Struct DependencySignatureEvidence 

pub struct DependencySignatureEvidence {
    pub name: String,
    pub version: String,
    pub registry: Option<String>,
    pub verification: VerificationOutcome,
    pub signature_mechanism: Option<String>,
    pub signer_identity: Option<String>,
    pub source_repo: Option<String>,
    pub source_commit: Option<String>,
    pub pinned_digest: Option<String>,
    pub actual_digest: Option<String>,
    pub transparency_log_uri: Option<String>,
    pub is_direct: bool,
}

Provenance and signature verification evidence for a single dependency.

Supports multiple verification mechanisms including:

• npm provenance: Sigstore-signed SLSA provenance via npm audit signatures
• Sigstore/cosign: General Sigstore verification with Rekor transparency log
• PGP signatures: Traditional GPG/PGP package signatures
• Checksum pinning: Lock-file checksum verification (e.g. Cargo.lock, package-lock.json)

The verification field uses VerificationOutcome for structured failure reasons, matching the pattern used by ArtifactAttestation.

Fields

name: String

Package name (e.g. “serde”, “lodash”).

version: String

Package version (e.g. “1.0.204”, “4.17.21”).

registry: Option<String>

Registry origin (e.g. “crates.io”, “registry.npmjs.org”).

verification: VerificationOutcome

Structured verification outcome, reusing VerificationOutcome for consistency with ArtifactAttestation. Verified = signature valid, otherwise structured failure.

signature_mechanism: Option<String>

Signing mechanism (e.g. “sigstore”, “pgp”, “checksum”).

signer_identity: Option<String>

Signer identity: OIDC issuer URI, public key fingerprint, or email. For npm provenance this is the GitHub Actions OIDC token subject.

source_repo: Option<String>

Source repository that built the package (from SLSA provenance predicate).

source_commit: Option<String>

Source commit SHA at which the package was built.

pinned_digest: Option<String>

Expected artifact digest from lock file (e.g. “sha512:…” from Cargo.lock/package-lock.json). Populated by lock-file parsers. Compare with actual_digest to detect artifact replacement.

actual_digest: Option<String>

Actual artifact digest computed from downloaded artifact at install/build time. Populated by build-time adapters (not lock-file parsers). When both pinned_digest and actual_digest are present, has_digest_mismatch() in the control detects registry-side artifact replacement attacks.

transparency_log_uri: Option<String>

Transparency log entry URL (e.g. Rekor log index for Sigstore).

is_direct: bool

Whether this is a direct dependency (true) or transitive (false). Transitive dependencies are more susceptible to typosquatting attacks.

Implementations

impl DependencySignatureEvidence

pub fn registry_provenance_capability(&self) -> RegistryProvenanceCapability

Returns the provenance capability level of this dependency’s registry.

This determines whether higher-level controls (L2 provenance, L3 signer verification) are meaningful for this dependency. Dependencies from registries that lack the required infrastructure are excluded from evaluation rather than producing false positives.

Trait Implementations

impl Clone for DependencySignatureEvidence

fn clone(&self) -> DependencySignatureEvidence

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for DependencySignatureEvidence

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for DependencySignatureEvidence

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl PartialEq for DependencySignatureEvidence

fn eq(&self, other: &DependencySignatureEvidence) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for DependencySignatureEvidence

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.

impl Eq for DependencySignatureEvidence

impl StructuralPartialEq for DependencySignatureEvidence