From a5dc8e7614fa31ed5a59506e59b4153150d46f8a Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Wed, 14 Jan 2026 12:23:11 +0100
Subject: [PATCH] sigstore: opt to verify attestation manifest for specific platform

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 __tests__/sigstore/sigstore.test.itg.ts | 15 +++++++++++++++
 src/sigstore/sigstore.ts | 4 ++--
 src/types/sigstore/sigstore.ts | 2 ++
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/__tests__/sigstore/sigstore.test.itg.ts b/__tests__/sigstore/sigstore.test.itg.ts
index 6fff3f63..41208441 100644
--- a/__tests__/sigstore/sigstore.test.itg.ts
+++ b/__tests__/sigstore/sigstore.test.itg.ts
@@ -23,6 +23,7 @@ import {Build} from '../../src/buildx/build';
 import {Install as CosignInstall} from '../../src/cosign/install';
 import {Docker} from '../../src/docker/docker';
 import {Exec} from '../../src/exec';
+import {OCI} from '../../src/oci/oci';
 import {Sigstore} from '../../src/sigstore/sigstore';
 const fixturesDir = path.join(__dirname, '..', '.fixtures');
@@ -114,6 +115,20 @@ maybe('verifyImageAttestations', () => {
 },
 60000
 );
+
+ it('default platform', async () => {
+ const sigstore = new Sigstore();
+ const verifyResults = await sigstore.verifyImageAttestations('moby/buildkit:master@sha256:84014da3581b2ff2c14cb4f60029cf9caa272b79e58f2e89c651ea6966d7a505', {
+ certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/bake.yml.*$`,
+ platform: OCI.defaultPlatform()
+ });
+ expect(Object.keys(verifyResults).length).toEqual(1);
+ for (const [attestationRef, res] of Object.entries(verifyResults)) {
+ expect(attestationRef).toBeDefined();
+ expect(res.cosignArgs).toBeDefined();
+ expect(res.signatureManifestDigest).toBeDefined();
+ }
+ });
 });
 maybeIdToken('signProvenanceBlobs', () => {
diff --git a/src/sigstore/sigstore.ts b/src/sigstore/sigstore.ts
index ed8c5d82..3ad9600b 100644
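Review bot: The new `it('default platform', …)` case omits the explicit timeout that the preceding case passes as its second argument (the `60000` visible in the context lines), so this network-bound verification runs under the default test timeout; closing it with `}, 60000);` keeps the two cases consistent. The case also exercises only the success path of the new `platform` option; a second case with a platform the pinned image does not publish would pin the `No attestation manifests found for …` rejection that `verifyImageAttestations` throws when the filter leaves nothing to verify. The enclosing `maybe('verifyImageAttestations', …)` block starts outside the hunk.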
--- a/src/sigstore/sigstore.ts
+++ b/src/sigstore/sigstore.ts
@@ -133,8 +133,8 @@ export class Sigstore {
 for (const [attestationRef, signedRes] of Object.entries(signedManifestsResult)) {
 await core.group(`Verifying signature of ${attestationRef}`, async () => {
 const verifyResult = await this.verifyImageAttestation(attestationRef, {
- noTransparencyLog: opts.noTransparencyLog || !signedRes.tlogID,
 certificateIdentityRegexp: opts.certificateIdentityRegexp,
+ noTransparencyLog: opts.noTransparencyLog || !signedRes.tlogID,
 retryOnManifestUnknown: opts.retryOnManifestUnknown
 });
 core.info(`Signature manifest verified: https://oci.dag.dev/?image=${signedRes.imageName}@${verifyResult.signatureManifestDigest}`);
@@ -147,7 +147,7 @@ export class Sigstore {
 public async verifyImageAttestations(image: string, opts: VerifySignedManifestsOpts): Promise> {
 const result: Record = {};
- const attestationDigests = await this.imageTools.attestationDigests(image);
+ const attestationDigests = await this.imageTools.attestationDigests(image, opts.platform);
 if (attestationDigests.length === 0) {
 throw new Error(`No attestation manifests found for ${image}`);
 }
diff --git a/src/types/sigstore/sigstore.ts b/src/types/sigstore/sigstore.ts
index 97255567..b08e1ffe 100644
--- a/src/types/sigstore/sigstore.ts
+++ b/src/types/sigstore/sigstore.ts
@@ -17,6 +17,7 @@ import type {SerializedBundle} from '@sigstore/bundle';
 import {Subject} from '../intoto/intoto';
+import {Platform} from '../oci/descriptor';
 export const FULCIO_URL = 'https://fulcio.sigstore.dev';
 export const REKOR_URL = 'https://rekor.sigstore.dev';
@@ -47,6 +48,7 @@ export interface SignAttestationManifestsResult extends ParsedBundle {
 export interface VerifySignedManifestsOpts {
 certificateIdentityRegexp: string;
+ platform?: Platform;
 noTransparencyLog?: boolean;
 retryOnManifestUnknown?: boolean;
 }
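Review bot: With `opts.platform` set, the throw two lines below the changed `attestationDigests` call still says `No attestation manifests found for ${image}`, which hides that a platform filter, not the image, left nothing to verify; widening it to `const scope = opts.platform ? ' (platform ' + JSON.stringify(opts.platform) + ')' : '';` followed by `throw new Error('No attestation manifests found for ' + image + scope);` (or the template-literal equivalent) makes a misconfigured platform diagnosable from the error alone. The option also changes what a successful return means — only the attestation manifest selected by the platform is verified, not every attestation manifest of the image — and nothing in the signature says so; a TSDoc on `verifyImageAttestations` should state that `opts.platform` narrows verification to the matching attestation manifest and that omitting it keeps the previous unfiltered behaviour. Whether `attestationDigests` with an undefined platform behaves exactly like the old one-argument call cannot be confirmed from this hunk. `verifyImageAttestations` continues past the hunk.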
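Review bot: The added `platform?: Platform;` field in `VerifySignedManifestsOpts` carries no TSDoc even though it changes what a successful `verifyImageAttestations` call covers; a line such as `/** Verify only the attestation manifest matching this platform; when omitted, verification is not narrowed by platform. */` above it documents the contract where callers read it. The import in the earlier hunk of this file also differs in kind from its neighbour: `SerializedBundle` comes in through `import type`, while `Platform` is a value import; if `Platform` is a type-only export of `../oci/descriptor`, `import type {Platform} from '../oci/descriptor';` keeps the file consistent and avoids a runtime import that exists only for a type.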