Skip to content

Commit

Permalink
feat: fetch attestation from URL or file
Browse files Browse the repository at this point in the history
  • Loading branch information
natesales committed Nov 20, 2024
1 parent 3e6226f commit 997896b
Showing 1 changed file with 41 additions and 8 deletions.
49 changes: 41 additions & 8 deletions cmd/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,24 +6,32 @@ import (
"flag"
"fmt"
"io"
"log"
"net/http"
"os"
"strings"

"github.com/tinfoilanalytics/verifier/pkg/models"
"github.com/tinfoilanalytics/verifier/pkg/nitro"
"github.com/tinfoilanalytics/verifier/pkg/sigstore"
)

var (
attestationDoc = flag.String("attestation-doc", "", "Path to the attestation document")
attestationDoc = flag.String("attestation", "", "Path to the attestation document or URL")
digest = flag.String("digest", "", "Artifact digest")
repo = flag.String("repo", "", "Attested repo (e.g. tinfoilanalytics/nitro-pipeline-test)")
)

func gitHubAttestation(digest string) ([]byte, error) {
bundleResponse, err := http.Get("https://api.github.com/repos/" + *repo + "/attestations/sha256:" + digest)
url := "https://api.github.com/repos/" + *repo + "/attestations/sha256:" + digest
log.Printf("Fetching sigstore attestation from %s", url)
bundleResponse, err := http.Get(url)
if err != nil {
return nil, err
}
if bundleResponse.StatusCode != 200 {
return nil, fmt.Errorf("failed to fetch attestation: %s", bundleResponse.Status)
}

var responseJSON struct {
Attestations []struct {
Expand All @@ -40,7 +48,12 @@ func gitHubAttestation(digest string) ([]byte, error) {
func main() {
flag.Parse()

var sigstoreMeasurements *models.Measurements
if *digest != "" {
if *repo == "" {
log.Fatal("Missing repo")
}

bundleBytes, err := gitHubAttestation(*digest)
if err != nil {
panic(err)
Expand All @@ -55,7 +68,7 @@ func main() {
panic(err)
}

sigstoreMeasurements, err := sigstore.VerifyAttestedMeasurements(
sigstoreMeasurements, err = sigstore.VerifyAttestedMeasurements(
sigstoreRootBytes,
bundleBytes,
*digest,
Expand All @@ -66,17 +79,37 @@ func main() {
fmt.Println("Sigstore", sigstoreMeasurements)
}

var nitroMeasurements *models.Measurements
if *attestationDoc != "" {
attDocBytes, err := os.ReadFile(*attestationDoc)
if err != nil {
panic(err)
var attDocBytes []byte
var err error
if strings.HasPrefix(*attestationDoc, "http") {
log.Printf("Fetching attestation doc from %s", *attestationDoc)
resp, err := http.Get(*attestationDoc)
if err != nil {
panic(err)
}
defer resp.Body.Close()
attDocBytes, err = io.ReadAll(resp.Body)
if err != nil {
panic(err)
}
} else {
log.Printf("Reading attestation doc from %s", *attestationDoc)
attDocBytes, err = os.ReadFile(*attestationDoc)
if err != nil {
panic(err)
}
}
nitroMeasurements, err := nitro.VerifyAttestation(attDocBytes)

nitroMeasurements, err = nitro.VerifyAttestation(attDocBytes)
if err != nil {
panic(err)
}
fmt.Println("Nitro", nitroMeasurements)
}

//fmt.Println("Match?", sigstoreMeasurements.Equals(nitroMeasurements))
if sigstoreMeasurements != nil && nitroMeasurements != nil {
fmt.Println("Match?", sigstoreMeasurements.Equals(nitroMeasurements))
}
}

0 comments on commit 997896b

Please sign in to comment.