fix: improve documentation

ppkarwasz · ppkarwasz · commit d64965bf3942 · 2026-04-20T15:16:25.000+02:00
diff --git a/src/site/markdown/slsa/v0.1.0.md b/src/site/markdown/slsa/v0.1.0.md
@@ -6,8 +6,32 @@
 "buildType": "https://commons.apache.org/proper/commons-release-plugin/slsa/v0.1.0"
 ```
 
-This is a [SLSA Build Provenance](https://slsa.dev/spec/v1.2/build-provenance) build type
-that describes releases produced by Apache Commons PMC release managers running Maven on their own equipment.
+This document defines a [SLSA v1.2 Build Provenance](https://slsa.dev/spec/v1.2/build-provenance) **build type** for
+releases of Apache Commons components.
+
+Apache Commons releases are cut on a PMC release manager's workstation by invoking Maven against a checkout of the
+project's Git repository. The `commons-release-plugin` captures the build inputs and emits the result as an in-toto
+attestation covering every artifact attached to the project.
+
+Because the build runs on the release manager's own hardware rather than on a hosted build service, the provenance
+corresponds to [SLSA Build Level 1](https://slsa.dev/spec/v1.2/levels): it is generated by the same process that
+produces the artifacts and is signed with the release manager's OpenPGP key, but the build platform itself is not
+separately attested.
+
+The OpenPGP keys used to sign past and present artifacts are available at: https://downloads.apache.org/commons/KEYS
+
+Attestations are published to Maven Central under the released artifact's coordinates, distinguished by an
+`intoto.jsonl` type:
+
+```xml
+
+<dependency>
+  <groupId>org.apache.commons</groupId>
+  <artifactId>${artifactId}</artifactId>
+  <type>intoto.jsonl</type>
+  <version>${version}</version>
+</dependency>
+```
 
 ## Build definition
 
@@ -84,7 +108,7 @@ They are only present if the resource is accessible from Maven's Core Classloade
 |-------------------------|--------------------------------------------------------------|
 | `distributionId`        | The ID of the Maven distribution.                            |
 | `distributionName`      | The full name of the Maven distribution.                     |
-| `distributionShortName` | The short name of the Mavendistribution.                     |
+| `distributionShortName` | The short name of the Maven distribution.                    |
 | `buildNumber`           | The Git commit hash from which this Maven release was built. |
 | `version`               | The Maven version string.                                    |
 
@@ -115,14 +139,123 @@ It represents the commons-release-plugin acting as the build platform.
 
 ## Subjects
 
-The attestation covers all artifacts attached to the Maven project at the time the `verify` phase runs:
-the primary artifact (e.g. the JAR) and any attached artifacts (e.g. sources JAR, javadoc JAR, POM).
-
-| Field           | Value                                    |
-|-----------------|------------------------------------------|
-| `name`          | Artifact filename.                       |
-| `uri`           | Package URL.                             |
-| `digest.sha256` | SHA-256 hex digest of the artifact file. |
+The [`subject`](https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md#fields) array
+lists every artifact produces by the build. It has the following properties
+
+| Field    | Value                                                                                                                               |
+|----------|-------------------------------------------------------------------------------------------------------------------------------------|
+| `name`   | Artifact filename in the default Maven repository layout, e.g. `commons-text-1.4-sources.jar`.                                      |
+| `uri`    | [Package URL](https://github.com/package-url/purl-spec) identifying the artifact in the `maven` namespace.                          |
+| `digest` | Map of [in-toto digest names](https://github.com/in-toto/attestation/blob/main/spec/v1/digest_set.md) to hex-encoded digest values. |
+
+By default, every subject carries `md5`, `sha1`, `sha256` and `sha512` digests.
+
+## Example
+
+The following is the bare attestation statement produced for the `commons-text` 1.4 release
+(abridged: most subjects are elided, and the JDK annotations trimmed). The full fixture lives at
+[`src/test/resources/attestations/commons-text-1.4.intoto.json`](https://github.com/apache/commons-release-plugin/blob/main/src/test/resources/attestations/commons-text-1.4.intoto.json)
+in the plugin source tree.
+
+The statement shown below is wrapped in a [DSSE envelope](https://github.com/secure-systems-lab/dsse/blob/master/envelope.md)
+signed with the release manager's OpenPGP key, and the `.intoto.jsonl` file deployed to Maven Central
+contains that envelope.
