set provenance predicate type as default for predicate-type flag

Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-24 11:40:55 -06:00 · 2024-10-24 11:40:55 -06:00 · 4d57c79770
commit 4d57c79770
parent fc4d7e44fd
5 changed files with 48 additions and 19 deletions
--- a/pkg/cmd/attestation/verification/attestation.go
+++ b/pkg/cmd/attestation/verification/attestation.go
@ -15,6 +15,8 @@ import (
 	"github.com/sigstore/sigstore-go/pkg/bundle"
 )

+const SLSAPredicateType = "https://slsa.dev/provenance/v1"
+
 var ErrUnrecognisedBundleExtension = errors.New("bundle file extension not supported, must be json or jsonl")
 var ErrEmptyBundleFile = errors.New("provided bundle file is empty")

--- a/pkg/cmd/attestation/verification/mock_verifier.go
+++ b/pkg/cmd/attestation/verification/mock_verifier.go
@ -12,8 +12,6 @@ import (
 	"github.com/sigstore/sigstore-go/pkg/verify"
 )

-const SLSAPredicateType = "https://slsa.dev/provenance/v1"
-
 type MockSigstoreVerifier struct {
 	t *testing.T
 }
--- a/pkg/cmd/attestation/verification/sigstore.go
+++ b/pkg/cmd/attestation/verification/sigstore.go
@ -113,7 +113,7 @@ func (v *LiveSigstoreVerifier) chooseVerifier(b *bundle.Bundle) (*verify.SignedE
 					// issuer. We *must* use the trusted root provided.
 					if issuer == PublicGoodIssuerOrg {
 						if v.config.NoPublicGood {
-							return nil, "", fmt.Errorf("Detected public good instance but requested verification without public good instance")
+							return nil, "", fmt.Errorf("detected public good instance but requested verification without public good instance")
 						}
 						verifier, err := newPublicGoodVerifierWithTrustedRoot(trustedRoot)
 						if err != nil {
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@ -179,7 +179,7 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 	verifyCmd.Flags().StringVarP(&opts.Repo, "repo", "R", "", "Repository name in the format <owner>/<repo>")
 	verifyCmd.MarkFlagsMutuallyExclusive("owner", "repo")
 	verifyCmd.MarkFlagsOneRequired("owner", "repo")
-	verifyCmd.Flags().StringVarP(&opts.PredicateType, "predicate-type", "", "", "Filter attestations by provided predicate type")
+	verifyCmd.Flags().StringVarP(&opts.PredicateType, "predicate-type", "", verification.SLSAPredicateType, "Filter attestations by provided predicate type")
 	verifyCmd.Flags().BoolVarP(&opts.NoPublicGood, "no-public-good", "", false, "Do not verify attestations signed with Sigstore public good instance")
 	verifyCmd.Flags().StringVarP(&opts.TrustedRoot, "custom-trusted-root", "", "", "Path to a trusted_root.jsonl file; likely for offline verification")
 	verifyCmd.Flags().IntVarP(&opts.Limit, "limit", "L", api.DefaultLimit, "Maximum number of attestations to fetch")
--- a/pkg/cmd/attestation/verify/verify_test.go
+++ b/pkg/cmd/attestation/verify/verify_test.go
@ -70,11 +70,12 @@ func TestNewVerifyCmd(t *testing.T) {
 				ArtifactPath:     test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
 				BundlePath:       test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0-bundle.json"),
 				DigestAlgorithm:  "sha384",
+				Hostname:         "github.com",
 				Limit:            30,
 				OIDCIssuer:       verification.GitHubOIDCIssuer,
 				Owner:            "sigstore",
+				PredicateType:    verification.SLSAPredicateType,
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
-				Hostname:         "github.com",
 			},
 			wantsErr: true,
 		},
@ -85,12 +86,13 @@ func TestNewVerifyCmd(t *testing.T) {
 				ArtifactPath:     test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
 				BundlePath:       test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0-bundle.json"),
 				DigestAlgorithm:  "sha256",
+				Hostname:         "github.com",
 				Limit:            30,
 				OIDCIssuer:       verification.GitHubOIDCIssuer,
 				Owner:            "sigstore",
+				PredicateType:    verification.SLSAPredicateType,
 				SANRegex:         "(?i)^https://github.com/sigstore/",
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
-				Hostname:         "github.com",
 			},
 			wantsErr: false,
 		},
@ -101,12 +103,13 @@ func TestNewVerifyCmd(t *testing.T) {
 				ArtifactPath:     test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
 				BundlePath:       test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0-bundle.json"),
 				DigestAlgorithm:  "sha256",
+				Hostname:         "foo.ghe.com",
 				Limit:            30,
 				OIDCIssuer:       verification.GitHubOIDCIssuer,
 				Owner:            "sigstore",
+				PredicateType:    verification.SLSAPredicateType,
 				SANRegex:         "(?i)^https://foo.ghe.com/sigstore/",
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
-				Hostname:         "foo.ghe.com",
 			},
 			wantsErr: false,
 		},
@ -117,12 +120,13 @@ func TestNewVerifyCmd(t *testing.T) {
 				ArtifactPath:     test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
 				BundlePath:       test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0-bundle.json"),
 				DigestAlgorithm:  "sha256",
+				Hostname:         "foo.ghe.com",
 				Limit:            30,
 				OIDCIssuer:       verification.GitHubOIDCIssuer,
 				Owner:            "sigstore",
+				PredicateType:    verification.SLSAPredicateType,
 				SANRegex:         "(?i)^https://github.com/sigstore/",
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
