package selfupdate

import "fmt"

// verifyCosign checks the detached signature over the checksums file by
// invoking `cosign verify-blob` through run.
//
// sumsPath is the blob being verified, sigPath its signature and certPath the
// signing certificate. The accepted signer is constrained by the package-level
// CosignIdentityRegexp and CosignOIDCIssuer values, which are declared outside
// this function. A nil return means run reported no error; otherwise the error
// from run is wrapped together with the (trimmed) tool output.
//
// NOTE(review): the identity is matched as a regular expression. Confirm that
// CosignIdentityRegexp is anchored at both ends, so that a longer identity
// merely containing the expected one is not accepted.
// NOTE(review): only the checksums file is authenticated here. The caller is
// presumably responsible for comparing the downloaded archive against that
// file afterwards; verify this at the call site.
// NOTE(review): how "cosign" is located is decided by run. If it is a PATH
// lookup, the trust of this check is that of the resolved binary.
func verifyCosign(run func(name string, args ...string) (string, error), sumsPath, sigPath, certPath string) error {
	output, runErr := run(
		"cosign",
		"verify-blob",
		"--signature", sigPath,
		"--certificate", certPath,
		"--certificate-identity-regexp", CosignIdentityRegexp,
		"--certificate-oidc-issuer", CosignOIDCIssuer,
		sumsPath,
	)
	if runErr == nil {
		return nil
	}
	// Keep the tool's own diagnostics next to the error so a rejected
	// signature can be told apart from a missing binary.
	return fmt.Errorf("%w (%s)", runErr, trimOutput(output))
}

// verifyAttestation checks the build provenance of the archive at archivePath
// by invoking `gh attestation verify` through run, with the expected source
// repository taken from the package-level ProvenanceRepo value (declared
// outside this function).
//
// A nil return means run reported no error; otherwise the error from run is
// wrapped together with the (trimmed) tool output.
//
// NOTE(review): the only constraint passed is --repo. Whether that is tight
// enough depends on who can run workflows in that repository; gh also offers
// --signer-workflow to pin the attesting workflow if a narrower policy is
// wanted.
// NOTE(review): how "gh" is located is decided by run. If it is a PATH
// lookup, the trust of this check is that of the resolved binary.
func verifyAttestation(run func(name string, args ...string) (string, error), archivePath string) error {
	output, runErr := run(
		"gh",
		"attestation", "verify", archivePath,
		"--repo", ProvenanceRepo,
	)
	if runErr == nil {
		return nil
	}
	// Surface gh's diagnostics alongside the underlying error.
	return fmt.Errorf("%w (%s)", runErr, trimOutput(output))
}

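// trimOutput bounds tool output to at most 240 bytes before it is embedded in
// an error message. Strings of 240 bytes or fewer are returned unchanged;
// longer ones are cut and suffixed with "...".
//
// The cut never lands inside a multi-byte UTF-8 sequence: slicing at a fixed
// byte offset could otherwise leave a truncated rune at the end of the
// message, which shows up as invalid UTF-8 in logs and JSON encoders.
//
// NOTE(review): apart from the length cap the text is passed through as-is,
// including any control characters the tool printed.
func trimOutput(s string) string {
	const limit = 240
	if len(s) <= limit {
		return s
	}
	cut := limit
	// A byte of the form 10xxxxxx is a UTF-8 continuation byte, so cutting in
	// front of it would split a rune. A rune has at most three continuation
	// bytes; bounding the back-off keeps non-UTF-8 output from being shortened
	// arbitrarily.
	for back := 0; back < 3 && cut > 0 && s[cut]&0xC0 == 0x80; back++ {
		cut--
	}
	return s[:cut] + "..."
}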