feat: publish Docker referrers and Cosign attestations for SBOM and provenance

Author: fontebasso

.github/workflows/release.yml

@@ -125,3 +125,106 @@ jobs:
           COSIGN_EXPERIMENTAL: "1"
         run: |
           cosign sign --yes docker.io/fontebasso/php-nginx@${{ steps.push.outputs.digest }}
+
+  generate-sbom:
+    name: Generate SBOM
+    needs: merge-multiarch
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Syft
+        uses: anchore/sbom-action@v0
+        with:
+          image: fontebasso/php-nginx@${{ needs.merge-multiarch.outputs.digest }}
+          format: spdx-json
+          output-file: sbom.spdx.json
+          registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
+          registry-password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Upload SBOM
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom.spdx.json
+          path: sbom.spdx.json
+
+  attest-sbom:
+    name: Attest SBOM
+    needs: [merge-multiarch, generate-sbom]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Download SBOM artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: sbom.spdx.json
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
+      - name: Attest SBOM with Cosign (OIDC keyless)
+        env:
+          COSIGN_EXPERIMENTAL: "1"
+        run: |
+          cosign attest --yes \
+            --predicate sbom.spdx.json \
+            --type https://spdx.dev/Document \
+            docker.io/fontebasso/php-nginx:${{ needs.merge-multiarch.outputs.digest }}
+
+  generate-provenance:
+    name: Generate SLSA Provenance
+    needs: merge-multiarch
+    if: startsWith(github.ref, 'refs/tags/')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: docker.io/fontebasso/php-nginx
+      digest: ${{ needs.merge-multiarch.outputs.digest }}
+    secrets:
+      registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
+      registry-password: ${{ secrets.DOCKERHUB_TOKEN }}
+    permissions:
+      id-token: write
+      contents: read
+      packages: write
+      actions: read
+
+  release:
+    needs: [attest-sbom, generate-provenance]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download SBOM artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: sbom.spdx.json
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
+      - name: Download Provenance attestation
+        run: |
+          cosign download attestation \
+            docker.io/fontebasso/php-nginx@${{ needs.merge-multiarch.outputs.digest }} \
+            --output-file provenance.intoto.jsonl
+
+      - name: Generate checksum.txt
+        run: |
+          sha256sum sbom.spdx.json provenance.intoto.jsonl > checksum.txt
