add --verify-digest flag

Signed-off-by: Brian DeHamer <[email protected]>

Author: bdehamer

packages/cli/att.json

@@ -0,0 +1 @@
+{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"MIIC0DCCAlagAwIBAgIUX2vg/1EgATbtMEaf/YbyaHz1HKQwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjQwMzA3MjA0MjQ0WhcNMjQwMzA3MjA1MjQ0WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeqJuFoMyljW+GGB5SRBrR/YTv4+6Mfdr5YK/Yo+hTn45vQCAuEPWkmuoH0LI4AyWYKhoWtBmX9rZOCNSAwVPBaOCAXUwggFxMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUil8Vd48c2ZIMTWQxREQhilZdYZswHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0RAQH/BBUwE4ERYnJpYW5AZGVoYW1lci5jb20wLAYKKwYBBAGDvzABAQQeaHR0cHM6Ly9naXRodWIuY29tL2xvZ2luL29hdXRoMC4GCisGAQQBg78wAQgEIAweaHR0cHM6Ly9naXRodWIuY29tL2xvZ2luL29hdXRoMIGKBgorBgEEAdZ5AgQCBHwEegB4AHYA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGOGqdxDwAABAMARzBFAiEAp4xcs8rhxkPFseCfj95qMHmPCd0CUYkFGkO0XP1pX20CIHMPqlwdzAQhdkBsqWMfjH8Vvj80h27IMtprlTq6c40KMAoGCCqGSM49BAMDA2gAMGUCMQDQ2YqX/MuTTwYCR560eWIhJxQd6zdEVBxAwEStNOYa34CrIcXiA4SCYWqC72XU6XYCMDVt911+n5Xo2t2pkFXnnuFHn7WeBAlOczO2pZ0mqt1Il2FpY/8uElY7554xDWJd0Q=="}]},"tlogEntries":[{"logIndex":"76417136","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1709844165","inclusionPromise":{"signedEntryTimestamp":"MEUCIEHUFPQDCZp35CVvJ/oR9uj84HQ/WCNHrqRRRtpzNQ4oAiEA7mGsa6Td3A86hZpIOhKpjoeB2JL7irmbM/SZRp9zD+U="},"inclusionProof":{"logIndex":"72253705","rootHash":"V0uoTOpbERdFo6kmsNJYDF14ZCI6HA30fJwFNK82D1k=","treeSize":"72253706","hashes":["6zxGGIIsJy6IJZ0GOgPZVVYeF2gK9MJKBRJshKRFBEA=","lnAhXzdIz9hzwWwwdGw4VwlfdxCKHDcgFvz4lhjIhms=","BmAfvdsJnshW8WM0GhVAnnLZeQbbQ7Ic+AWtbaLokGs=","juoHKu2JXCXK05wS7JCE+dt4T0xEhCO3uZOwQgDnpLk=","BCtyCVAyart6p0F9UhUXKvvjrDzTG2HM8zmynPWhEpU=","hGL2U0kv4o7ALM+KI6bbQHMholGa0NI0Y5gz7hPRTNk=","XE7+Pykrktsdsy1ru6V4IsFAOKTJosu3KUa0//TCa0w=","7Z18YLBAvejEV4nJHIKoks/xlijnhR005qTW2w4QtHg=","98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8="],"checkpoint":{"envelope":"rekor.sigstore.dev - 2605736670972794746\n72253706\nV0uoTOpbERdFo6kmsNJYDF14ZCI6HA30fJwFNK82D1k=\n\n— rekor.sigstore.dev wNI9ajBFAiB+fajbz1Cc2uMLBvlVi8OS4xtcu8O4AwXX3YANgwL/ggIhANtS4C31RRZI+FudKP75Pq0LkbGMN2PVD2yLfT6ivyI0\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVU13UkVORFFXeGhaMEYzU1VKQlowbFZXREoyWnk4eFJXZEJWR0owVFVWaFppOVpZbmxoU0hveFNFdFJkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BSZDAxNlFUTk5ha0V3VFdwUk1GZG9ZMDVOYWxGM1RYcEJNMDFxUVRGTmFsRXdWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWbGNVcDFSbTlOZVd4cVZ5dEhSMEkxVTFKQ2NsSXZXVlIyTkNzMlRXWmtjalZaU3k4S1dXOHJhRlJ1TkRWMlVVTkJkVVZRVjJ0dGRXOUlNRXhKTkVGNVYxbExhRzlYZEVKdFdEbHlXazlEVGxOQmQxWlFRbUZQUTBGWVZYZG5aMFo0VFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWcGJEaFdDbVEwT0dNeVdrbE5WRmRSZUZKRlVXaHBiRnBrV1ZwemQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQwaDNXVVJXVWpCU1FWRklMMEpDVlhkRk5FVlNXVzVLY0ZsWE5VRmFSMVp2V1ZjeGJHTnBOV3BpTWpCM1RFRlpTMHQzV1VKQ1FVZEVkbnBCUWdwQlVWRmxZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRESjRkbG95YkhWTU1qbG9aRmhTYjAxRE5FZERhWE5IUVZGUlFtYzNPSGRCVVdkRkNrbEJkMlZoU0ZJd1kwaE5Oa3g1T1c1aFdGSnZaRmRKZFZreU9YUk1NbmgyV2pKc2RVd3lPV2hrV0ZKdlRVbEhTMEpuYjNKQ1owVkZRV1JhTlVGblVVTUtRa2gzUldWblFqUkJTRmxCTTFRd2QyRnpZa2hGVkVwcVIxSTBZMjFYWXpOQmNVcExXSEpxWlZCTE15OW9OSEI1WjBNNGNEZHZORUZCUVVkUFIzRmtlQXBFZDBGQlFrRk5RVko2UWtaQmFVVkJjRFI0WTNNNGNtaDRhMUJHYzJWRFptbzVOWEZOU0cxUVEyUXdRMVZaYTBaSGEwOHdXRkF4Y0ZneU1FTkpTRTFRQ25Gc2QyUjZRVkZvWkd0Q2MzRlhUV1pxU0RoV2RtbzRNR2d5TjBsTmRIQnliRlJ4Tm1NME1FdE5RVzlIUTBOeFIxTk5ORGxDUVUxRVFUSm5RVTFIVlVNS1RWRkVVVEpaY1ZndlRYVlVWSGRaUTFJMU5qQmxWMGxvU25oUlpEWjZaRVZXUW5oQmQwVlRkRTVQV1dFek5FTnlTV05ZYVVFMFUwTlpWM0ZETnpKWVZRbzJXRmxEVFVSV2REa3hNU3R1TlZodk1uUXljR3RHV0c1dWRVWkliamRYWlVKQmJFOWplazh5Y0Zvd2JYRjBNVWxzTWtad1dTODRkVVZzV1RjMU5UUjRDa1JYU21Rd1VUMDlDaTB0TFMwdFJVNUVJRU5GVWxSSlJrbERRVlJGTFMwdExTMD0iLCJzaWciOiJUVVZWUTBsUlF6WjZkakJxY0hreVZrUlBTbWxXVVhNd1R6aDViV0ZaU2t4YVV5dEJaWFphYTJ0R05FSnJaVTFhVm1kSloyUktkbnB3TkV0UGVUYzBhamR5TmpWMWNFRm9XVTUyVlROUVVXMVJNRGQwTjFsYWRYWlBkVmN2T0RROSJ9XX0sImhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIxYTcxYzYxYjE4YzExYTgwOGVjZjViY2IyNzRmZjFmNjZmM2UwMzIwMWI3ODM4YjY0MmExNmJmZDJhMzcxOWFlIn0sInBheWxvYWRIYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiZWMwNWU0ZWQ2MTljZWFhNjU0YjIyNzAwNmIyMWM4ZGQyMTc1NjM1NDFjYTJhOTAwZDkyNTU1ZmYzOWI1MzFhNyJ9fX19"}],"timestampVerificationData":{"rfc3161Timestamps":[]}},"dsseEnvelope":{"payload":"ewogICJfdHlwZSI6ICJodHRwczovL2luLXRvdG8uaW8vU3RhdGVtZW50L3YxIiwKICAic3ViamVjdCI6IFsKICAgIHsKICAgICAgIm5hbWUiOiAiZGVoYW1lci5henVyZWNyLmlvL2dpdGh1Yi90cnVzdC1tZXRhZGF0YS1kZW1vIiwKICAgICAgImRpZ2VzdCI6IHsKICAgICAgICAic2hhMjU2IjogIjIxOTMyMDdhMjJkOGQ4ZDk3MzUxMmI0NmIxYzkyNWNmYmQyMDdmNmY0OTlhOGExZDZkNTJiNjY1MTkwZDc1YTgiCiAgICAgIH0KICAgIH0KICBdLAogICJwcmVkaWNhdGVUeXBlIjogImh0dHBzOi8vaW4tdG90by5pby9hdHRlc3RhdGlvbi9yZWxlYXNlL3YwLjEiLAogICJwcmVkaWNhdGUiOiB7CiAgICAicHVybCI6ICJwa2c6b2NpL3RydXN0LW1ldGFkYXRhLWRlbW9Ac2hhMjU2JTNBMjE5MzIwN2EyMmQ4ZDhkOTczNTEyYjQ2YjFjOTI1Y2ZiZDIwN2Y2ZjQ5OWE4YTFkNmQ1MmI2NjUxOTBkNzVhOD9yZXBvc2l0b3J5X3VybD1kZWhhbWVyLmF6dXJlY3IuaW8vZ2l0aHViL3RydXN0LW1ldGFkYXRhLWRlbW8iCiAgfQp9Cg==","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIQC6zv0jpy2VDOJiVQs0O8ymaYJLZS+AevZkkF4BkeMZVgIgdJvzp4KOy74j7r65upAhYNvU3PQmQ07t7YZuvOuW/84=","keyid":""}]}}

