sigstore_verification/sources/
oci.rs

1use crate::api::Attestation;
2use crate::sources::{ArtifactRef, AttestationSource};
3use crate::{AttestationError, Result};
4use async_trait::async_trait;
5
6/// OCI registry source for fetching attestations from container registries
7/// This follows the Cosign attachment specification
8pub struct OciSource {
9    #[allow(dead_code)]
10    registry_url: String,
11    // TODO: Add OCI client configuration
12}
13
14impl OciSource {
15    pub fn new(registry_url: impl Into<String>) -> Self {
16        Self {
17            registry_url: registry_url.into(),
18        }
19    }
20}
21
22#[async_trait]
23impl AttestationSource for OciSource {
24    async fn fetch_attestations(&self, _artifact: &ArtifactRef) -> Result<Vec<Attestation>> {
25        // TODO: Implement OCI registry attestation fetching
26        // This would:
27        // 1. Connect to the OCI registry
28        // 2. Look for attestations attached to the artifact digest
29        // 3. Download and parse the attestation bundles
30        Err(AttestationError::Verification(
31            "OCI source not yet implemented".into(),
32        ))
33    }
34
35    fn source_type(&self) -> &'static str {
36        "OCI"
37    }
38}
sigstore_verification/sources/oci.rs

sigstore_verification/sources/
oci.rs
