add remote verification test

Signed-off-by: Meredith Lancaster <malancas@github.com>

.github/workflows/go.yml

@@ -59,5 +59,8 @@ jobs:
       - name: Build executable
         run: make
 
-      - name: Run attestation command integration Tests
+      - name: Run 'download and verify' integration test
         run: ./test/integration/attestation-cmd/download-and-verify-package-attestation.sh
+
+      - name: Run 'verify remote attestation' integration test
+        run: ./test/integration/attestation-cmd/verify-remote-attestation.sh

test/integration/attestation-cmd/verify-remote-attestation.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Get the root directory of the repository
+rootDir="$(git rev-parse --show-toplevel)"
+
+ghBuildPath="$rootDir/bin/gh"
+
+# Compute the package and attestation URLs
+labRatPackageName="sigstore"
+latestPackageVersion=$(npm -s info $labRatPackageName dist-tags.latest | tr -d '\n')
+packageFile="$labRatPackageName-$latestPackageVersion.tgz"
+packageURL="https://registry.npmjs.org/$labRatPackageName/-/$packageFile"
+
+echo "Testing with package $packageFile"
+
+curl -s "$packageURL" -o "$packageFile"
+
+# Verify the package with the --owner flag
+if ! $ghBuildPath attestation verify "$packageFile" --digest-alg=sha512 --owner=sigstore; then
+    # cleanup test data
+    echo "Failed to verify package with --owner flag"
+    rm "$packageFile"
+    exit 1
+fi
+
+if ! $ghBuildPath attestation verify "$packageFile" --digest-alg=sha512 --repo=sigstore/sigstore-js; then
+    # cleanup test data
+    echo "Failed to verify package with --repo flag"
+    rm "$packageFile"
+    exit 1
+fi
+
+# cleanup test data
+rm "$packageFile"