
// Verifier implementations; each submodule is expected to provide an
// implementation of the `Verifier` trait declared below (their contents are
// not visible in this file).
pub mod cosign;
pub mod github;
pub mod slsa;
4
5use crate::Result;
6use crate::bundle::ParsedBundle;
7use async_trait::async_trait;
8use std::path::Path;
9
/// Verification policy that can be applied during verification.
///
/// Every requirement is optional. The derived `Default` produces a policy
/// with no requirements at all (`None`, `false`, empty), so callers who
/// want a meaningful trust decision must set the fields that matter rather
/// than rely on the default. How a set field is matched (exact string vs.
/// pattern) is decided by each `Verifier` implementation, not here —
/// confirm against the implementation in use.
#[derive(Debug, Clone, Default)]
pub struct Policy {
    /// Required SLSA level (1, 2, or 3); `None` expresses no level requirement.
    pub slsa_level: Option<u8>,
    /// Required certificate identity; `None` presumably leaves the identity
    /// unchecked — confirm in each verifier.
    pub certificate_identity: Option<String>,
    /// Required OIDC issuer; `None` presumably leaves the issuer unchecked —
    /// confirm in each verifier.
    pub certificate_oidc_issuer: Option<String>,
    /// Required workflow/builder identity.
    pub signer_workflow: Option<String>,
    /// Allow self-hosted runners. Defaults to `false` via `Default`, i.e.
    /// self-hosted runners are rejected unless explicitly allowed.
    pub allow_self_hosted: bool,
    /// Custom policy expressions (future: CUE or Rego).
    /// NOTE(review): nothing in this module evaluates these entries; confirm
    /// whether any verifier consumes them before relying on them, since an
    /// unevaluated policy entry silently has no effect.
    pub custom_policies: Vec<String>,
}
26
/// Result of verification.
///
/// Returned inside `Ok` by `Verifier::verify`. As far as this declaration
/// shows, only `success` carries the verdict; the other fields are
/// descriptive, so a populated `slsa_level` or `certificate_identity` does
/// not by itself mean the policy was satisfied.
#[derive(Debug)]
pub struct VerificationResult {
    /// Whether verification succeeded.
    pub success: bool,
    /// SLSA level achieved (if applicable); `None` when not determined.
    pub slsa_level: Option<u8>,
    /// Certificate identity found in the attestation, if any.
    pub certificate_identity: Option<String>,
    /// Builder/workflow identity, if any.
    pub builder_identity: Option<String>,
    /// Any warnings or notes. Informational only — presumably may be
    /// non-empty even when `success` is `true`; confirm in the verifiers.
    pub messages: Vec<String>,
}
41
/// Trait for different verification strategies.
///
/// Implementors must be `Send + Sync` so a verifier can be shared across
/// async tasks; the `async fn` is made object-safe via `async_trait`.
#[async_trait]
pub trait Verifier: Send + Sync {
    /// Verify an attestation bundle against an artifact.
    ///
    /// # Arguments
    /// * `bundle` - the parsed attestation bundle to check
    /// * `artifact_path` - path of the artifact the bundle is expected to cover
    /// * `policy` - requirements the attestation must satisfy
    ///
    /// # Returns
    /// `Ok(VerificationResult)` describing the outcome, with `success`
    /// carrying the verdict. This signature does not fix whether a policy
    /// mismatch is reported as `Err` or as `Ok` with `success == false`;
    /// that is up to each implementation, so callers must treat both as a
    /// failed verification.
    async fn verify(
        &self,
        bundle: &ParsedBundle,
        artifact_path: &Path,
        policy: &Policy,
    ) -> Result<VerificationResult>;

    /// Get the verifier type name for logging: a static identifier naming
    /// the implementation.
    fn verifier_type(&self) -> &'static str;
}