From 5787fef7b4d2f69918e967966453524d1dd7123f Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Thu, 14 Mar 2024 19:01:16 -0600
Subject: [PATCH] start adding sigstore verifier unit tests
Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/inspect/inspect_test.go | 1 -
 .../attestation/verification/sigstore_test.go | 50 +++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 pkg/cmd/attestation/verification/sigstore_test.go
diff --git a/pkg/cmd/attestation/inspect/inspect_test.go b/pkg/cmd/attestation/inspect/inspect_test.go
index 981cba810..8296b8e56 100644
--- a/pkg/cmd/attestation/inspect/inspect_test.go
+++ b/pkg/cmd/attestation/inspect/inspect_test.go
@@ -167,7 +167,6 @@ func TestRunInspect(t *testing.T) {
 err := runInspect(&customOpts)
 require.Error(t, err)
 require.ErrorContains(t, err, "at least one attestation failed to verify")
- require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\"")
 })
 
 t.Run("with valid artifact and JSON lines file containing multiple bundles", func(t *testing.T) {
diff --git a/pkg/cmd/attestation/verification/sigstore_test.go b/pkg/cmd/attestation/verification/sigstore_test.go
new file mode 100644
index 000000000..8d681b9f5
--- /dev/null
+++ b/pkg/cmd/attestation/verification/sigstore_test.go
@@ -0,0 +1,50 @@
+package verification
+
+import (
+ "testing"
+
+ "github.com/cli/cli/v2/pkg/cmd/attestation/artifact"
+ "github.com/cli/cli/v2/pkg/cmd/attestation/logging"
+ "github.com/cli/cli/v2/pkg/cmd/attestation/test"
+
+ "github.com/sigstore/sigstore-go/pkg/verify"
+ "github.com/stretchr/testify/require"
+)
+
+func buildPolicy(a artifact.DigestedArtifact) (verify.PolicyBuilder, error) {
+ artifactDigestPolicyOption, err := BuildDigestPolicyOption(a)
+ if err != nil {
+ return verify.PolicyBuilder{}, err
+ }
+
+ policy := verify.NewPolicy(artifactDigestPolicyOption, verify.WithoutIdentitiesUnsafe())
+ return policy, nil
+}
+
+func TestNewSigstoreVerifier(t *testing.T) {
+ artifactPath := test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz")
+
+ t.Run("with invalid signature", func(t *testing.T) {
+ artifact, err := artifact.NewDigestedArtifact(nil, artifactPath, "sha512")
+ require.NoError(t, err)
+
+ bundlePath := test.NormalizeRelativePath("../test/data/sigstoreBundle-invalid-signature.json")
+ attestations, err := GetLocalAttestations(bundlePath)
+ require.NotNil(t, attestations)
+ require.NoError(t, err)
+
+ policy, err := buildPolicy(*artifact)
+ require.NoError(t, err)
+
+ c := SigstoreConfig{
+ Logger: logging.NewTestLogger(),
+ }
+ verifier, err := NewSigstoreVerifier(c, policy)
+ require.NoError(t, err)
+
+ res := verifier.Verify(attestations)
+ require.Error(t, res.Error)
+ require.ErrorContains(t, res.Error, "verifying with issuer \"sigstore.dev\"")
+ require.Nil(t, res.VerifyResults)
+ })
+}
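Review bot: `buildPolicy` silently bakes in `verify.WithoutIdentitiesUnsafe()`, so any subtest that reuses this helper skips the certificate-identity check entirely; that is fine for the invalid-signature case but the helper's name hides it from whoever adds a "valid bundle" case next and expects identity to be enforced. Either rename it (e.g. `buildDigestOnlyPolicy`) or add a doc comment such as `// buildPolicy returns a digest-only policy that deliberately skips identity verification (WithoutIdentitiesUnsafe); use it only where identity is not under test.` In the subtest, `artifact, err := artifact.NewDigestedArtifact(nil, artifactPath, "sha512")` shadows the imported `artifact` package for the rest of the closure, so a local name such as `art` would be clearer. The `require.NoError(t, err)` after `GetLocalAttestations` should also precede `require.NotNil(t, attestations)` so a loading failure reports its actual error rather than a bare nil assertion.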