Container provenance
Every deploy anchors the image digest, git commit, Dockerfile SHA, and lockfile SHA as a Knox CoreEvent. Events are Merkle-checkpointed hourly and the checkpoint root is Bitcoin-anchored. A third party can reproduce each step independently.
Latest deployed image
- Image digest: sha256:d820ac94942dad3726e0e6c29f2079d01c33c787ac71290fbbef4608257b2fc5
- Image tag: us-central1-docker.pkg.dev/eighth-edge-491502-s8/terravault/terravault:20260607-220816
- Cloud Run revision: terravault-00587-jb7
- Git commit: f96c6a89128d483baf874922933a255dadfee0d1
- Dockerfile SHA-256: d200a5e0a0fc…096c1f406a0e
- Lockfile SHA-256: 2c186f6b218a…8ab128dfece4
- Built at: 2026-06-08T03:26:28Z
- Builder: [email protected]
Knox anchor
- CoreEvent ID: cmq4nfwud00019mxlb40o7ox9
- Event hash: ff3273e4715fa4c0caa2264e048b3f31a73c8fd815e26dfb5ee1ebf12071a667
- Previous hash: (none)
- Sequence (per aggregate): 0
- Global sequence: 18575
- Anchored at: 2026-06-08T03:26:29.123Z
Bitcoin checkpoint
- Checkpoint ID: cmq4nkgyl00089mxlai0xxok8
- Range (global seq): 18573–18575
- Merkle root: 2c0c55a173956d87610b9cc7507af24ed65a56a32779718ae08efebd598533fb
- Bitcoin anchor: cb3bc2122613b53cc912a6479c15db7235e217f847fc2001d7b913293abd0baa
- Checkpointed at: 2026-06-08T03:30:01.821Z
How to verify independently
Step 1 — image digest matches what is running
Run gcloud run revisions describe terravault-00587-jb7 --region=us-central1 --format='value(spec.containers[0].image)'; it returns an image reference. Pull that reference with docker pull, then compare the output of docker inspect --format='{{.Id}}' with sha256:d820ac94942d…
Step 2 — event hash is reproducible
GET /api/core/events/verify?aggregateType=build&aggregateId=d820ac94942d… — the verifier recomputes SHA-256 over the canonical payload + previous hash + sequence. A match returns { valid: true }; any tamper returns { valid: false } with a diff.
Step 3 — checkpoint Merkle root covers the event
GET /api/core/events/replay?fromGlobalSeq=18573&toGlobalSeq=18575 — reconstruct the Merkle root from the replayed event-hash leaves and compare against the checkpoint root above. The checkpoint root is then submitted to OpenTimestamps for Bitcoin anchoring at :30 every hour.
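The checks in Steps 2 and 3, run over a replayed range, as an added example that is not Knox's own code. The JSON field names, the canonical encoding, and the Merkle tree shape are assumptions, because this page does not specify them; the sample events are constructed.

```python
import hashlib
import json

def event_hash(payload, prev_hash, seq):
    # Step 2. ASSUMED encoding: sorted-key compact JSON, then previous hash
    # ("" when there is none), then the per-aggregate sequence number.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{canonical}{prev_hash or ''}{seq}".encode()).hexdigest()

def merkle_root(leaves_hex):
    # Step 3. ASSUMED tree: leaves are raw event hashes in global-sequence
    # order, parent = SHA-256(left || right), an unpaired node moves up as-is.
    if not leaves_hex:
        raise ValueError("no leaves")
    level = [bytes.fromhex(h) for h in leaves_hex]
    while len(level) > 1:
        nxt = [hashlib.sha256(level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0].hex()

def verify_checkpoint(events, from_seq, to_seq, expected_root):
    # Fail closed: a missing or duplicated global sequence number is an error.
    events = sorted(events, key=lambda e: e["globalSeq"])
    if [e["globalSeq"] for e in events] != list(range(from_seq, to_seq + 1)):
        return False, "global sequence range is not contiguous"
    for e in events:
        if event_hash(e["payload"], e["previousHash"], e["sequence"]) != e["eventHash"]:
            return False, f"event hash mismatch at globalSeq {e['globalSeq']}"
    if merkle_root([e["eventHash"] for e in events]) != expected_root.lower():
        return False, "Merkle root does not match checkpoint"
    return True, "ok"

def make_event(gseq, seq, prev, payload):
    # Hypothetical helper that builds a constructed event with a valid hash.
    return {"globalSeq": gseq, "sequence": seq, "previousHash": prev,
            "payload": payload, "eventHash": event_hash(payload, prev, seq)}

# Constructed sample range: three events, so the odd-leaf path runs.
first = make_event(100, 0, None, {"imageDigest": "sha256:constructed-a"})
SAMPLE = [first,
          make_event(101, 0, None, {"imageDigest": "sha256:constructed-b"}),
          make_event(102, 1, first["eventHash"], {"imageDigest": "sha256:constructed-c"})]
SAMPLE_ROOT = merkle_root([e["eventHash"] for e in SAMPLE])

if __name__ == "__main__":
    print(verify_checkpoint(SAMPLE, 100, 102, SAMPLE_ROOT))
```

Checking the real checkpoint root requires replacing the assumed encoding and tree rules with the ones Knox actually uses.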
What this attestation is (and is not)
- This is a self-anchored provenance record — the deploy script captures the image digest + source fingerprint, emits a CoreEvent, and relies on the hourly Merkle checkpoint + OpenTimestamps to produce a Bitcoin-level commitment.
- It is structurally analogous to cosign + Sigstore Rekor, using Knox CoreEvent as the transparency log and the Bitcoin blockchain as the immutable anchor in place of Rekor's append-only log.
- It is not a SLSA Level 3+ build-platform attestation — the current build runs on Google Cloud Build, and there is no third-party-signed SLSA provenance document yet.
- It is not cosign-signed — cosign keyless signing via GCP OIDC is a planned addition and will be co-anchored alongside the existing CoreEvent record.
- Pre-checkpoint events (recorded between the hourly :30 runs) are hash-chained and tamper-evident via the CoreEvent hash chain, but the Bitcoin anchor lands only after the next checkpoint.
Raw JSON
/api/knox/attestation/container returns the current attestation as JSON. /api/core/build/list?limit=20 returns the twenty most recent deploys.