sigstore: opt to verify attestation manifest for specific platform

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
CrazyMax
2026-01-14 12:23:11 +01:00
parent c9ffda6adf
commit a5dc8e7614
3 changed files with 19 additions and 2 deletions


@@ -133,8 +133,8 @@ export class Sigstore {
for (const [attestationRef, signedRes] of Object.entries(signedManifestsResult)) {
await core.group(`Verifying signature of ${attestationRef}`, async () => {
const verifyResult = await this.verifyImageAttestation(attestationRef, {
noTransparencyLog: opts.noTransparencyLog || !signedRes.tlogID,
certificateIdentityRegexp: opts.certificateIdentityRegexp,
noTransparencyLog: opts.noTransparencyLog || !signedRes.tlogID,
retryOnManifestUnknown: opts.retryOnManifestUnknown
});
core.info(`Signature manifest verified: https://oci.dag.dev/?image=${signedRes.imageName}@${verifyResult.signatureManifestDigest}`);
@@ -147,7 +147,7 @@ export class Sigstore {
public async verifyImageAttestations(image: string, opts: VerifySignedManifestsOpts): Promise<Record<string, VerifySignedManifestsResult>> {
const result: Record<string, VerifySignedManifestsResult> = {};
const attestationDigests = await this.imageTools.attestationDigests(image);
const attestationDigests = await this.imageTools.attestationDigests(image, opts.platform);
if (attestationDigests.length === 0) {
throw new Error(`No attestation manifests found for ${image}`);
}
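Review bot: The `No attestation manifests found for ${image}` error thrown right after the new `attestationDigests(image, opts.platform)` call does not say which platform filter was in effect, so a caller that passed a platform the image has no attestation for gets the same message as an image with no attestations at all, which makes verification failures hard to diagnose from logs. Suggest `throw new Error(\`No attestation manifests found for ${image}\` + (opts.platform ? \` matching platform ${JSON.stringify(opts.platform)}\` : ''));` (JSON.stringify because the shape of `Platform` is not visible here). The first hunk only reorders the `noTransparencyLog` option and needs no change. `verifyImageAttestations` continues past the end of this hunk, so I could not confirm whether `opts.platform` is also honoured by the later per-digest verification loop; worth checking that the filter is applied once, at the digest lookup, rather than needing to be repeated.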


@@ -17,6 +17,7 @@
import type {SerializedBundle} from '@sigstore/bundle';
import {Subject} from '../intoto/intoto';
import {Platform} from '../oci/descriptor';
export const FULCIO_URL = 'https://fulcio.sigstore.dev';
export const REKOR_URL = 'https://rekor.sigstore.dev';
@@ -47,6 +48,7 @@ export interface SignAttestationManifestsResult extends ParsedBundle {
export interface VerifySignedManifestsOpts {
certificateIdentityRegexp: string;
platform?: Platform;
noTransparencyLog?: boolean;
retryOnManifestUnknown?: boolean;
}
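Review bot: The new `platform?: Platform` field on `VerifySignedManifestsOpts` has no TSDoc, and it is the option that decides how much of the image gets verified, so its contract should be stated next to it; suggest `/** Only verify the attestation manifest for this platform; when omitted, the platform filter is not applied to the attestation digest lookup. */` (the exact behaviour of the unfiltered lookup lives in `imageTools.attestationDigests`, which is outside this change). In the first hunk, `import {Platform} from '../oci/descriptor';` sits next to `import type {SerializedBundle} ...` and `Platform` is used only as a type in the visible code, so if that holds for the whole file, `import type {Platform} from '../oci/descriptor';` keeps the file consistent and avoids a runtime import of the descriptor module.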