Draft: Add new "attestation verify" command
Something is wrong with how I installed sigstore-go: it caused a full rewrite of the mod files.
Output:
make && bin/glab attestation verify
{
"mediaType": "application/vnd.dev.sigstore.verificationresult+json;version=0.1",
"signature": {
"certificate": {
"certificateIssuer": "CN=sigstore-intermediate,O=sigstore.dev",
"subjectAlternativeName": "https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main",
"issuer": "https://token.actions.githubusercontent.com",
"githubWorkflowTrigger": "push",
"githubWorkflowSHA": "dae8bd8eb433a4147b4655c00fe73e0f22bc0fb1",
"githubWorkflowName": "Release",
"githubWorkflowRepository": "sigstore/sigstore-js",
"githubWorkflowRef": "refs/heads/main",
"buildSignerURI": "https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main",
"buildSignerDigest": "dae8bd8eb433a4147b4655c00fe73e0f22bc0fb1",
"runnerEnvironment": "github-hosted",
"sourceRepositoryURI": "https://github.com/sigstore/sigstore-js",
"sourceRepositoryDigest": "dae8bd8eb433a4147b4655c00fe73e0f22bc0fb1",
"sourceRepositoryRef": "refs/heads/main",
"sourceRepositoryIdentifier": "495574555",
"sourceRepositoryOwnerURI": "https://github.com/sigstore",
"sourceRepositoryOwnerIdentifier": "71096353",
"buildConfigURI": "https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main",
"buildConfigDigest": "dae8bd8eb433a4147b4655c00fe73e0f22bc0fb1",
"buildTrigger": "push",
"runInvocationURI": "https://github.com/sigstore/sigstore-js/actions/runs/4735384265/attempts/1"
}
},
"verifiedTimestamps": [
{
"type": "Tlog",
"uri": "https://rekor.sigstore.dev",
"timestamp": "2023-04-19T05:45:12+12:00"
}
],
"verifiedIdentity": {
"subjectAlternativeName": {
"subjectAlternativeName": "",
"regexp": "^https://github.com/sigstore/sigstore-js/"
},
"issuer": {
"issuer": "https://token.actions.githubusercontent.com"
}
},
"statement": {
"_type": "https://in-toto.io/Statement/v0.1",
"subject": [
{
"name": "pkg:npm/sigstore@1.3.0",
"digest": {
"sha512": "76176ffa33808b54602c7c35de5c6e9a4deb96066dba6533f50ac234f4f1f4c6b3527515dc17c06fbe2860030f410eee69ea20079bd3a2c6f3dcf3b329b10751"
}
}
],
"predicateType": "https://slsa.dev/provenance/v0.2",
"predicate": {
"buildType": "https://github.com/npm/cli/gha/v2",
"builder": {
"id": "https://github.com/actions/runner"
},
"invocation": {
"configSource": {
"digest": {
"sha1": "dae8bd8eb433a4147b4655c00fe73e0f22bc0fb1"
},
"entryPoint": ".github/workflows/release.yml",
"uri": "git+https://github.com/sigstore/sigstore-js@refs/heads/main"
},
"environment": {
"GITHUB_EVENT_NAME": "push",
"GITHUB_REF": "refs/heads/main",
"GITHUB_REPOSITORY": "sigstore/sigstore-js",
"GITHUB_REPOSITORY_ID": "495574555",
"GITHUB_REPOSITORY_OWNER_ID": "71096353",
"GITHUB_RUN_ATTEMPT": "1",
"GITHUB_RUN_ID": "4735384265",
"GITHUB_SHA": "dae8bd8eb433a4147b4655c00fe73e0f22bc0fb1",
"GITHUB_WORKFLOW_REF": "sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main",
"GITHUB_WORKFLOW_SHA": "dae8bd8eb433a4147b4655c00fe73e0f22bc0fb1"
},
"parameters": {}
},
"materials": [
{
"digest": {
"sha1": "dae8bd8eb433a4147b4655c00fe73e0f22bc0fb1"
},
"uri": "git+https://github.com/sigstore/sigstore-js@refs/heads/main"
}
],
"metadata": {
"buildInvocationId": "4735384265-1",
"completeness": {
"environment": false,
"materials": false,
"parameters": false
},
"reproducible": false
}
}
}
}
Edited by Sam Roque-Worcel