diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 40683d917..5d39bf3af 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -5,6 +5,10 @@ internal/codespaces/ @cli/codespaces # Limit Package Security team ownership to the attestation command package and related integration tests pkg/cmd/attestation/ @cli/package-security +pkg/cmd/release/attestation @cli/package-security +pkg/cmd/release/verify @cli/package-security +pkg/cmd/release/verify-asset @cli/package-security + test/integration/attestation-cmd @cli/package-security pkg/cmd/attestation/verification/embed/tuf-repo.github.com/ @cli/tuf-root-reviewers diff --git a/pkg/cmd/attestation/api/mock_client.go b/pkg/cmd/attestation/api/mock_client.go index b6062b39f..4b4f06eff 100644 --- a/pkg/cmd/attestation/api/mock_client.go +++ b/pkg/cmd/attestation/api/mock_client.go @@ -6,6 +6,13 @@ import ( "github.com/cli/cli/v2/pkg/cmd/attestation/test/data" ) +func makeTestReleaseAttestation() Attestation { + return Attestation{ + Bundle: data.GitHubReleaseBundle(nil), + BundleURL: "https://example.com", + } +} + func makeTestAttestation() Attestation { return Attestation{Bundle: data.SigstoreBundle(nil), BundleURL: "https://example.com"} } @@ -26,8 +33,12 @@ func (m MockClient) GetTrustDomain() (string, error) { func OnGetByDigestSuccess(params FetchParams) ([]*Attestation, error) { att1 := makeTestAttestation() att2 := makeTestAttestation() + att3 := makeTestReleaseAttestation() attestations := []*Attestation{&att1, &att2} if params.PredicateType != "" { + if params.PredicateType == "https://in-toto.io/attestation/release/v0.1" { + attestations = append(attestations, &att3) + } return FilterAttestations(params.PredicateType, attestations) } diff --git a/pkg/cmd/attestation/artifact/artifact.go b/pkg/cmd/attestation/artifact/artifact.go index 131785166..9d8125450 100644 --- a/pkg/cmd/attestation/artifact/artifact.go +++ b/pkg/cmd/attestation/artifact/artifact.go @@ -54,6 +54,13 @@ func normalizeReference(reference string, pathSeparator rune) (normalized string return filepath.Clean(reference), fileArtifactType, nil } +func NewDigestedArtifactForRelease(digest string, digestAlg string) (artifact *DigestedArtifact) { + return &DigestedArtifact{ + digest: digest, + digestAlg: digestAlg, + } +} + func NewDigestedArtifact(client oci.Client, reference, digestAlg string) (artifact *DigestedArtifact, err error) { normalized, artifactType, err := normalizeReference(reference, os.PathSeparator) if err != nil { diff --git a/pkg/cmd/attestation/artifact/file.go b/pkg/cmd/attestation/artifact/file.go index 789a92a5d..237a9bbf7 100644 --- a/pkg/cmd/attestation/artifact/file.go +++ b/pkg/cmd/attestation/artifact/file.go @@ -10,7 +10,7 @@ import ( func digestLocalFileArtifact(filename, digestAlg string) (*DigestedArtifact, error) { data, err := os.Open(filename) if err != nil { - return nil, fmt.Errorf("failed to get open local artifact: %v", err) + return nil, fmt.Errorf("failed to open local artifact: %v", err) } defer data.Close() digest, err := digest.CalculateDigestWithAlgorithm(data, digestAlg) diff --git a/pkg/cmd/attestation/artifact/file_test.go b/pkg/cmd/attestation/artifact/file_test.go new file mode 100644 index 000000000..54768e93e --- /dev/null +++ b/pkg/cmd/attestation/artifact/file_test.go @@ -0,0 +1,23 @@ +package artifact + +import ( + "testing" + + "github.com/cli/cli/v2/pkg/cmd/attestation/test" + "github.com/stretchr/testify/require" +) + +func Test_digestLocalFileArtifact_withRealZip(t *testing.T) { + // Path to the test artifact + artifactPath := test.NormalizeRelativePath("../../attestation/test/data/github_release_artifact.zip") + + // Calculate expected digest using the same algorithm as the function under test + expectedDigest := "e15b593c6ab8d7725a3cc82226ef816cac6bf9c70eed383bd459295cc65f5ec3" + + // Call the function under test + artifact, err := digestLocalFileArtifact(artifactPath, "sha256") + require.NoError(t, err) + require.Equal(t, "file://"+artifactPath, artifact.URL) + require.Equal(t, expectedDigest, artifact.digest) + require.Equal(t, "sha256", artifact.digestAlg) +} diff --git a/pkg/cmd/attestation/test/data/data.go b/pkg/cmd/attestation/test/data/data.go index ef3c35c20..223d6f22e 100644 --- a/pkg/cmd/attestation/test/data/data.go +++ b/pkg/cmd/attestation/test/data/data.go @@ -10,6 +10,9 @@ import ( //go:embed sigstore-js-2.1.0-bundle.json var SigstoreBundleRaw []byte +//go:embed github_release_bundle.json +var GitHubReleaseBundleRaw []byte + // SigstoreBundle returns a test sigstore-go bundle.Bundle func SigstoreBundle(t *testing.T) *bundle.Bundle { b := &bundle.Bundle{} @@ -19,3 +22,12 @@ func SigstoreBundle(t *testing.T) *bundle.Bundle { } return b } + +func GitHubReleaseBundle(t *testing.T) *bundle.Bundle { + b := &bundle.Bundle{} + err := b.UnmarshalJSON(GitHubReleaseBundleRaw) + if err != nil { + t.Fatalf("failed to unmarshal GitHub release bundle: %v", err) + } + return b +} diff --git a/pkg/cmd/attestation/test/data/github_release_artifact.zip b/pkg/cmd/attestation/test/data/github_release_artifact.zip new file mode 100644 index 000000000..a4d222eb9 Binary files /dev/null and b/pkg/cmd/attestation/test/data/github_release_artifact.zip differ diff --git a/pkg/cmd/attestation/test/data/github_release_artifact_invalid.zip b/pkg/cmd/attestation/test/data/github_release_artifact_invalid.zip new file mode 100644 index 000000000..fcdda88fe Binary files /dev/null and b/pkg/cmd/attestation/test/data/github_release_artifact_invalid.zip differ diff --git a/pkg/cmd/attestation/test/data/github_release_bundle.json b/pkg/cmd/attestation/test/data/github_release_bundle.json new file mode 100644 index 000000000..8ca506dcb --- /dev/null +++ b/pkg/cmd/attestation/test/data/github_release_bundle.json @@ -0,0 +1,24 @@ +{ + "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", + "verificationMaterial": { + "timestampVerificationData": { + "rfc3161Timestamps": [ + { + "signedTimestamp": "MIIC0DADAgEAMIICxwYJKoZIhvcNAQcCoIICuDCCArQCAQMxDTALBglghkgBZQMEAgIwgbwGCyqGSIb3DQEJEAEEoIGsBIGpMIGmAgEBBgkrBgEEAYO/MAIwMTANBglghkgBZQMEAgEFAAQg1c3kQQpo4Adf2E+nx78lNg8EjRSLpIRERpPF0HIavogCFQCOfZuxr0DOc1LsM+y+sjQCMFrtbxgPMjAyNTA1MzAyMDEzMzlaMAMCAQGgNqQ0MDIxFTATBgNVBAoTDEdpdEh1YiwgSW5jLjEZMBcGA1UEAxMQVFNBIFRpbWVzdGFtcGluZ6AAMYIB3TCCAdkCAQEwSjAyMRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xGTAXBgNVBAMTEFRTQSBpbnRlcm1lZGlhdGUCFB+7MIjE5/rL4XA4fNDnmXHA04+wMAsGCWCGSAFlAwQCAqCCAQUwGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMBwGCSqGSIb3DQEJBTEPFw0yNTA1MzAyMDEzMzlaMD