Skip to content

transmute-industries/transmute

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Aug 27, 2024
79d0191 · Aug 27, 2024
Aug 27, 2024
Jul 2, 2023
Aug 27, 2024
Aug 13, 2024
Aug 16, 2024
Aug 27, 2024
Aug 27, 2024
Jun 10, 2023
Oct 16, 2023
Aug 12, 2024
Jun 10, 2023
Aug 13, 2024
Aug 16, 2024
Aug 16, 2024
Jun 11, 2023
Aug 27, 2024
Aug 27, 2024
Aug 16, 2024
Oct 25, 2023

Repository files navigation

CI NPM

Usage

GitHub Action

name: CI
on: [push]
jobs:
  scitt:
    runs-on: ubuntu-latest
    steps:
      - name: Issue Statement
        id: issue_statement
        uses: transmute-industries/transmute@main
        with:
          transmute: |
            scitt issue-statement ./tests/fixtures/private.sig.key.cbor \
            ./tests/fixtures/message.json \
            --output ./tests/fixtures/message.hash-envelope.cbor
      - name: Verify Statement Hash
        id: verify_message
        uses: transmute-industries/transmute@main
        with:
          transmute: |
            scitt verify-statement-hash ./tests/fixtures/public.sig.key.cbor \
            ./tests/fixtures/message.hash-envelope.cbor \
            3073d614f853aaec9a1146872c7bab75495ee678c8864ed3562f8787555c1e22
      - name: Issue Receipt
        id: issue_receipt
        uses: transmute-industries/transmute@main
        with:
          transmute: |
            scitt issue-receipt ./tests/fixtures/private.notary.key.cbor \
            ./tests/fixtures/message.hash-envelope.cbor \
            --log ./tests/fixtures/trans.json
      - name: Verify Receipt Hash
        id: verify_receipt
        uses: transmute-industries/transmute@main
        with:
          transmute: |
            scitt verify-receipt-hash ./tests/fixtures/public.notary.key.cbor \
            ./tests/fixtures/message.hash-envelope-with-receipt.cbor \
            3073d614f853aaec9a1146872c7bab75495ee678c8864ed3562f8787555c1e22

See CI for more examples.

Nodejs CLI

Install as global binary:

npm i -g @transmute/cli@latest

Getting Started

echo '"@context":
  - https://www.w3.org/ns/credentials/v2
  - https://www.w3.org/ns/credentials/examples/v2
type:
  - VerifiableCredential
  - MyPrototypeCredential
credentialSubject:
  !sd mySubjectProperty: mySubjectValue
' > ./tests/fixtures/issuer-disclosable-claims.yaml

echo '"@context":
  - https://www.w3.org/ns/credentials/v2
  - https://www.w3.org/ns/credentials/examples/v2
type:
  - VerifiableCredential
  - MyPrototypeCredential
credentialSubject:
  mySubjectProperty: mySubjectValue
' > ./tests/fixtures/holder-disclosed-claims.yaml

transmute jose keygen --alg ES256 \
--output ./tests/fixtures/private.sig.jwk.json

transmute vcwg issue-credential ./tests/fixtures/private.sig.jwk.json \
 ./tests/fixtures/issuer-disclosable-claims.yaml \
--credential-type application/vc-ld+sd-jwt \
--output ./tests/fixtures/issuer-disclosable-claims.sd-jwt

See scripts for more examples.

graph after ci runs

TODO: all command examples

Use Cases

Software Supply Chain

In Search of Transparency

Product Integrity
sbom-tool generate -b ./dist -bc ./ -pn transmute -ps transmute.industries \
-pv `jq -r .version package.json` -nsu `git rev-parse --verify HEAD`

transmute scitt issue-statement ./tests/fixtures/private.notary.key.cbor \
./dist/_manifest/spdx_2.2/manifest.spdx.json \
--iss https://software.vendor.example \
--sub `jq -r .documentNamespace ./dist/_manifest/spdx_2.2/manifest.spdx.json` \
--content-type application/spdx+json \
--location https://github.com/.../dist/_manifest/spdx_2.2/manifest.spdx.json \
--output ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor

transmute scitt issue-receipt ./tests/fixtures/private.notary.key.cbor \
./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor \
--iss https://software.notary.example \
--sub `jq -r .documentNamespace ./dist/_manifest/spdx_2.2/manifest.spdx.json` \
--log ./tests/fixtures/trans.json \
--output ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor

transmute scitt verify-receipt-hash ./tests/fixtures/public.notary.key.cbor \
./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor \
`cat ./dist/_manifest/spdx_2.2/manifest.spdx.json.sha256`

command line image of build script execution

Compliance Automation
name: CI
on: [push]
jobs:
  scitt:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Push Transparency
        uses: transmute-industries/transmute@main
        with:
          neo4j-uri: ${{ secrets.NEO4J_URI }}
          neo4j-user: ${{ secrets.NEO4J_USERNAME }}
          neo4j-password: ${{ secrets.NEO4J_PASSWORD }}
          transmute: |
            graph assist ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor \
              --credential-type application/cose \
              --graph-type application/gql \
              --push

graph query results