-				Hostname:         "foo.ghe.com",
 			},
 			wantsErr: true,
 		},
@ -133,12 +137,13 @@ func TestNewVerifyCmd(t *testing.T) {
 				ArtifactPath:     test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
 				BundlePath:       test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0-bundle.json"),
 				DigestAlgorithm:  "sha512",
+				Hostname:         "github.com",
 				Limit:            30,
 				OIDCIssuer:       verification.GitHubOIDCIssuer,
 				Owner:            "sigstore",
+				PredicateType:    verification.SLSAPredicateType,
 				SANRegex:         "(?i)^https://github.com/sigstore/",
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
-				Hostname:         "github.com",
 			},
 			wantsErr: false,
 		},
@ -148,12 +153,13 @@ func TestNewVerifyCmd(t *testing.T) {
 			wants: Options{
 				ArtifactPath:     test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
 				DigestAlgorithm:  "sha256",
+				Hostname:         "github.com",
+				Limit:            30,
 				OIDCIssuer:       verification.GitHubOIDCIssuer,
 				Owner:            "sigstore",
-				Limit:            30,
+				PredicateType:    verification.SLSAPredicateType,
 				SANRegex:         "(?i)^https://github.com/sigstore/",
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
-				Hostname:         "github.com",
 			},
 			wantsErr: true,
 		},
@ -163,12 +169,13 @@ func TestNewVerifyCmd(t *testing.T) {
 			wants: Options{
 				ArtifactPath:     artifactPath,
 				DigestAlgorithm:  "sha256",
+				Hostname:         "github.com",
+				Limit:            30,
 				OIDCIssuer:       verification.GitHubOIDCIssuer,
 				Owner:            "sigstore",
+				PredicateType:    verification.SLSAPredicateType,
 				Repo:             "sigstore/sigstore-js",
-				Limit:            30,
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
-				Hostname:         "github.com",
 			},
 			wantsErr: true,
 		},
@ -178,12 +185,13 @@ func TestNewVerifyCmd(t *testing.T) {
 			wants: Options{
 				ArtifactPath:     artifactPath,
 				DigestAlgorithm:  "sha256",
+				Hostname:         "github.com",
 				Limit:            30,
 				OIDCIssuer:       verification.GitHubOIDCIssuer,
 				Owner:            "sigstore",
+				PredicateType:    verification.SLSAPredicateType,
 				SANRegex:         "(?i)^https://github.com/sigstore/",
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
-				Hostname:         "github.com",
 			},
 			wantsErr: false,
 		},
@ -193,12 +201,13 @@ func TestNewVerifyCmd(t *testing.T) {
 			wants: Options{
 				ArtifactPath:     artifactPath,
 				DigestAlgorithm:  "sha256",
+				Hostname:         "github.com",
+				Limit:            101,
 				OIDCIssuer:       verification.GitHubOIDCIssuer,
 				Owner:            "sigstore",
-				Limit:            101,
+				PredicateType:    verification.SLSAPredicateType,
 				SANRegex:         "(?i)^https://github.com/sigstore/",
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
-				Hostname:         "github.com",
 			},
 			wantsErr: false,
 		},
@ -208,12 +217,13 @@ func TestNewVerifyCmd(t *testing.T) {
 			wants: Options{
 				ArtifactPath:     artifactPath,
 				DigestAlgorithm:  "sha256",
+				Hostname:         "github.com",
+				Limit:            0,
 				OIDCIssuer:       verification.GitHubOIDCIssuer,
 				Owner:            "sigstore",
-				Limit:            0,
+				PredicateType:    verification.SLSAPredicateType,
 				SANRegex:         "(?i)^https://github.com/sigstore/",
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
-				Hostname:         "github.com",
 			},
 			wantsErr: true,
 		},
@ -223,13 +233,14 @@ func TestNewVerifyCmd(t *testing.T) {
 			wants: Options{
 				ArtifactPath:     artifactPath,
 				DigestAlgorithm:  "sha256",
+				Hostname:         "github.com",
 				Limit:            30,
 				OIDCIssuer:       verification.GitHubOIDCIssuer,
 				Owner:            "sigstore",
+				PredicateType:    verification.SLSAPredicateType,
 				SAN:              "https://github.com/sigstore/",
 				SANRegex:         "(?i)^https://github.com/sigstore/",
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
-				Hostname:         "github.com",
 			},
 			wantsErr: true,
 		},
@ -240,9 +251,27 @@ func TestNewVerifyCmd(t *testing.T) {
 				ArtifactPath:     artifactPath,
 				BundlePath:       bundlePath,
 				DigestAlgorithm:  "sha256",
+				Hostname:         "github.com",
 				Limit:            30,
 				OIDCIssuer:       verification.GitHubOIDCIssuer,
 				Owner:            "sigstore",
+				PredicateType:    verification.SLSAPredicateType,
+				SANRegex:         "(?i)^https://github.com/sigstore/",
+				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
+			},
+			wantsExporter: true,
+		},
+		{
+			name: "Use specified predicate type",
+			cli:  fmt.Sprintf("%s --bundle %s --owner sigstore --predicate-type https://spdx.dev/Document/v2.3 --format json", artifactPath, bundlePath),
+			wants: Options{
+				ArtifactPath:     artifactPath,
+				BundlePath:       bundlePath,
+				DigestAlgorithm:  "sha256",
+				Limit:            30,
+				OIDCIssuer:       verification.GitHubOIDCIssuer,
+				Owner:            "sigstore",
+				PredicateType:    "https://spdx.dev/Document/v2.3",
 				SANRegex:         "(?i)^https://github.com/sigstore/",
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 				Hostname:         "github.com",