packages/cli/multistmt

@@ -0,0 +1,21 @@
+{
+  "_type": "https://in-toto.io/Statement/v1",
+  "subject": [
+    {
+      "name": "dehamer.azurecr.io/github/trust-metadata-demo",
+      "digest": {
+        "sha256": "2193207a22d8d8d973512b46b1c925cfbd207f6f499a8a1d6d52b665190d75a8"
+      }
+    },
+    {
+      "name": "dehamer.azurecr.io/github/trust-metadata-demo2",
+      "digest": {
+        "sha256": "3193207a22d8d8d973512b46b1c925cfbd207f6f499a8a1d6d52b665190d75a8"
+      }
+    }
+  ],
+  "predicateType": "https://in-toto.io/attestation/release/v0.1",
+  "predicate": {
+    "purl": "pkg:oci/trust-metadata-demo@sha256%3A2193207a22d8d8d973512b46b1c925cfbd207f6f499a8a1d6d52b665190d75a8?repository_url=dehamer.azurecr.io/github/trust-metadata-demo"
+  }
+}

packages/cli/src/oauth/client.mts

@@ -0,0 +1,69 @@
+import { BaseClient, Issuer, generators } from 'openid-client';
+
+interface OAuthClientOptions {
+  issuer: string;
+  redirectURL: string;
+  clientID: string;
+  clientSecret?: string;
+}
+
+// Returns an openid Client instance configured by looking up
+// the issuer's configuration from the well-known endpoint.
+export async function initializeOAuthClient(
+  options: OAuthClientOptions
+): Promise<OAuthClient> {
+  const authMethod = options.clientSecret ? 'client_secret_basic' : 'none';
+  const client = await Issuer.discover(options.issuer).then(
+    (issuer) =>
+      new issuer.Client({
+        client_id: options.clientID,
+        client_secret: options.clientSecret,
+        token_endpoint_auth_method: authMethod,
+      })
+  );
+
+  return new OAuthClient(client, options.redirectURL);
+}
+
+// Wrapper around an openid-client Client instance to maintain
+// state for the authorization flow.
+class OAuthClient {
+  private client: BaseClient;
+  private redirectURL: string;
+  private verifier: string;
+  private nonce: string;
+  private state: string;
+
+  constructor(client: BaseClient, redirectURL: string) {
+    this.client = client;
+    this.redirectURL = redirectURL;
+    this.verifier = generators.codeVerifier(32);
+    this.nonce = generators.nonce(32);
+    this.state = generators.state(16);
+  }
+
+  get authorizationUrl(): string {
+    return this.client.authorizationUrl({
+      scope: 'openid email',
+      redirect_uri: this.redirectURL,
+      code_challenge: generators.codeChallenge(this.verifier),
+      code_challenge_method: 'S256',
+      state: this.state,
+      nonce: this.nonce,
+    });
+  }
+
+  public async getIDToken(callbackURL: string): Promise<string> {
+    const params = this.client.callbackParams(callbackURL);
+    return (
+      this.client
+        .callback(this.redirectURL, params, {
+          response_type: 'code',
+          code_verifier: this.verifier,
+          state: this.state,
+          nonce: this.nonce,
+        })
+        .then((tokenSet) => tokenSet.id_token!)
+    );
+  }
+}

packages/cli/stmt

@@ -0,0 +1,15 @@
+{
+  "_type": "https://in-toto.io/Statement/v1",
+  "subject": [
+    {
+      "name": "dehamer.azurecr.io/github/trust-metadata-demo",
+      "digest": {
+        "sha256": "2193207a22d8d8d973512b46b1c925cfbd207f6f499a8a1d6d52b665190d75a8"
+      }
+    }
+  ],
+  "predicateType": "https://in-toto.io/attestation/release/v0.1",
+  "predicate": {
+    "purl": "pkg:oci/trust-metadata-demo@sha256%3A2193207a22d8d8d973512b46b1c925cfbd207f6f499a8a1d6d52b665190d75a8?repository_url=dehamer.azurecr.io/github/trust-metadata-demo"
+  }
+}

packages/cli/stmt2

@@ -0,0 +1,15 @@
+{
+  "_type": "https://in-toto.io/Statement/v1",
+  "subject": [
+    {
+      "name": "art",
+      "digest": {
+        "sha256": "9b3b4549d391e31f4ef57b65c436db64683ab09090a54c77a64c1cd22a2f7a92"
+      }
+    }
+  ],
+  "predicateType": "https://in-toto.io/attestation/release/v0.1",
+  "predicate": {
+    "purl": "pkg:oci/trust-metadata-demo@sha256%3A2193207a22d8d8d973512b46b1c925cfbd207f6f499a8a1d6d52b665190d75a8?repository_url=dehamer.azurecr.io/github/trust-metadata-demo"
+  }
+}

packages/conformance/src/commands/verify-bundle.ts

@@ -44,6 +44,10 @@ export default class VerifyBundle extends Command {
       description: 'whether to use the staging environment',
       default: false,
     }),
+    'verify-digest': Flags.boolean({
+      description: 'whether to use the staging environment',
+      default: false,
+    }),
   };
 
   static override args = {