From c0ceb99ca851d1bf25d3b276b0e49da0e04ece8c Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Mon, 25 Mar 2024 11:31:26 -0600
Subject: [PATCH] add remote verification test
Signed-off-by: Meredith Lancaster
---
.github/workflows/go.yml | 5 ++-
.../verify-remote-attestation.sh | 35 +++++++++++++++++++
2 files changed, 39 insertions(+), 1 deletion(-)
create mode 100755 test/integration/attestation-cmd/verify-remote-attestation.sh
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 7284a9e08..e2dd39ce4 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -59,5 +59,8 @@ jobs: - name: Build executable run: make - - name: Run attestation command integration Tests + - name: Run 'download and verify' integration test run: ./test/integration/attestation-cmd/download-and-verify-package-attestation.sh + + - name: Run 'verify remote attestation' integration test + run: ./test/integration/attestation-cmd/verify-remote-attestation.sh
diff --git a/test/integration/attestation-cmd/verify-remote-attestation.sh b/test/integration/attestation-cmd/verify-remote-attestation.sh
new file mode 100755
index 000000000..6f78e42aa
--- /dev/null
+++ b/test/integration/attestation-cmd/verify-remote-attestation.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Get the root directory of the repository
+rootDir="$(git rev-parse --show-toplevel)"
+
+ghBuildPath="$rootDir/bin/gh"
+
+# Compute the package and attestation URLs
+labRatPackageName="sigstore"
+latestPackageVersion=$(npm -s info $labRatPackageName dist-tags.latest | tr -d '\n')
+packageFile="$labRatPackageName-$latestPackageVersion.tgz"
+packageURL="https://registry.npmjs.org/$labRatPackageName/-/$packageFile"
+
+echo "Testing with package $packageFile"
+
+curl -s "$packageURL" -o "$packageFile"
+
+# Verify the package with the --owner flag
+if ! $ghBuildPath attestation verify "$packageFile" --digest-alg=sha512 --owner=sigstore; then
+ # cleanup test data
+ echo "Failed to verify package with --owner flag"
+ rm "$packageFile"
+ exit 1
+fi
+
+if ! $ghBuildPath attestation verify "$packageFile" --digest-alg=sha512 --repo=sigstore/sigstore-js; then
+ # cleanup test data
+ echo "Failed to verify package with --repo flag"
+ rm "$packageFile"
+ exit 1
+fi
+
+# cleanup test data
+rm "$packageFile"
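Review bot: Both `gh attestation verify` calls in the new script only assert success, so the test would keep passing if verification stopped rejecting artifacts it should reject; a negative case with a mismatched `--owner` would cover that. The download uses `curl -s` without `--fail`, so an HTTP error body is saved as `$packageFile` and shows up later as a misleading "Failed to verify" message. Cleanup is written out three times and is skipped whenever `set -e` aborts first (for example if `curl` itself fails), which a single `trap` on EXIT would handle. The sketch below also quotes `$ghBuildPath`, which matters if the repository path contains spaces.

```shell
packageURL="https://registry.npmjs.org/$labRatPackageName/-/$packageFile"
# One cleanup path for every exit, including set -e aborts.
trap 'rm -f -- "$packageFile"' EXIT

# --fail: an HTTP error response must not be saved as the tarball.
curl -fsS "$packageURL" -o "$packageFile"

# … unchanged: --owner and --repo positive checks (their rm lines become redundant) …

# Negative case: a mismatched owner must be rejected.
# UNRELATED_OWNER_PLACEHOLDER is a placeholder, not a real account name.
if "$ghBuildPath" attestation verify "$packageFile" --digest-alg=sha512 --owner="UNRELATED_OWNER_PLACEHOLDER"; then
  echo "Package unexpectedly verified against a mismatched --owner"
  exit 1
fi
```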