+
+      - name: Sign checksum.txt with Cosign (OIDC keyless)
+        env:
+          COSIGN_EXPERIMENTAL: "1"
+        run: |
+          cosign sign-blob --yes --output-signature checksum.txt.sig checksum.txt
+
+      - name: Upload Provenance, SBOM, and Checksum (signed) to Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            sbom.spdx.json
+            provenance.intoto.jsonl
+            checksum.txt
+            checksum.txt.sig
+        continue-on-error: false

Dockerfile

@@ -142,12 +142,12 @@ RUN set -eux; \
   ln -s /opt/php/bin/phpize /usr/bin/phpize; \
   ln -s /opt/php/bin/php-config /usr/bin/php-config; \
   mkdir -p /opt/php/etc/php/conf.d; \
-  printf "\n" | /opt/php/bin/pecl install grpc; \
-  echo "extension=grpc.so" > /opt/php/etc/php/conf.d/php-02-grpc.ini; \
-  rm -rf /opt/php/bin/pecl /opt/php/bin/pear /opt/php/bin/peardev /opt/php/bin/peclcmd.php /opt/php/bin/pearcmd.php /opt/php/bin/phar /opt/php/bin/phar.phar; \
-  find /opt/php -type f -name "peclcmd.php" -delete; \
-  find /opt/php -type f -name "pearcmd.php" -delete; \
-  find /opt/php -type d -name "pear" -exec rm -rf {} +; \
+  #printf "\n" | /opt/php/bin/pecl install grpc; \
+  #echo "extension=grpc.so" > /opt/php/etc/php/conf.d/php-02-grpc.ini; \
+  #rm -rf /opt/php/bin/pecl /opt/php/bin/pear /opt/php/bin/peardev /opt/php/bin/peclcmd.php /opt/php/bin/pearcmd.php /opt/php/bin/phar /opt/php/bin/phar.phar; \
+  #find /opt/php -type f -name "peclcmd.php" -delete; \
+  #find /opt/php -type f -name "pearcmd.php" -delete; \
+  #find /opt/php -type d -name "pear" -exec rm -rf {} +; \
   apk del .build-php-deps; \
   rm -rf /tmp/php*
 

provenance.intoto.jsonl

@@ -0,0 +1 @@
+{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJpbmRleC5kb2NrZXIuaW8vZm9udGViYXNzby9waHAtbmdpbngiLCJkaWdlc3QiOnsic2hhMjU2IjoiMTcyYjQwOTllZmU1MTMzYWE0NWNlODc1ODcxMzY2MTAwNmM0MTkyYzkwMzRhMzQzMjY3ZWU0ZWQ2NTIxYWM3OSJ9fV0sInByZWRpY2F0ZSI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9naXRodWIuY29tL3Nsc2EtZnJhbWV3b3JrL3Nsc2EtZ2l0aHViLWdlbmVyYXRvci8uZ2l0aHViL3dvcmtmbG93cy9nZW5lcmF0b3JfY29udGFpbmVyX3Nsc2EzLnltbEByZWZzL3RhZ3MvdjIuMS4wIn0sImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1ld29yay9zbHNhLWdpdGh1Yi1nZW5lcmF0b3IvY29udGFpbmVyQHYxIiwiaW52b2NhdGlvbiI6eyJjb25maWdTb3VyY2UiOnsidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9mb250ZWJhc3NvL2RvY2tlci1waHAtbmdpbnhAcmVmcy90YWdzLzcuMC4wIiwiZGlnZXN0Ijp7InNoYTEiOiJhMzkxM2UzYmZmOWUxOWZkMjc0ZGQ3NWRiNGQ0YjY2NjJmNmE5MzYzIn0sImVudHJ5UG9pbnQiOiIuZ2l0aHViL3dvcmtmbG93cy9kb2NrZXItaW1hZ2UtcmVsZWFzZS55bWwifSwiZW52aXJvbm1lbnQiOnsiZ2l0aHViX2FjdG9yIjoiZm9udGViYXNzbyIsImdpdGh1Yl9hY3Rvcl9pZCI6IjM2NDMwOTYiLCJnaXRodWJfYmFzZV9yZWYiOiIiLCJnaXRodWJfZXZlbnRfbmFtZSI6InJlbGVhc2UiLCJnaXRodWJfZXZlbnRfcGF5bG9hZCI6eyJhY3Rpb24iOiJwdWJsaXNoZWQiLCJyZWxlYXNlIjp7ImFzc2V0cyI6W10sImFzc2V0c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueC9yZWxlYXNlcy8yMTQwODcyMjYvYXNzZXRzIiwiYXV0aG9yIjp7ImF2YXRhcl91cmwiOiJodHRwczovL2F2YXRhcnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3UvMzY0MzA5Nj92PTQiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9mb250ZWJhc3NvL2V2ZW50c3svcHJpdmFjeX0iLCJmb2xsb3dlcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9mb250ZWJhc3NvL2ZvbGxvd2VycyIsImZvbGxvd2luZ191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2ZvbnRlYmFzc28vZm9sbG93aW5ney9vdGhlcl91c2VyfSIsImdpc3RzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZm9udGViYXNzby9naXN0c3svZ2lzdF9pZH0iLCJncmF2YXRhcl9pZCI6IiIsImh0bWxfdXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL2ZvbnRlYmFzc28iLCJpZCI6MzY0MzA5NiwibG9naW4iOiJmb250ZWJhc3NvIiwibm9kZV9pZCI6Ik1EUTZWWE5sY2pNMk5ETXdPVFk9Iiwib3JnYW5pemF0aW9uc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2ZvbnRlYmFzc28vb3JncyIsInJlY2VpdmVkX2V2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2ZvbnRlYmFzc28vcmVjZWl2ZWRfZXZlbnRzIiwicmVwb3NfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9mb250ZWJhc3NvL3JlcG9zIiwic2l0ZV9hZG1pbiI6ZmFsc2UsInN0YXJyZWRfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9mb250ZWJhc3NvL3N0YXJyZWR7L293bmVyfXsvcmVwb30iLCJzdWJzY3JpcHRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZm9udGViYXNzby9zdWJzY3JpcHRpb25zIiwidHlwZSI6IlVzZXIiLCJ1cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2ZvbnRlYmFzc28iLCJ1c2VyX3ZpZXdfdHlwZSI6InB1YmxpYyJ9LCJib2R5IjoiIyMg4p2MIEJyZWFraW5nIENoYW5nZXNcclxuXHJcbi0gKipOZ2lueCBhY2Nlc3MgbG9ncyBhcmUgbm8gbG9uZ2VyIHNlbnQgdG8gc3Rkb3V0KiosIGltcHJvdmluZyBjb250YWluZXIgY2xlYW5saW5lc3MuIElmIHlvdSByZWxpZWQgb24gYWNjZXNzIGxvZ3MgaW4geW91ciBvcmNoZXN0cmF0b3IsIHBsZWFzZSBhZGFwdCBhY2NvcmRpbmdseS5cclxuLSAqKlRoZSBtdWx0aS1hcmNoIGJ1aWxkIHByb2Nlc3Mgbm93IHVzZXMgR2l0SHViIEFjdGlvbnMgbWF0cml4IHN0cmF0ZWd5KiosIHByb2R1Y2luZyBzZXBhcmF0ZSBhcmNoaXRlY3R1cmUgaW1hZ2VzIGluIHBhcmFsbGVsIGFuZCBtZXJnaW5nIHRoZW0gdmlhIGBidWlsZHggaW1hZ2V0b29sc2AuXHJcbi0gKipUaGUgZmluYWwgaW1hZ2UgaXMgY3J5cHRvZ3JhcGhpY2FsbHkgc2lnbmVkKiogdXNpbmcgW1NpZ3N0b3JlXShodHRwczovL3d3dy5zaWdzdG9yZS5kZXYpIHZpYSBHaXRIdWIgT0lEQyDigJQgbm8ga2V5cyBvciBzZWNyZXRzIHJlcXVpcmVkLlxyXG5cclxuIyMg4pyFIEhpZ2hsaWdodHNcclxuXHJcbi0gKipQYXJhbGxlbCBtdWx0aS1hcmNoIGJ1aWxkcyoqIHdpdGggbmF0aXZlIGB1YnVudHUtMjQuMDRgIGFuZCBgdWJ1bnR1LTI0LjA0LWFybWAgcnVubmVyc1xyXG4tICoqQ29zaWduIHNpZ25pbmcgKyBwcm92ZW5hbmNlIGF0dGVzdGF0aW9uKiogKFNMU0EgZm9ybWF0KVxyXG4tICoqUHVibGljIHZlcmlmaWFiaWxpdHkqKiB2aWEgW1Jla29yIFRyYW5zcGFyZW5jeSBMb2ddKGh0dHBzOi8vcmVrb3Iuc2lnc3RvcmUuZGV2KVxyXG4tICoqVXBkYXRlZCBkb2N1bWVudGF0aW9uKiogaW5jbHVkaW5nIFJFQURNRSwgYmFkZ2VzLCBhbmQgdmVyaWZpY2F0aW9uIGluc3RydWN0aW9ucyIsImNyZWF0ZWRfYXQiOiIyMDI1LTA0LTIzVDAyOjE2OjM4WiIsImRyYWZ0IjpmYWxzZSwiaHRtbF91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZm9udGViYXNzby9kb2NrZXItcGhwLW5naW54L3JlbGVhc2VzL3RhZy83LjAuMCIsImlkIjoyMTQwODcyMjYsIm5hbWUiOiI3LjAuMCIsIm5vZGVfaWQiOiJSRV9rd0RPRnhGTGw4NE13clk2IiwicHJlcmVsZWFzZSI6ZmFsc2UsInB1Ymxpc2hlZF9hdCI6IjIwMjUtMDQtMjNUMDI6MTg6MjRaIiwidGFnX25hbWUiOiI3LjAuMCIsInRhcmJhbGxfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9mb250ZWJhc3NvL2RvY2tlci1waHAtbmdpbngvdGFyYmFsbC83LjAuMCIsInRhcmdldF9jb21taXRpc2giOiJtYWluIiwidXBsb2FkX3VybCI6Imh0dHBzOi8vdXBsb2Fkcy5naXRodWIuY29tL3JlcG9zL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueC9yZWxlYXNlcy8yMTQwODcyMjYvYXNzZXRzez9uYW1lLGxhYmVsfSIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZm9udGViYXNzby9kb2NrZXItcGhwLW5naW54L3JlbGVhc2VzLzIxNDA4NzIyNiIsInppcGJhbGxfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9mb250ZWJhc3NvL2RvY2tlci1waHAtbmdpbngvemlwYmFsbC83LjAuMCJ9LCJyZXBvc2l0b3J5Ijp7ImFsbG93X2ZvcmtpbmciOnRydWUsImFyY2hpdmVfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9mb250ZWJhc3NvL2RvY2tlci1waHAtbmdpbngve2FyY2hpdmVfZm9ybWF0fXsvcmVmfSIsImFyY2hpdmVkIjpmYWxzZSwiYXNzaWduZWVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZm9udGViYXNzby9kb2NrZXItcGhwLW5naW54L2Fzc2lnbmVlc3svdXNlcn0iLCJibG9ic191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueC9naXQvYmxvYnN7L3NoYX0iLCJicmFuY2hlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueC9icmFuY2hlc3svYnJhbmNofSIsImNsb25lX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9mb250ZWJhc3NvL2RvY2tlci1waHAtbmdpbnguZ2l0IiwiY29sbGFib3JhdG9yc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueC9jb2xsYWJvcmF0b3Jzey9jb2xsYWJvcmF0b3J9IiwiY29tbWVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9mb250ZWJhc3NvL2RvY2tlci1waHAtbmdpbngvY29tbWVudHN7L251bWJlcn0iLCJjb21taXRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZm9udGViYXNzby9kb2NrZXItcGhwLW5naW54L2NvbW1pdHN7L3NoYX0iLCJjb21wYXJlX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZm9udGViYXNzby9kb2NrZXItcGhwLW5naW54L2NvbXBhcmUve2Jhc2V9Li4ue2hlYWR9IiwiY29udGVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9mb250ZWJhc3NvL2RvY2tlci1waHAtbmdpbngvY29udGVudHMveytwYXRofSIsImNvbnRyaWJ1dG9yc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueC9jb250cmlidXRvcnMiLCJjcmVhdGVkX2F0IjoiMjAyMS0wNy0xN1QxODoxMzoxNloiLCJkZWZhdWx0X2JyYW5jaCI6Im1haW4iLCJkZXBsb3ltZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueC9kZXBsb3ltZW50cyIsImRlc2NyaXB0aW9uIjoiUm9idXN0IERvY2tlciBpbWFnZSBvZiBQSFAgd2l0aCBOZ2lueCwgYmFzZWQgb24gb2ZmaWNpYWwgc29mdHdhcmUgYW5kIHN1cHBvcnRpbmcgYW1kNjQgYW5kIGFybTY0LiIsImRpc2FibGVkIjpmYWxzZSwiZG93bmxvYWRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZm9udGViYXNzby9kb2NrZXItcGhwLW5naW54L2Rvd25sb2FkcyIsImV2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueC9ldmVudHMiLCJmb3JrIjpmYWxzZSwiZm9ya3MiOjQsImZvcmtzX2NvdW50Ijo0LCJmb3Jrc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueC9mb3JrcyIsImZ1bGxfbmFtZSI6ImZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueCIsImdpdF9jb21taXRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZm9udGViYXNzby9kb2NrZXItcGhwLW5naW54L2dpdC9jb21taXRzey9zaGF9IiwiZ2l0X3JlZnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9mb250ZWJhc3NvL2RvY2tlci1waHAtbmdpbngvZ2l0L3JlZnN7L3NoYX0iLCJnaXRfdGFnc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueC9naXQvdGFnc3svc2hhfSIsImdpdF91cmwiOiJnaXQ6Ly9naXRodWIuY29tL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueC5naXQiLCJoYXNfZGlzY3Vzc2lvbnMiOnRydWUsImhhc19kb3dubG9hZHMiOnRydWUsImhhc19pc3N1ZXMiOnRydWUsImhhc19wYWdlcyI6ZmFsc2UsImhhc19wcm9qZWN0cyI6ZmFsc2UsImhhc193aWtpIjpmYWxzZSwiaG9tZXBhZ2UiOiJodHRwczovL2h1Yi5kb2NrZXIuY29tL3IvZm9udGViYXNzby9waHAtbmdpbngiLCJob29rc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueC9ob29rcyIsImh0bWxfdXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueCIsImlkIjozODcwMDk0MzEsImlzX3RlbXBsYXRlIjpmYWxzZSwiaXNzdWVfY29tbWVudF91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueC9pc3N1ZXMvY29tbWVudHN7L251bWJlcn0iLCJpc3N1ZV9ldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9mb250ZWJhc3NvL2RvY2tlci1waHAtbmdpbngvaXNzdWVzL2V2ZW50c3svbnVtYmVyfSIsImlzc3Vlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueC9pc3N1ZXN7L251bWJlcn0iLCJrZXlzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZm9udGViYXNzby9kb2NrZXItcGhwLW5naW54L2tleXN7L2tleV9pZH0iLCJsYWJlbHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9mb250ZWJhc3NvL2RvY2tlci1waHAtbmdpbngvbGFiZWxzey9uYW1lfSIsImxhbmd1YWdlIjoiRG9ja2VyZmlsZSIsImxhbmd1YWdlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueC9sYW5ndWFnZXMiLCJsaWNlbnNlIjp7ImtleSI6Im1pdCIsIm5hbWUiOiJNSVQgTGljZW5zZSIsIm5vZGVfaWQiOiJNRGM2VEdsalpXNXpaVEV6Iiwic3BkeF9pZCI6Ik1JVCIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vbGljZW5zZXMvbWl0In0sIm1lcmdlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueC9tZXJnZXMiLCJtaWxlc3RvbmVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZm9udGViYXNzby9kb2NrZXItcGhwLW5naW54L21pbGVzdG9uZXN7L251bWJlcn0iLCJtaXJyb3JfdXJsIjpudWxsLCJuYW1lIjoiZG9ja2VyLXBocC1uZ2lueCIsIm5vZGVfaWQiOiJNREV3T2xKbGNHOXphWFJ2Y25rek9EY3dNRGswTXpFPSIsIm5vdGlmaWNhdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9mb250ZWJhc3NvL2RvY2tlci1waHAtbmdpbngvbm90aWZpY2