

Add a bundle test for a dsse envelope containing an in-toto statement
Based on the example in https://blog.sigstore.dev/cosign-verify-bundles/

Signed-off-by: Samuel Giddins <[email protected]>
segiddins committed Sep 30, 2024
1 parent 63fbf5b commit d12f919
Showing 2 changed files with 26 additions and 0 deletions.
@@ -0,0 +1 @@
{"mediaType":"application/vnd.dev.sigstore.bundle.v0.3+json","verificationMaterial":{"certificate":{"rawBytes":"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"},"tlogEntries":[{"logIndex":"117513925","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"dsse","version":"0.0.1"},"integratedTime":"1722534329","inclusionPromise":{"signedEntryTimestamp":"MEQCIFG8ZCdYFI59NceZk6GFcDr6DHZzsr/49BhC4+/UzE6BAiB5Ar8D3PVnY8wk/Lf8bmvXLYBwhFfm7lT/quWsHTcQ6Q=="},"inclusionProof":{"logIndex":"113350494","rootHash":"GvQZjfi5e/txBke5DHuH60yZvGIHH5Gio2SebhPaCEI=","treeSize":"113350495","hashes":["kPrxogBgaiYBXPrmuiW6QFOyTsxapj5cRf7cLIkqlgk=","DdvY90h0+dUi9j0qbMiDVoz909rvh/4dVUQMzzlBX5I=","a/tpVNeDpYQvxh/m+m8A6FeQ/T16k0zvqWGpIhzNCxo=","KVKUkLOiDtSREGq9LSKSRbqvFBS6exZH5gScdNZDrBg=","ScYpw/wE6PSFB+25jVDX8TGGv5v3NmtrRCDbYBkkixs=","K41lYwn1iiRbu6AbHBn6QivuYq6WwJMxHv9KIiuy7P4=","Tin7wAz5RFeq6pyG+JXqe1qu1zDEbuhp/avhF8uCIdQ=","ykODIW0asUt9iLiPkPZeFJ7BFX5wfmukdVDgnROLpao=","4LsTv7wQMkI52AInF2Ys10/g0ETbFuTb3EVCkkHQh7w=","NXpJjSuDOXfOYq/bz0pkkFMPcbA6Z3jXRoy6CLMR3ec=","RxKmXOfuvQ9mnX3J24an0YQevMQXFcs9ZFEo22azZHs=","yPZFEKyq0Jj5sObbCwB/LMHlcgQl8ux2d2IkRYWLIt8=","ndmjFxe89oJp4z+fXcLQM1BmC+7Sp8m8VMkNIafNhYk=","a6kLnwN4nPldqWq4OoO6Mz25ZQx1TaLMF0IbMSMVduQ=","98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8="],"checkpoint":{"envelope":"rekor.sigstore.dev - 2605736670972794746\n113350495\nGvQZjfi5e/txBke5DHuH60yZvGIHH5Gio2SebhPaCEI=\n\n— rekor.sigstore.dev wNI9ajBFAiEAqYstPGer1HBA8VwBtocst5HSENaQX+rkGJzZnTKYroECIHgo61Y0oO3j8oa4sTLo+IUtn9+z3F6jnaDxDh38p+yZ\n"}},"canonicalizedBody":"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"}],"timestampVerificationData":{}},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIGbcbU4/P6jNN4juuI+LfhzSWg26K9p2FVclK4JTdveeAiEAvLzdI2SfZKeW+WgxclNu2hGXxybJdJv4lYdOlwUTtmg="}]}}
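--- a/test/test_bundle.py
+++ b/test/test_bundle.py
@@ -417,3 +417,28 @@ def temp_bundle_path(bundle: dict) -> Path:
 )
 except ClientFail as e:
 pytest.fail(f"verify for {artifact['url']} failed: {e}")
+
+def test_verify_in_toto_in_dsse_envelope(
+client: SigstoreClient,
+) -> None:
+"""
+Check that the client can verify a bundle that contains an in-toto
+metadata file in a DSSE envelope.
+"""
+sha256 = "cd53809273ad6011fdd98e0244c5c2276b15f3dd1294e4715627ebd4f9c6e0f1"
+bundle_path = Path(f"sha256:{sha256}.jsonl")
+
+try:
+client.run(
+"verify-bundle",
+"--bundle",
+str(bundle_path),
+"--certificate-identity",
+"https://github.com/cli/cli/.github/workflows/deployment.yml@refs/heads/trunk",
+"--certificate-oidc-issuer",
+"https://token.actions.githubusercontent.com",
+"--verify-digest",
+f"sha256:{sha256}",
+)
+except ClientFail as e:
+pytest.fail(f"verify for sha256:{sha256} failed: {e}")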
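Review bot: test_verify_in_toto_in_dsse_envelope only exercises the accepting path, so a client that accepts any well-formed DSSE envelope without comparing the `--verify-digest` value against the in-toto statement would still pass; unless a negative DSSE case exists elsewhere in this file, a second `client.run(...)` with a mismatched digest (or identity) wrapped in `with pytest.raises(ClientFail):` would pin that the check is actually performed. The docstring could also record what the fixture is, since the bundle is referenced only by its digest: something like `The fixture is a v0.3 sigstore bundle whose DSSE envelope carries an application/vnd.in-toto+json payload and a Rekor dsse entry; --verify-digest is presumably matched against that statement's subject rather than a local artifact -- confirm.` Separately, only one blank line separates the new def from the previous function's except block, where PEP 8 asks for two at module level.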
