed file with 29 additions and 0 deletions.
29 changes: 29 additions & 0 deletions adr/0002-store-attestations-in-archivista.md
@@ -0,0 +1,29 @@
# 1. Store In-Toto Attestations in Archivista

Date: 2024-07-09

## Status

Accepted

## Context

During execution of Software Factory pipelines, we will be generating [in-toto attestations](https://github.com/in-toto/attestation) using [Witness](https://github.com/in-toto/witness) for the artifacts that are produced. We need a location to store these attestations so that they can later be retrieved and used to verify an artifact against policies.

## Decision

We will use [Archivista](https://github.com/in-toto/archivista) to store the attestations. Archivista is also an in-toto project and integrates easily with Witness to store, retrieve, and verify attestations.

In addition, Archivista maintains a graph of metadata for the attestations, allowing attestations to be associated to all build artifacts. All that is needed to run a verification is an artifact and the Witness CLI, and the other data will be automatically retrieved from Archivista.

Policies can also be stored in Archivista, though this feature set isn't as mature yet.

## Alternatives considered

We could configure Witness to produce json files to the filesystem and store the files in a file storage solution ourselves. However, we would have to maintain an association between all the build artifacts and the correct files, and be able to retrieve the correct attestation file for the correct artifact at verification time. Archivista handles this for us and is lightweight and already in the in-toto family of tools.

## Consequences

We will need to create and maintain a new UDS package for Archivista: [uds-package-archivista](https://github.com/defenseunicorns/uds-package-archivista).

Archivista stores the attestations in an S3 compatible blob storage and the metadata in an RDBMS (MySQL or Postgres). We will need to test backup and restore mechanisms for both of these.
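Review bot: the Decision section overstates what verification needs. "All that is needed to run a verification is an artifact and the Witness CLI" is incomplete, because the Context section itself says attestations are retrieved "to verify an artifact against policies": a verification also needs the policy and the key material trusted to have signed it and the attestations. Since the ADR says policy storage in Archivista "isn't as mature yet", the Consequences section should state where policies and trusted keys will live until then, otherwise the store of record for attestations is settled while the inputs that actually decide a verification are not. In Consequences, the backup and restore item should also note that the S3 blobs and the RDBMS metadata graph must be restored to a consistent point, since a metadata graph restored from a different time than the blob store will reference attestations that are missing (or orphan ones that are present), and that is exactly the association the Alternatives section says Archivista is chosen to maintain. Style: the title reads "# 1. Store In-Toto Attestations in Archivista" while the file is adr/0002-store-attestations-in-archivista.md; the number in the heading should match the file sequence.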
