add --trusted-root flag to conformance CLI

Signed-off-by: Brian DeHamer <[email protected]>
sigstore · Dec 15, 2023 · e06953a · e06953a
1 parent 57bec90
commit e06953a
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 5 deletions.
diff --git a/.changeset/slimy-apricots-look.md b/.changeset/slimy-apricots-look.md
@@ -0,0 +1,5 @@
+---
+"@sigstore/conformance": minor
+---
+
+Updates the `verify-bundle` subcommand with support for a new `--trusted-root` flag
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/conformance/package.json b/packages/conformance/package.json
@@ -18,6 +18,9 @@
   },
   "dependencies": {
     "@oclif/core": "^3",
+    "@sigstore/bundle": "^2.1.0",
+    "@sigstore/protobuf-specs": "^0.2.1",
+    "@sigstore/verify": "^0.0.0",
     "sigstore": "^2.0.0"
   },
   "devDependencies": {

diff --git a/packages/conformance/src/commands/verify-bundle.ts b/packages/conformance/src/commands/verify-bundle.ts
@@ -1,4 +1,7 @@
 import { Args, Command, Flags } from '@oclif/core';
+import { bundleFromJSON } from '@sigstore/bundle';
+import { TrustedRoot } from '@sigstore/protobuf-specs';
+import { Verifier, toSignedEntity, toTrustMaterial } from '@sigstore/verify';
 import fs from 'fs/promises';
 import * as sigstore from 'sigstore';
 
@@ -17,6 +20,10 @@ export default class VerifyBundle extends Command {
       description: 'the expected OIDC issuer for the signing certificate',
       required: true,
     }),
+    'trusted-root': Flags.string({
+      description: 'path to trusted root',
+      required: false,
+    }),
   };
 
   static override args = {
@@ -34,12 +41,31 @@ export default class VerifyBundle extends Command {
       .readFile(flags.bundle)
       .then((data) => JSON.parse(data.toString()));
     const artifact = await fs.readFile(args.file);
+    const trustedRootPath = flags['trusted-root'];
+
+    if (!trustedRootPath) {
+      const options: Parameters<typeof sigstore.verify>[2] = {
+        certificateIdentityURI: flags['certificate-identity'],
+        certificateIssuer: flags['certificate-oidc-issuer'],
+      };
 
-    const options: Parameters<typeof sigstore.verify>[2] = {
-      certificateIdentityURI: flags['certificate-identity'],
-      certificateIssuer: flags['certificate-oidc-issuer'],
-    };
+      sigstore.verify(bundle, artifact, options);
+    } else {
+      // Need to assemble the Verifier manually to pass in the trusted root
+      const trustedRoot = await fs
+        .readFile(trustedRootPath)
+        .then((data) => JSON.parse(data.toString()));
+      const trustMaterial = toTrustMaterial(TrustedRoot.fromJSON(trustedRoot));
+      const signedEntity = toSignedEntity(bundleFromJSON(bundle), artifact);
+      const policy = {
+        subjectAlternativeName: flags['certificate-identity'],
+        extensions: {
+          issuer: flags['certificate-oidc-issuer'],
+        },
+      };
 
-    sigstore.verify(bundle, artifact, options);
+      const verifier = new Verifier(trustMaterial);
+      verifier.verify(signedEntity, policy);
+    }
   }
 }