F0aW9uc3s/c2luY2UsYWxsLHBhcnRpY2lwYXRpbmd9Iiwib3Blbl9pc3N1ZXMiOjAsIm9wZW5faXNzdWVzX2NvdW50IjowLCJvd25lciI6eyJhdmF0YXJfdXJsIjoiaHR0cHM6Ly9hdmF0YXJzLmdpdGh1YnVzZXJjb250ZW50LmNvbS91LzM2NDMwOTY/dj00IiwiZXZlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZm9udGViYXNzby9ldmVudHN7L3ByaXZhY3l9IiwiZm9sbG93ZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZm9udGViYXNzby9mb2xsb3dlcnMiLCJmb2xsb3dpbmdfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9mb250ZWJhc3NvL2ZvbGxvd2luZ3svb3RoZXJfdXNlcn0iLCJnaXN0c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2ZvbnRlYmFzc28vZ2lzdHN7L2dpc3RfaWR9IiwiZ3JhdmF0YXJfaWQiOiIiLCJodG1sX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9mb250ZWJhc3NvIiwiaWQiOjM2NDMwOTYsImxvZ2luIjoiZm9udGViYXNzbyIsIm5vZGVfaWQiOiJNRFE2VlhObGNqTTJORE13T1RZPSIsIm9yZ2FuaXphdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9mb250ZWJhc3NvL29yZ3MiLCJyZWNlaXZlZF9ldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9mb250ZWJhc3NvL3JlY2VpdmVkX2V2ZW50cyIsInJlcG9zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZm9udGViYXNzby9yZXBvcyIsInNpdGVfYWRtaW4iOmZhbHNlLCJzdGFycmVkX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZm9udGViYXNzby9zdGFycmVkey9vd25lcn17L3JlcG99Iiwic3Vic2NyaXB0aW9uc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2ZvbnRlYmFzc28vc3Vic2NyaXB0aW9ucyIsInR5cGUiOiJVc2VyIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9mb250ZWJhc3NvIiwidXNlcl92aWV3X3R5cGUiOiJwdWJsaWMifSwicHJpdmF0ZSI6ZmFsc2UsInB1bGxzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZm9udGViYXNzby9kb2NrZXItcGhwLW5naW54L3B1bGxzey9udW1iZXJ9IiwicHVzaGVkX2F0IjoiMjAyNS0wNC0yM1QwMjoxNzozNloiLCJyZWxlYXNlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueC9yZWxlYXNlc3svaWR9Iiwic2l6ZSI6MTg0LCJzc2hfdXJsIjoiZ2l0QGdpdGh1Yi5jb206Zm9udGViYXNzby9kb2NrZXItcGhwLW5naW54LmdpdCIsInN0YXJnYXplcnNfY291bnQiOjMsInN0YXJnYXplcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9mb250ZWJhc3NvL2RvY2tlci1waHAtbmdpbngvc3RhcmdhemVycyIsInN0YXR1c2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZm9udGViYXNzby9kb2NrZXItcGhwLW5naW54L3N0YXR1c2VzL3tzaGF9Iiwic3Vic2NyaWJlcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9mb250ZWJhc3NvL2RvY2tlci1waHAtbmdpbngvc3Vic2NyaWJlcnMiLCJzdWJzY3JpcHRpb25fdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9mb250ZWJhc3NvL2RvY2tlci1waHAtbmdpbngvc3Vic2NyaXB0aW9uIiwic3ZuX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9mb250ZWJhc3NvL2RvY2tlci1waHAtbmdpbngiLCJ0YWdzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZm9udGViYXNzby9kb2NrZXItcGhwLW5naW54L3RhZ3MiLCJ0ZWFtc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueC90ZWFtcyIsInRvcGljcyI6WyJkb2NrZXIiLCJkb2NrZXItaW1hZ2UiLCJuZ2lueCIsInBocCJdLCJ0cmVlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueC9naXQvdHJlZXN7L3NoYX0iLCJ1cGRhdGVkX2F0IjoiMjAyNS0wNC0yM1QwMjoxNjo0NVoiLCJ1cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2ZvbnRlYmFzc28vZG9ja2VyLXBocC1uZ2lueCIsInZpc2liaWxpdHkiOiJwdWJsaWMiLCJ3YXRjaGVycyI6Mywid2F0Y2hlcnNfY291bnQiOjMsIndlYl9jb21taXRfc2lnbm9mZl9yZXF1aXJlZCI6ZmFsc2V9LCJzZW5kZXIiOnsiYXZhdGFyX3VybCI6Imh0dHBzOi8vYXZhdGFycy5naXRodWJ1c2VyY29udGVudC5jb20vdS8zNjQzMDk2P3Y9NCIsImV2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2ZvbnRlYmFzc28vZXZlbnRzey9wcml2YWN5fSIsImZvbGxvd2Vyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2ZvbnRlYmFzc28vZm9sbG93ZXJzIiwiZm9sbG93aW5nX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZm9udGViYXNzby9mb2xsb3dpbmd7L290aGVyX3VzZXJ9IiwiZ2lzdHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9mb250ZWJhc3NvL2dpc3Rzey9naXN0X2lkfSIsImdyYXZhdGFyX2lkIjoiIiwiaHRtbF91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZm9udGViYXNzbyIsImlkIjozNjQzMDk2LCJsb2dpbiI6ImZvbnRlYmFzc28iLCJub2RlX2lkIjoiTURRNlZYTmxjak0yTkRNd09UWT0iLCJvcmdhbml6YXRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZm9udGViYXNzby9vcmdzIiwicmVjZWl2ZWRfZXZlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZm9udGViYXNzby9yZWNlaXZlZF9ldmVudHMiLCJyZXBvc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2ZvbnRlYmFzc28vcmVwb3MiLCJzaXRlX2FkbWluIjpmYWxzZSwic3RhcnJlZF91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2ZvbnRlYmFzc28vc3RhcnJlZHsvb3duZXJ9ey9yZXBvfSIsInN1YnNjcmlwdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9mb250ZWJhc3NvL3N1YnNjcmlwdGlvbnMiLCJ0eXBlIjoiVXNlciIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZm9udGViYXNzbyIsInVzZXJfdmlld190eXBlIjoicHVibGljIn19LCJnaXRodWJfaGVhZF9yZWYiOiIiLCJnaXRodWJfcmVmIjoicmVmcy90YWdzLzcuMC4wIiwiZ2l0aHViX3JlZl90eXBlIjoidGFnIiwiZ2l0aHViX3JlcG9zaXRvcnlfaWQiOiIzODcwMDk0MzEiLCJnaXRodWJfcmVwb3NpdG9yeV9vd25lciI6ImZvbnRlYmFzc28iLCJnaXRodWJfcmVwb3NpdG9yeV9vd25lcl9pZCI6IjM2NDMwOTYiLCJnaXRodWJfcnVuX2F0dGVtcHQiOiIxIiwiZ2l0aHViX3J1bl9pZCI6IjE0NjA4NTAzNTM5IiwiZ2l0aHViX3J1bl9udW1iZXIiOiIxMyIsImdpdGh1Yl9zaGExIjoiYTM5MTNlM2JmZjllMTlmZDI3NGRkNzVkYjRkNGI2NjYyZjZhOTM2MyJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSUQiOiIxNDYwODUwMzUzOS0xIiwiY29tcGxldGVuZXNzIjp7InBhcmFtZXRlcnMiOnRydWUsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9LCJtYXRlcmlhbHMiOlt7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vZm9udGViYXNzby9kb2NrZXItcGhwLW5naW54QHJlZnMvdGFncy83LjAuMCIsImRpZ2VzdCI6eyJzaGExIjoiYTM5MTNlM2JmZjllMTlmZDI3NGRkNzVkYjRkNGI2NjYyZjZhOTM2MyJ9fV19fQ==","signatures":[{"keyid":"","sig":"MEUCIAc5QpH8RMCWPbcQqfzEW2ULeMNTgsegQGjRJPXA+Gm3AiEA9HVyjioa1Ro7bh1lDdYG8wWQ2ORrXkgvnNuzn567Z3o="}]}