sigstore_verification/
lib.rs

1use std::path::Path;
2use thiserror::Error;
3
4pub mod api;
5pub mod bundle;
6pub mod sources;
7pub mod verifiers;
8pub mod verify;
9
10// Re-export commonly used types
11pub use api::{Attestation, AttestationClient, FetchParams};
12pub use bundle::{ParsedBundle, SlsaProvenance};
13pub use sources::{ArtifactRef, AttestationSource};
14pub use verifiers::{Policy, VerificationResult, Verifier};
15pub use verify::verify_attestations;
16
17#[derive(Debug, Error)]
18pub enum AttestationError {
19    #[error("API error: {0}")]
20    Api(String),
21
22    #[error("Verification failed: {0}")]
23    Verification(String),
24
25    #[error("No attestations found")]
26    NoAttestations,
27
28    #[error("Invalid digest format: {0}")]
29    InvalidDigest(String),
30
31    #[error("IO error: {0}")]
32    Io(#[from] std::io::Error),
33
34    #[error("HTTP error: {0}")]
35    Http(#[from] reqwest::Error),
36
37    #[error("JSON error: {0}")]
38    Json(#[from] serde_json::Error),
39
40    #[error("Sigstore error: {0}")]
41    Sigstore(String),
42}
43
44pub type Result<T> = std::result::Result<T, AttestationError>;
45
46// ===== Generic Verification Functions =====
47
48/// Verify an artifact using any source and verifier
49pub async fn verify_artifact(
50    artifact_path: &Path,
51    source: &dyn AttestationSource,
52    verifier: &dyn Verifier,
53    policy: Option<&Policy>,
54) -> Result<VerificationResult> {
55    let artifact_ref = ArtifactRef::from_path(artifact_path)?;
56    let attestations = source.fetch_attestations(&artifact_ref).await?;
57
58    if attestations.is_empty() {
59        return Err(AttestationError::NoAttestations);
60    }
61
62    // Parse the first attestation into a bundle
63    let bundle = bundle::parse_bundle(&attestations[0])?;
64
65    // Use provided policy or default
66    let default_policy = Policy::default();
67    let policy = policy.unwrap_or(&default_policy);
68
69    // Verify using the specified verifier
70    verifier.verify(&bundle, artifact_path, policy).await
71}
72
73/// Verify a Cosign signature or bundle from a file (keyless)
74pub async fn verify_cosign_signature(
75    artifact_path: &Path,
76    sig_or_bundle_path: &Path,
77) -> Result<bool> {
78    let source = sources::file::FileSource::new(sig_or_bundle_path);
79    let verifier = verifiers::cosign::CosignVerifier::new_keyless();
80
81    let result = verify_artifact(artifact_path, &source, &verifier, None).await?;
82
83    Ok(result.success)
84}
85
86/// Verify a Cosign signature using a public key
87pub async fn verify_cosign_signature_with_key(
88    artifact_path: &Path,
89    sig_or_bundle_path: &Path,
90    public_key_path: &Path,
91) -> Result<bool> {
92    let source = sources::file::FileSource::new(sig_or_bundle_path);
93    let verifier = verifiers::cosign::CosignVerifier::new_with_key_file(public_key_path).await?;
94
95    let result = verify_artifact(artifact_path, &source, &verifier, None).await?;
96
97    Ok(result.success)
98}
99
100/// Verify SLSA provenance from a file
101pub async fn verify_slsa_provenance(
102    artifact_path: &Path,
103    provenance_path: &Path,
104    min_level: u8,
105) -> Result<bool> {
106    let source = sources::file::FileSource::new(provenance_path);
107    let verifier = verifiers::slsa::SlsaVerifier::new(min_level);
108
109    let policy = Policy {
110        slsa_level: Some(min_level),
111        ..Default::default()
112    };
113
114    let result = verify_artifact(artifact_path, &source, &verifier, Some(&policy)).await?;
115
116    Ok(result.success)
117}
118
119// ===== Legacy GitHub-specific function (for backwards compatibility) =====
120
121/// Verify a GitHub artifact attestation
122///
123/// # Arguments
124/// * `artifact_path` - Path to the artifact file to verify
125/// * `owner` - GitHub organization or user that owns the repository
126/// * `repo` - Repository name (without owner)
127/// * `token` - Optional GitHub token for API authentication
128/// * `signer_workflow` - Optional workflow path to verify against
129pub async fn verify_github_attestation(
130    artifact_path: &Path,
131    owner: &str,
132    repo: &str,
133    token: Option<&str>,
134    signer_workflow: Option<&str>,
135) -> Result<bool> {
136    // Calculate artifact digest
137    let digest = calculate_file_digest(artifact_path)?;
138
139    // Create API client
140    let client = AttestationClient::new(token)?;
141
142    // Fetch attestations from GitHub
143    let params = FetchParams {
144        owner: owner.to_string(),
145        repo: Some(format!("{}/{}", owner, repo)),
146        digest: format!("sha256:{}", digest),
147        limit: 30,
148        predicate_type: Some("https://slsa.dev/provenance/v1".to_string()),
149    };
150
151    let attestations = client.fetch_attestations(params).await?;
152
153    if attestations.is_empty() {
154        return Err(AttestationError::NoAttestations);
155    }
156
157    // Verify attestations
158    verify::verify_attestations(&attestations, artifact_path, signer_workflow).await?;
159
160    Ok(true)
161}
162
163pub fn calculate_file_digest(path: &Path) -> Result<String> {
164    use sha2::{Digest, Sha256};
165    use std::fs::File;
166    use std::io::Read;
167
168    let mut file = File::open(path)?;
169    let mut hasher = Sha256::new();
170    let mut buffer = [0; 8192];
171
172    loop {
173        let bytes_read = file.read(&mut buffer)?;
174        if bytes_read == 0 {
175            break;
176        }
177        hasher.update(&buffer[..bytes_read]);
178    }
179
180    Ok(hex::encode(hasher.finalize()))
181}
sigstore_verification/lib.rs

sigstore_verification/
lib.rs
