feat: separate nitro and sigstore checks
natesales committed Nov 19, 2024
1 parent 528f667 commit 3e6226f
Showing 1 changed file with 41 additions and 32 deletions.
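--- a/cmd/main.go
+++ b/cmd/main.go
@@ -3,6 +3,7 @@ package main
 import (
 _ "embed"
 "encoding/json"
+"flag"
 "fmt"
 "io"
 "net/http"
@@ -12,10 +13,14 @@ import (
 "github.com/tinfoilanalytics/verifier/pkg/sigstore"
 )
 
-const repo = "tinfoilanalytics/nitro-enclave-pipeline-test"
+var (
+attestationDoc = flag.String("attestation-doc", "", "Path to the attestation document")
+digest = flag.String("digest", "", "Artifact digest")
+repo = flag.String("repo", "", "Attested repo (e.g. tinfoilanalytics/nitro-pipeline-test)")
+)
 
 func gitHubAttestation(digest string) ([]byte, error) {
-bundleResponse, err := http.Get("https://api.github.com/repos/" + repo + "/attestations/sha256:" + digest)
+bundleResponse, err := http.Get("https://api.github.com/repos/" + *repo + "/attestations/sha256:" + digest)
 if err != nil {
 return nil, err
 }
@@ -33,41 +38,45 @@ func gitHubAttestation(digest string) ([]byte, error) {
 }
 
 func main() {
-digest := "8c168b97025c49a7f34c0da01b22200e4dc3b1f858e76fc4555967eb28722b11"
+flag.Parse()
 
-bundleBytes, err := gitHubAttestation(digest)
-if err != nil {
-panic(err)
-}
+if *digest != "" {
+bundleBytes, err := gitHubAttestation(*digest)
+if err != nil {
+panic(err)
+}
 
-sigstoreResponse, err := http.Get("https://tuf-repo-cdn.sigstore.dev/targets/4364d7724c04cc912ce2a6c45ed2610e8d8d1c4dc857fb500292738d4d9c8d2c.trusted_root.json")
-if err != nil {
-panic(err)
-}
-sigstoreRootBytes, err := io.ReadAll(sigstoreResponse.Body)
-if err != nil {
-panic(err)
-}
+sigstoreResponse, err := http.Get("https://tuf-repo-cdn.sigstore.dev/targets/4364d7724c04cc912ce2a6c45ed2610e8d8d1c4dc857fb500292738d4d9c8d2c.trusted_root.json")
+if err != nil {
+panic(err)
+}
+sigstoreRootBytes, err := io.ReadAll(sigstoreResponse.Body)
+if err != nil {
+panic(err)
+}
 
-sigstoreMeasurements, err := sigstore.VerifyAttestedMeasurements(
-sigstoreRootBytes,
-bundleBytes,
-digest,
-)
-if err != nil {
-panic(err)
+sigstoreMeasurements, err := sigstore.VerifyAttestedMeasurements(
+sigstoreRootBytes,
+bundleBytes,
+*digest,
+)
+if err != nil {
+panic(err)
+}
+fmt.Println("Sigstore", sigstoreMeasurements)
 }
-fmt.Println("Sigstore", sigstoreMeasurements)
 
-attDocBytes, err := os.ReadFile("att_doc.bin")
-if err != nil {
-panic(err)
-}
-nitroMeasurements, err := nitro.VerifyAttestation(attDocBytes)
-if err != nil {
-panic(err)
+if *attestationDoc != "" {
+attDocBytes, err := os.ReadFile(*attestationDoc)
+if err != nil {
+panic(err)
+}
+nitroMeasurements, err := nitro.VerifyAttestation(attDocBytes)
+if err != nil {
+panic(err)
+}
+fmt.Println("Nitro", nitroMeasurements)
 }
-fmt.Println("Nitro", nitroMeasurements)
 
-fmt.Println("Match?", sigstoreMeasurements.Equals(nitroMeasurements))
+//fmt.Println("Match?", sigstoreMeasurements.Equals(nitroMeasurements))
 }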
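Review bot: The trusted-root fetch inside the new `if *digest != ""` block never closes `sigstoreResponse.Body` and never checks the HTTP status, so a 4xx/5xx error page from the CDN would be handed to `sigstore.VerifyAttestedMeasurements` as the root of trust and surface as a confusing parse failure rather than a clear fetch error. The flag gating also leaves `-repo` unvalidated: with `-digest` set and `-repo` empty, `gitHubAttestation` builds `https://api.github.com/repos//attestations/sha256:…`, and with neither flag set `main` exits 0 with no output, so a guard such as `if *digest == "" && *attestationDoc == "" { flag.Usage(); os.Exit(2) }` after `flag.Parse()` would make misuse visible. The hex prefix in the trusted_root target name looks like TUF consistent-snapshot naming (sha256 of the target), so comparing `sha256.Sum256(sigstoreRootBytes)` against that constant before use would pin the root instead of trusting whatever the CDN returns — worth confirming against the TUF layout before relying on it. `gitHubAttestation`'s body after its `http.Get` is outside this hunk, so whether it closes its own response is not visible here.
```go
sigstoreResponse, err := http.Get("https://tuf-repo-cdn.sigstore.dev/targets/4364d7724c04cc912ce2a6c45ed2610e8d8d1c4dc857fb500292738d4d9c8d2c.trusted_root.json")
if err != nil {
	panic(err)
}
defer sigstoreResponse.Body.Close()
if sigstoreResponse.StatusCode != http.StatusOK {
	panic(fmt.Errorf("fetching sigstore trusted root: unexpected status %s", sigstoreResponse.Status))
}
sigstoreRootBytes, err := io.ReadAll(sigstoreResponse.Body)
// … unchanged: ReadAll error check, VerifyAttestedMeasurements call, Println …
```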
