Attestation verification via glab CLI

Why are we doing this work

The purpose of this issue is to add supply chain attestation verification to the glab CLI.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

For the initial implementation the CLI should support verification of an artifact against a given project. In the future, we can expand to support other options similar to competitors.

Initial use case:

glab attestation verify FILE --project PROJECT_PATH

For example

glab attestation verify filename.txt --project gitlab-org/gitlab

Specifically, we'll need to add a new command, attestation, that has a verify subcommand.

  1. Add an attestation command. This can be done imitating the structure in internal/commands/mr/mr.go. This needs to be added to internal/commands/root.go in the same way the MR command is added.
  2. Add a verify command. This can be done by imitating internal/commands/mr/reopen/mr_reopen.go.
  3. Download the bundle from the attestation download API endpoint (see "Add attestation download API endpoint").
  4. Install sigstore-go.
  5. Verify the bundle against the signature you downloaded, with the appropriate certificate-identity and certificate-oidc-issuer. More information on how to do this is in the documentation and examples.
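Step 5 hinges on two values the verifier is given: the certificate identity (the SAN on the Fulcio-issued signing certificate) and the OIDC issuer that authenticated the signer. The example below is added here to show what that policy checks; it is not code from the glab project or from sigstore-go, and it uses only the Go standard library. In a real implementation sigstore-go also validates the certificate chain to the Fulcio root, the Rekor log entry and the artifact digest; this block covers only the identity and issuer comparison. The Fulcio extension OID 1.3.6.1.4.1.57264.1.8 (issuer as a DER UTF8String) is the one Fulcio documents; the function names, the self-signed test certificate and the GitLab-style identity URI and issuer values are constructed for the example and are assumptions, not values taken from this issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Fulcio records the OIDC issuer that authenticated the signer in a private
// X.509 extension. OID 1.3.6.1.4.1.57264.1.8 carries it as a DER UTF8String.
var oidFulcioIssuerV2 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}

// IdentityPolicy mirrors the certificate-identity and certificate-oidc-issuer
// values a verifier is configured with. (Type name is an assumption.)
type IdentityPolicy struct {
	Identity string // expected SAN (URI) on the signing certificate
	Issuer   string // expected OIDC issuer URL
}

// CheckSigningCertificate parses a DER-encoded certificate and enforces the
// policy: the Fulcio issuer extension must equal policy.Issuer and one of the
// URI SANs must equal policy.Identity. Both checks are required; a certificate
// issued for another project under the same issuer must be rejected.
func CheckSigningCertificate(der []byte, policy IdentityPolicy) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	issuer, err := fulcioIssuer(cert)
	if err != nil {
		return err
	}
	if issuer != policy.Issuer {
		return fmt.Errorf("oidc issuer %q does not match expected %q", issuer, policy.Issuer)
	}
	for _, u := range cert.URIs {
		if u.String() == policy.Identity {
			return nil
		}
	}
	return fmt.Errorf("certificate SANs %v do not contain identity %q", cert.URIs, policy.Identity)
}

// fulcioIssuer extracts the issuer URL from the Fulcio extension, or fails if
// the certificate has none (a certificate without it was not issued by Fulcio
// for an OIDC identity and must not pass the policy).
func fulcioIssuer(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidFulcioIssuerV2) {
			var s string
			if _, err := asn1.Unmarshal(ext.Value, &s); err != nil {
				return "", fmt.Errorf("decode issuer extension: %w", err)
			}
			return s, nil
		}
	}
	return "", fmt.Errorf("certificate has no Fulcio issuer extension")
}

// NewTestCertificate builds a self-signed certificate shaped like a Fulcio
// signing certificate: identity in a URI SAN, issuer in the Fulcio extension.
// Constructed for this example only; real certificates chain to Fulcio.
func NewTestCertificate(identity, issuer string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	id, err := url.Parse(identity)
	if err != nil {
		return nil, err
	}
	issuerDER, err := asn1.MarshalWithParams(issuer, "utf8")
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(10 * time.Minute),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		URIs:            []*url.URL{id},
		ExtraExtensions: []pkix.Extension{{Id: oidFulcioIssuerV2, Value: issuerDER}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	// Constructed GitLab-style identity and issuer values (assumed format).
	policy := IdentityPolicy{
		Identity: "https://gitlab.com/gitlab-org/gitlab//.gitlab-ci.yml@refs/heads/main",
		Issuer:   "https://gitlab.com",
	}
	good, err := NewTestCertificate(policy.Identity, policy.Issuer)
	if err != nil {
		panic(err)
	}
	fmt.Println("matching certificate:", CheckSigningCertificate(good, policy))
	other, _ := NewTestCertificate("https://gitlab.com/other-group/repo//.gitlab-ci.yml@refs/heads/main", policy.Issuer)
	fmt.Println("other project, same issuer:", CheckSigningCertificate(other, policy))
}
```

The --project flag in the planned command maps naturally onto the identity value: the verifier should derive the expected SAN from the project path rather than accept any certificate from the issuer, otherwise a bundle signed by any pipeline on the same instance would verify.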

The GitLab.org / cli project uses cobra as its CLI framework.

Verification steps

  1. Do the steps highlighted in "Polish the MVC end-to-end Attestation workflow", but perform the validation using the newly added glab attestation verify command 🎉