Merge pull request #937 from crazy-max/sigstore-platform

sigstore: opt to verify attestation manifest for specific platform
CrazyMax
2026-01-14 12:59:10 +01:00
committed by GitHub
3 changed files with 19 additions and 2 deletions


@@ -23,6 +23,7 @@ import {Build} from '../../src/buildx/build';
import {Install as CosignInstall} from '../../src/cosign/install';
import {Docker} from '../../src/docker/docker';
import {Exec} from '../../src/exec';
import {OCI} from '../../src/oci/oci';
import {Sigstore} from '../../src/sigstore/sigstore';
const fixturesDir = path.join(__dirname, '..', '.fixtures');
@@ -114,6 +115,20 @@ maybe('verifyImageAttestations', () => {
},
60000
);
it('default platform', async () => {
const sigstore = new Sigstore();
const verifyResults = await sigstore.verifyImageAttestations('moby/buildkit:master@sha256:84014da3581b2ff2c14cb4f60029cf9caa272b79e58f2e89c651ea6966d7a505', {
certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/bake.yml.*$`,
platform: OCI.defaultPlatform()
});
expect(Object.keys(verifyResults).length).toEqual(1);
for (const [attestationRef, res] of Object.entries(verifyResults)) {
expect(attestationRef).toBeDefined();
expect(res.cosignArgs).toBeDefined();
expect(res.signatureManifestDigest).toBeDefined();
}
});
});
maybeIdToken('signProvenanceBlobs', () => {
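Review bot: The new 'default platform' case resolves the platform from the runner via `OCI.defaultPlatform()`, so the expected count of 1 only holds where the pinned `moby/buildkit:master` index carries an attestation for the host os/arch; on any other runner `verifyImageAttestations` throws `No attestation manifests found` instead of the case failing or skipping for a stated reason. Pin an explicit platform instead so the case is deterministic across runners — if `Platform` follows the OCI descriptor shape that is something like `platform: {os: 'linux', architecture: 'amd64'}`, but confirm the field names in `src/oci/descriptor`. The assertion also only counts entries; since the result map is keyed by attestation ref, asserting that single key against the known attestation digest for the chosen platform would still catch a regression where `platform` is ignored on an image that happens to have one attestation. The enclosing `maybe('verifyImageAttestations', …)` block starts before this hunk.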


@@ -133,8 +133,8 @@ export class Sigstore {
for (const [attestationRef, signedRes] of Object.entries(signedManifestsResult)) {
await core.group(`Verifying signature of ${attestationRef}`, async () => {
const verifyResult = await this.verifyImageAttestation(attestationRef, {
noTransparencyLog: opts.noTransparencyLog || !signedRes.tlogID,
certificateIdentityRegexp: opts.certificateIdentityRegexp,
noTransparencyLog: opts.noTransparencyLog || !signedRes.tlogID,
retryOnManifestUnknown: opts.retryOnManifestUnknown
});
core.info(`Signature manifest verified: https://oci.dag.dev/?image=${signedRes.imageName}@${verifyResult.signatureManifestDigest}`);
@@ -147,7 +147,7 @@ export class Sigstore {
public async verifyImageAttestations(image: string, opts: VerifySignedManifestsOpts): Promise<Record<string, VerifySignedManifestsResult>> {
const result: Record<string, VerifySignedManifestsResult> = {};
const attestationDigests = await this.imageTools.attestationDigests(image);
const attestationDigests = await this.imageTools.attestationDigests(image, opts.platform);
if (attestationDigests.length === 0) {
throw new Error(`No attestation manifests found for ${image}`);
}
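Review bot: With `opts.platform` set, the `No attestation manifests found for ${image}` error thrown right after the new `attestationDigests(image, opts.platform)` call no longer tells the caller that the lookup was platform-filtered, so asking for a platform that is absent from the index reads like an unattested image. Include the filter in the message, e.g. `throw new Error('No attestation manifests found for ' + image + (opts.platform ? ' (platform ' + JSON.stringify(opts.platform) + ')' : ''));`. The method should also get a TSDoc line stating that when `platform` is set only that platform's attestation manifest is verified and the returned record says nothing about the other platforms in the index, since a caller may otherwise read a successful result as covering the whole image. How `attestationDigests` matches the platform (exact os/arch/variant or normalised) is outside this hunk, and the body of `verifyImageAttestations` continues past it.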


@@ -17,6 +17,7 @@
import type {SerializedBundle} from '@sigstore/bundle';
import {Subject} from '../intoto/intoto';
import {Platform} from '../oci/descriptor';
export const FULCIO_URL = 'https://fulcio.sigstore.dev';
export const REKOR_URL = 'https://rekor.sigstore.dev';
@@ -47,6 +48,7 @@ export interface SignAttestationManifestsResult extends ParsedBundle {
export interface VerifySignedManifestsOpts {
certificateIdentityRegexp: string;
platform?: Platform;
noTransparencyLog?: boolean;
retryOnManifestUnknown?: boolean;
}
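Review bot: The new `platform?: Platform` member of `VerifySignedManifestsOpts` has no documentation, and its effect on the trust decision is not obvious from the name: when it is set, `verifyImageAttestations` verifies only the attestation manifest selected for that platform, so a passing result does not cover the other platforms in the index. Document that on the field, e.g. `/** Verify only the attestation manifest for this platform; when unset, every attestation manifest in the image index is verified. A passing result for one platform says nothing about the others. */`. The other members carry no TSDoc either; `certificateIdentityRegexp` in particular is presumably handed to cosign's identity check (the test output exposes `cosignArgs`), so a short note that it is a regular expression the caller should anchor and dot-escape would make the options type self-describing.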