From 3e6226f0a68b5ad091e0a69747d4c79278e8417e Mon Sep 17 00:00:00 2001
From: Nate Sales
Date: Tue, 19 Nov 2024 16:15:02 -0500
Subject: [PATCH] feat: separate nitro and sigstore checks

---
 cmd/main.go | 73 ++++++++++++++++++++++++++++++-----------------------
 1 file changed, 41 insertions(+), 32 deletions(-)

diff --git a/cmd/main.go b/cmd/main.go
index 8ddf593..7115bb7 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -3,6 +3,7 @@ package main
 import (
 	_ "embed"
 	"encoding/json"
+	"flag"
 	"fmt"
 	"io"
 	"net/http"
@@ -12,10 +13,14 @@ import (
 	"github.com/tinfoilanalytics/verifier/pkg/sigstore"
 )
 
-const repo = "tinfoilanalytics/nitro-enclave-pipeline-test"
+var (
+	attestationDoc = flag.String("attestation-doc", "", "Path to the attestation document")
+	digest         = flag.String("digest", "", "Artifact digest")
+	repo           = flag.String("repo", "", "Attested repo (e.g. tinfoilanalytics/nitro-pipeline-test)")
+)
 
 func gitHubAttestation(digest string) ([]byte, error) {
-	bundleResponse, err := http.Get("https://api.github.com/repos/" + repo + "/attestations/sha256:" + digest)
+	bundleResponse, err := http.Get("https://api.github.com/repos/" + *repo + "/attestations/sha256:" + digest)
 	if err != nil {
 		return nil, err
 	}
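Review bot: `gitHubAttestation` now dereferences `*repo` with no check that `-repo` was actually given; the flag defaults to `""`, so the request goes to `https://api.github.com/repos//attestations/sha256:<digest>` and the failure surfaces as an opaque HTTP error instead of a usage message. A guard at the top of the function, `if *repo == "" { return nil, fmt.Errorf("-repo is required") }`, makes the dependency explicit. The `digest` argument is likewise spliced into the URL path without validation; now that it comes from the command line rather than a constant, checking that it is 64 hex characters before building the URL keeps malformed input out of the request. The rest of gitHubAttestation's body lies outside this hunk.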
@@ -33,41 +38,45 @@ func gitHubAttestation(digest string) ([]byte, error) {
 }
 
 func main() {
-	digest := "8c168b97025c49a7f34c0da01b22200e4dc3b1f858e76fc4555967eb28722b11"
+	flag.Parse()
 
-	bundleBytes, err := gitHubAttestation(digest)
-	if err != nil {
-		panic(err)
-	}
+	if *digest != "" {
+		bundleBytes, err := gitHubAttestation(*digest)
+		if err != nil {
+			panic(err)
+		}
 
-	sigstoreResponse, err := http.Get("https://tuf-repo-cdn.sigstore.dev/targets/4364d7724c04cc912ce2a6c45ed2610e8d8d1c4dc857fb500292738d4d9c8d2c.trusted_root.json")
-	if err != nil {
-		panic(err)
-	}
-	sigstoreRootBytes, err := io.ReadAll(sigstoreResponse.Body)
-	if err != nil {
-		panic(err)
-	}
+		sigstoreResponse, err := http.Get("https://tuf-repo-cdn.sigstore.dev/targets/4364d7724c04cc912ce2a6c45ed2610e8d8d1c4dc857fb500292738d4d9c8d2c.trusted_root.json")
+		if err != nil {
+			panic(err)
+		}
+		sigstoreRootBytes, err := io.ReadAll(sigstoreResponse.Body)
+		if err != nil {
+			panic(err)
+		}
 
-	sigstoreMeasurements, err := sigstore.VerifyAttestedMeasurements(
-		sigstoreRootBytes,
-		bundleBytes,
-		digest,
-	)
-	if err != nil {
-		panic(err)
+		sigstoreMeasurements, err := sigstore.VerifyAttestedMeasurements(
+			sigstoreRootBytes,
+			bundleBytes,
+			*digest,
+		)
+		if err != nil {
+			panic(err)
+		}
+		fmt.Println("Sigstore", sigstoreMeasurements)
 	}
-	fmt.Println("Sigstore", sigstoreMeasurements)
 
-	attDocBytes, err := os.ReadFile("att_doc.bin")
-	if err != nil {
-		panic(err)
-	}
-	nitroMeasurements, err := nitro.VerifyAttestation(attDocBytes)
-	if err != nil {
-		panic(err)
+	if *attestationDoc != "" {
+		attDocBytes, err := os.ReadFile(*attestationDoc)
+		if err != nil {
+			panic(err)
+		}
+		nitroMeasurements, err := nitro.VerifyAttestation(attDocBytes)
+		if err != nil {
+			panic(err)
+		}
+		fmt.Println("Nitro", nitroMeasurements)
 	}
-	fmt.Println("Nitro", nitroMeasurements)
-	fmt.Println("Match?", sigstoreMeasurements.Equals(nitroMeasurements))
+	//fmt.Println("Match?", sigstoreMeasurements.Equals(nitroMeasurements))
 }
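Review bot: The commented-out `Match?` line at the end of main drops the only check that tied the two results together: when both `-digest` and `-attestation-doc` are given, the tool now prints the Sigstore and Nitro measurements side by side but never compares them and always exits 0, so a mismatch between the signed build and the running enclave is no longer detected by the tool itself. Declaring the two measurement variables above the `if` blocks restores the comparison and lets the exit status carry the result (sketch below; the variable types are placeholders for whatever the two Verify functions return). Two smaller points in the same hunk: `sigstoreResponse.Body` is never closed and its status code is not checked, so a non-2xx error page would be handed to `VerifyAttestedMeasurements` as the trusted root — `defer sigstoreResponse.Body.Close()` plus an `if sigstoreResponse.StatusCode != http.StatusOK` check would cover it; and with neither flag set main silently does nothing, where `flag.Usage()` followed by a non-zero exit would be clearer.
```go
func main() {
	flag.Parse()
	if *digest == "" && *attestationDoc == "" {
		flag.Usage()
		os.Exit(2)
	}

	// Placeholder types: use whatever sigstore.VerifyAttestedMeasurements and
	// nitro.VerifyAttestation return; declared here so both blocks can assign to them.
	var sigstoreMeasurements SIGSTORE_MEASUREMENTS_TYPE_PLACEHOLDER
	var nitroMeasurements NITRO_MEASUREMENTS_TYPE_PLACEHOLDER

	if *digest != "" {
		bundleBytes, err := gitHubAttestation(*digest)
		// … unchanged: error check, trusted-root fetch and read …
		sigstoreMeasurements, err = sigstore.VerifyAttestedMeasurements(sigstoreRootBytes, bundleBytes, *digest)
		// … unchanged: error check, print …
	}

	if *attestationDoc != "" {
		attDocBytes, err := os.ReadFile(*attestationDoc)
		// … unchanged: error check …
		nitroMeasurements, err = nitro.VerifyAttestation(attDocBytes)
		// … unchanged: error check, print …
	}

	if *digest != "" && *attestationDoc != "" {
		match := sigstoreMeasurements.Equals(nitroMeasurements)
		fmt.Println("Match?", match)
		if !match {
			os.Exit(1)
		}
	}
}
```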