ensuring link and slsa attestation exporting is optional

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

attestation/link/link.go

@@ -26,6 +26,7 @@ import (
 	"github.com/in-toto/go-witness/attestation/material"
 	"github.com/in-toto/go-witness/attestation/product"
 	"github.com/in-toto/go-witness/cryptoutil"
+	"github.com/in-toto/go-witness/registry"
 	"google.golang.org/protobuf/types/known/structpb"
 )
 
@@ -47,6 +48,19 @@ var (
 func init() {
 	attestation.RegisterAttestation(Name, Type, RunType,
 		func() attestation.Attestor { return New() },
+		registry.BoolConfigOption(
+			"export",
+			"Export the Link predicate in its own attestation",
+			defaultExport,
+			func(a attestation.Attestor, export bool) (attestation.Attestor, error) {
+				linkAttestor, ok := a.(*Link)
+				if !ok {
+					return a, fmt.Errorf("unexpected attestor type: %T is not a Link provenance attestor", a)
+				}
+				WithExport(export)(linkAttestor)
+				return linkAttestor, nil
+			},
+		),
 	)
 }
 
@@ -81,7 +95,7 @@ func (l *Link) RunType() attestation.RunType {
 }
 
 func (l *Link) Export() bool {
-	return true
+	return l.export
 }
 
 func (l *Link) Attest(ctx *attestation.AttestationContext) error {

attestation/slsa/slsa.go

@@ -61,7 +61,7 @@ func init() {
 		func() attestation.Attestor { return New() },
 		registry.BoolConfigOption(
 			"export",
-			"Export the SLSA provenance attestation to its own file",
+			"Export the SLSA provenance predicate in its own attestation",
 			defaultExport,
 			func(a attestation.Attestor, export bool) (attestation.Attestor, error) {
 				slsaAttestor, ok := a.(*Provenance)
@@ -107,7 +107,7 @@ func (p *Provenance) RunType() attestation.RunType {
 }
 
 func (p *Provenance) Export() bool {
-	return true
+	return p.export
 }
 
 func (p *Provenance) Attest(ctx *attestation.AttestationContext) error {

run.go

@@ -26,6 +26,7 @@ import (
 	"github.com/in-toto/go-witness/cryptoutil"
 	"github.com/in-toto/go-witness/dsse"
 	"github.com/in-toto/go-witness/intoto"
+	"github.com/in-toto/go-witness/log"
 	"github.com/in-toto/go-witness/timestamp"
 )
 
@@ -106,7 +107,11 @@ func run(stepName string, signer cryptoutil.Signer, opts []RunOption) ([]RunResu
 		if r.Error != nil {
 			errs = append(errs, r.Error)
 		} else {
-			if _, ok := r.Attestor.(attestation.Exporter); ok {
+			if exporter, ok := r.Attestor.(attestation.Exporter); ok {
+				if !exporter.Export() {
+					log.Debugf("%s attestor not configured to be exported as its own attestation", r.Attestor.Name())
+					continue
+				}
 				if subjecter, ok := r.Attestor.(attestation.Subjecter); ok {
 					envelope, err := createAndSignEnvelope(r.Attestor, r.Attestor.Type(), subjecter.Subjects(), dsse.SignWithSigners(ro.signer), dsse.SignWithTimestampers(ro.timestampers...))
 					if err != nil {