+
+```json5
+{
+  "subject": [
+    {
+      "name": "commons-text-1.4.jar",
+      "uri": "pkg:maven/commons-text/commons-text@1.4?type=jar",
+      "digest": {
+        "md5": "9cbe22bb0ce86c70779213dfb7f3eb5a",
+        "sha1": "c81f089b3542485d4d09b02aae822906e5d2f209",
+        "sha256": "ad2d2eacf15ab740c115294afc1192603d8342004a6d7d0ad35446f7dda8a134",
+        "sha512": "126302c5f6865733774eb41fecc10ba8d0bb5ba11d14b9562047429abeb13bf8cdcdbfdf5e7d7708e2a40f67f4265cbbce609164f57abcd676067a840aa48e6a"
+      }
+    },
+    // … one entry per attached artifact (POM, sources, javadoc, tests, and distribution archives) …
+    {
+      "name": "commons-text-1.4-src.zip",
+      "uri": "pkg:maven/commons-text/commons-text@1.4?classifier=src&type=zip",
+      "digest": {
+        "md5": "fd65603e930f2b0805c809aa2deb1498",
+        "sha1": "ca1cc6fbb4e46b44f8bb09b70c9e3a2ae3c5fce8",
+        "sha256": "e4a6c992153faae4f7faff689b899073000364e376736b9746a5d0acb9d8b980",
+        "sha512": "79ca61ff7b287407428bbb6ae13c6d372dcd0665114c55cd5bc57978a6fa760305e32feabef62cfeb0c4181220a59406239f6cccaa9a25c68773eef0250cb3a9"
+      }
+    }
+  ],
+  "predicateType": "https://slsa.dev/provenance/v1",
+  "predicate": {
+    "buildDefinition": {
+      "buildType": "https://commons.apache.org/builds/0.1.0",
+      "externalParameters": {
+        "maven.goals": ["deploy"],
+        "maven.profiles": ["release"],
+        "maven.user.properties": {
+          "gpg.keyname": "3C8D57E0A2B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9"
+        },
+        "maven.cmdline": "deploy -Prelease -Dgpg.keyname=3C8D57E0A2B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9",
+        "jvm.args": [
+          "-Dfile.encoding=UTF-8",
+          "-Dsun.stdout.encoding=UTF-8",
+          "-Dsun.stderr.encoding=UTF-8"
+        ],
+        "env": {
+          "LANG": "pl_PL.UTF-8",
+          "TZ": "UTC"
+        }
+      },
+      "internalParameters": {},
+      "resolvedDependencies": [
+        // JDK that ran the build
+        {
+          "name": "JDK",
+          "digest": { "gitTree": "bdb67e47c1b7df9c35ae045f29a348bb5bd32dc3" },
+          "annotations": {
+            "vendor": "Eclipse Adoptium",
+            "vendor.version": "Temurin-25.0.2+10",
+            "version": "25.0.2",
+            "vm.name": "OpenJDK 64-Bit Server VM",
+            "vm.version": "25.0.2+10-LTS"
+            // … remaining java.* system properties elided …
+          }
+        },
+        // Maven installation
+        {
+          "name": "Maven",
+          "uri": "pkg:maven/org.apache.maven/apache-maven@3.9.12",
+          "digest": { "gitTree": "3cdb4a67690dc18373f70ead98dc86567cc5ad67" },
+          "annotations": {
+            "distributionId": "apache-maven",
+            "distributionName": "Apache Maven",
+            "distributionShortName": "Maven",
+            "buildNumber": "848fbb4bf2d427b72bdb2471c22fced7ebd9a7a1",
+            "version": "3.9.12"
+          }
+        },
+        // Source revision (branch or tag at release time)
+        {
+          "uri": "git+https://github.com/apache/commons-text.git@rel/commons-text-1.4",
+          "digest": { "gitCommit": "f519b3670795da3fb4f43b6af1f727eadf8e6800" }
+        }
+      ]
+    },
+    "runDetails": {
+      "builder": {
+        "id": "https://commons.apache.org/builds/0.1.0",
+        "builderDependencies": [],
+        "version": {}
+      },
+      "metadata": {
+        "startedOn": "2026-04-20T09:28:44Z",
+        "finishedOn": "2026-04-20T09:38:12Z"
+      }
+    }
+  }
+}
+```
 
 ## Version history
 
