mirror of
https://github.com/slsa-framework/slsa-verifier.git
synced 2026-05-06 00:26:39 +00:00
Uses the `sigstore-go` library for fetching the `TrustedRoot`, which
contains the Sigstore infrastructure certificates needed to validate the
leaf ephemeral certificates used to sign artifacts.
Refactors:
- replace `TrustedRootSingleton()` with `getDefaultCosignCheckOpts()`,
since only `VerifyImage()` will now need that data.
- replace `cosign.ValidateAndUnpackCert` with `sigstoreVerify.VerifyLeafCertificate()`
- use `sync.Once` for sigstore and rekor clients, and the `TrustedRoot`
## Testing
- existing tests continue to pass
- [negative tests](d96b977709/cli/slsa-verifier/main_regression_test.go (L450-L471)) against rekor TLogs
- manual invocations of `verify-artifact`.
---------
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
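
The commit message above says the `TrustedRoot` holds the certificates needed to validate ephemeral leaf certificates. The following is an added example, not code from this commit or from `sigstore-go`: it uses only Go's standard `crypto/x509` to show why such a leaf must be checked against the trusted root at the observed signing time rather than at the current time. The Ed25519 keys, the 10-minute lifetime, the certificate names and the helper functions are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with key; passing parent == tmpl yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// buildChain returns a constructed root CA and a 10-minute code-signing leaf issued at t.
func buildChain(t time.Time) (root, leaf *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed root"},
		NotBefore: t.Add(-time.Hour), NotAfter: t.AddDate(1, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = issue(ca, ca, caPub, caKey)
	lf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed leaf"},
		NotBefore: t, NotAfter: t.Add(10 * time.Minute), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	return root, issue(lf, root, leafPub, caKey)
}

// verifyLeafAt checks that leaf chains to root and was valid at the signing time `at`.
func verifyLeafAt(leaf, root *x509.Certificate, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

func main() {
	at := time.Now().Add(-24 * time.Hour) // constructed signing time, one day ago
	root, leaf := buildChain(at)
	fmt.Println(verifyLeafAt(leaf, root, at.Add(time.Minute)), verifyLeafAt(leaf, root, time.Now()))
}
```

The first check succeeds and the second reports an expired certificate, which is why a verifier needs a trustworthy record of when the signature was made.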