sigstore: default blob attestation verification to SLSA provenance v1

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

__tests__/sigstore/sigstore.test.itg.ts

@@ -36,7 +36,7 @@ const maybeIdToken = runTest && process.env.ACTIONS_ID_TOKEN_REQUEST_URL ? descr
 beforeAll(async () => {
   const cosignInstall = new CosignInstall();
   const cosignBinPath = await cosignInstall.download({
-    version: 'v3.0.4'
+    version: 'v3.0.6'
   });
   await cosignInstall.install(cosignBinPath);
 }, 100000);

src/sigstore/sigstore.ts

@@ -55,6 +55,8 @@ export interface SigstoreOpts {
   imageTools?: ImageTools;
 }
 
+const COSIGN_PREDICATE_SLSA_PROVENANCE_V1 = 'slsaprovenance1';
+
 export class Sigstore {
   private readonly cosign: Cosign;
   private readonly imageTools: ImageTools;
@@ -352,7 +354,8 @@ export class Sigstore {
             'verify-blob-attestation',
             '--new-bundle-format',
             '--certificate-oidc-issuer', 'https://token.actions.githubusercontent.com',
-            '--certificate-identity-regexp', opts.certificateIdentityRegexp
+            '--certificate-identity-regexp', opts.certificateIdentityRegexp,
+            '--type', opts.predicateType ?? COSIGN_PREDICATE_SLSA_PROVENANCE_V1
           ]
           if (opts.noTransparencyLog || !signedRes.tlogID) {
             // if there is no tlog entry, we skip tlog verification but still verify the signed timestamp

src/types/sigstore/sigstore.ts

@@ -73,6 +73,7 @@ export interface SignProvenanceBlobsResult extends ParsedBundle {
 }
 
 export interface VerifySignedArtifactsOpts {
+  predicateType?: string;
   certificateIdentityRegexp: string;
   noTransparencyLog?: boolean;
 }