8GCSqGSIb3DQEJBDEyBDDkw1fXMZ6l/uWne+PcdzhLl2ckTZftcUuHcnYCwjhyYMeGOcgbpNNMDem46JCxItwwgYcGCyqGSIb3DQEJEAIvMXgwdjB0MHIEIHuISsKSyiJtlhGjT+RyS+tYQ7iwCMsMCTGmz2NK3D7DME4wNqQ0MDIxFTATBgNVBAoTDEdpdEh1YiwgSW5jLjEZMBcGA1UEAxMQVFNBIGludGVybWVkaWF0ZQIUH7swiMTn+svhcDh80OeZccDTj7AwCgYIKoZIzj0EAwMEZjBkAjBhE76zis18/xOtQdx6rJUuaRoZCflXHCjH6BqEk1B29r9C8STztZhAKalXL+Wy4rsCMFFaGPKF1uOl5JADiKMg5/7chJbWrfwyO9oa0tbmvcGrtBCdFeJ1Ic0tIi1sOVvq5Q==" + } + ] + }, + "certificate": { + "rawBytes": "MIICKjCCAbCgAwIBAgIUaa62dj98DUB+TpyvKtVaR4vGSM0wCgYIKoZIzj0EAwMwODEVMBMGA1UEChMMR2l0SHViLCBJbmMuMR8wHQYDVQQDExZGdWxjaW8gSW50ZXJtZWRpYXRlIGwxMB4XDTI1MDMxMDE1MDMwMloXDTI2MDMxMDE1MDMwMlowKjEVMBMGA1UEChMMR2l0SHViLCBJbmMuMREwDwYDVQQDEwhBdHRlc3RlcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIMB7plPnZvBRlC2lvAocKTAqAPMJqstEqYk26e9vDJDC1yqoiHxZfPV4W/1RqUMZD1dFKm9t4RiSmm73/QnQKajgaUwgaIwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFOqaGpr5SbdYk5CQXsmmDZCBHR+XMB8GA1UdIwQYMBaAFMDhuFKkS08+3no4EQbPSY6hRZszMC0GA1UdEQQmMCSGImh0dHBzOi8vZG90Y29tLnJlbGVhc2VzLmdpdGh1Yi5jb20wCgYIKoZIzj0EAwMDaAAwZQIwWFdF6xcXazHVPHEAtd1SeaizLdY1erRl5hK+XlwhfpnasQHHZ9bdu4Zj8ARhW/AhAjEArujhmJGo7Fi4/Ek1RN8bufs6UhIQneQd/pxE8QdorwZkj2C8nf2EzrUYzlxKfktC" + } + }, + "dsseEnvelope": { + "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCAic3ViamVjdCI6W3sidXJpIjoicGtnOmdpdGh1Yi9iZGVoYW1lci9kZWxtZUB2NiIsICJkaWdlc3QiOnsic2hhMSI6ImM1ZTE3YTYyZTA2YTFkMjAxNTcwMjQ5YzYxZmFlNTMxZTkyNDRlMWIifX0sIHsibmFtZSI6ImFydGlmYWN0LnppcCIsICJkaWdlc3QiOnsic2hhMjU2IjoiZTE1YjU5M2M2YWI4ZDc3MjVhM2NjODIyMjZlZjgxNmNhYzZiZjljNzBlZWQzODNiZDQ1OTI5NWNjNjVmNWVjMyJ9fV0sICJwcmVkaWNhdGVUeXBlIjoiaHR0cHM6Ly9pbi10b3RvLmlvL2F0dGVzdGF0aW9uL3JlbGVhc2UvdjAuMSIsICJwcmVkaWNhdGUiOnsib3duZXJJZCI6IjM5ODAyNyIsICJwdXJsIjoicGtnOmdpdGh1Yi9iZGVoYW1lci9kZWxtZUB2NiIsICJyZWxlYXNlSWQiOiIyMjIxNTg2NzEiLCAicmVwb3NpdG9yeSI6ImJkZWhhbWVyL2RlbG1lIiwgInJlcG9zaXRvcnlJZCI6IjkwNTk4ODA0NCIsICJ0YWciOiJ2NiJ9fQ==", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEUCIGq+T2g2gV2+lcmgyCaVPrjO1tj86RxitwiEOjU5dH/GAiEAvKaT/7H0sIVdAY7EzLq1IFaF8LmlW6eV68eZQvtuA0c=" + } + ] + } +} \ No newline at end of file diff --git a/pkg/cmd/release/release.go b/pkg/cmd/release/release.go index 6805b09eb..f56042c81 100644 --- a/pkg/cmd/release/release.go +++ b/pkg/cmd/release/release.go @@ -8,6 +8,8 @@ import ( cmdUpdate "github.com/cli/cli/v2/pkg/cmd/release/edit" cmdList "github.com/cli/cli/v2/pkg/cmd/release/list" cmdUpload "github.com/cli/cli/v2/pkg/cmd/release/upload" + cmdVerify "github.com/cli/cli/v2/pkg/cmd/release/verify" + cmdVerifyAsset "github.com/cli/cli/v2/pkg/cmd/release/verify-asset" cmdView "github.com/cli/cli/v2/pkg/cmd/release/view" "github.com/cli/cli/v2/pkg/cmdutil" "github.com/spf13/cobra" @@ -34,6 +36,8 @@ func NewCmdRelease(f *cmdutil.Factory) *cobra.Command { cmdDownload.NewCmdDownload(f, nil), cmdDelete.NewCmdDelete(f, nil), cmdDeleteAsset.NewCmdDeleteAsset(f, nil), + cmdVerify.NewCmdVerify(f, nil), + cmdVerifyAsset.NewCmdVerifyAsset(f, nil), ) return cmd diff --git a/pkg/cmd/release/shared/attestation.go b/pkg/cmd/release/shared/attestation.go new file mode 100644 index 000000000..4e0377fed --- /dev/null +++ b/pkg/cmd/release/shared/attestation.go @@ -0,0 +1,128 @@ +package shared + +import ( + "fmt" + "net/http" + + "github.com/cli/cli/v2/pkg/cmd/attestation/api" + "github.com/cli/cli/v2/pkg/cmd/attestation/artifact" + att_io "github.com/cli/cli/v2/pkg/cmd/attestation/io" + "github.com/cli/cli/v2/pkg/cmd/attestation/test/data" + "github.com/cli/cli/v2/pkg/cmd/attestation/verification" + "github.com/cli/cli/v2/pkg/iostreams" + "github.com/sigstore/sigstore-go/pkg/fulcio/certificate" + "github.com/sigstore/sigstore-go/pkg/verify" + + v1 "github.com/in-toto/attestation/go/v1" + "google.golang.org/protobuf/encoding/protojson" +) + +const ReleasePredicateType = "https://in-toto.io/attestation/release/v0.1" + +type Verifier interface { + // VerifyAttestation verifies the attestation for a given artifact + VerifyAttestation(art *artifact.DigestedArtifact, att *api.Attestation) (*verification.AttestationProcessingResult, error) +} + +type AttestationVerifier struct { + AttClient api.Client + HttpClient *http.Client + IO *iostreams.IOStreams +} + +func (v *AttestationVerifier) VerifyAttestation(art *artifact.DigestedArtifact, att *api.Attestation) (*verification.AttestationProcessingResult, error) { + td, err := v.AttClient.GetTrustDomain() + if err != nil { + return nil, err + } + + verifier, err := verification.NewLiveSigstoreVerifier(verification.SigstoreConfig{ + HttpClient: v.HttpClient, + Logger: att_io.NewHandler(v.IO), + NoPublicGood: true, + TrustDomain: td, + }) + if err != nil { + return nil, err + } + + policy := buildVerificationPolicy(*art) + sigstoreVerified, err := verifier.Verify([]*api.Attestation{att}, policy) + if err != nil { + return nil, err + } + + return sigstoreVerified[0], nil +} + +func FilterAttestationsByTag(attestations []*api.Attestation, tagName string) ([]*api.Attestation, error) { + var filtered []*api.Attestation + for _, att := range attestations { + statement := att.Bundle.Bundle.GetDsseEnvelope().Payload + var statementData v1.Statement + err := protojson.Unmarshal([]byte(statement), &statementData) + if err != nil { + return nil, fmt.Errorf("failed to unmarshal statement: %w", err) + } + tagValue := statementData.Predicate.GetFields()["tag"].GetStringValue() + + if tagValue == tagName { + filtered = append(filtered, att) + } + } + return filtered, nil +} + +func FilterAttestationsByFileDigest(attestations []*api.Attestation, fileDigest string) ([]*api.Attestation, error) { + var filtered []*api.Attestation + for _, att := range attestations { + statement := att.Bundle.Bundle.GetDsseEnvelope().Payload + var statementData v1.Statement + err := protojson.Unmarshal([]byte(statement), &statementData) + + if err != nil { + return nil, fmt.Errorf("failed to unmarshal statement: %w", err) + } + subjects := statementData.Subject + for _, subject := range subjects { + digestMap := subject.GetDigest() + alg := "sha256" + + digest := digestMap[alg] + if digest == fileDigest { + filtered = append(filtered, att) + } + } + + } + return filtered, nil +} + +// buildVerificationPolicy constructs a verification policy for GitHub releases +func buildVerificationPolicy(a artifact.DigestedArtifact) verify.PolicyBuilder { + // SAN must match the GitHub releases domain. No issuer extension (match anything) + sanMatcher, _ := verify.NewSANMatcher("", "^https://.*\\.releases\\.github\\.com$") + issuerMatcher, _ := verify.NewIssuerMatcher("", ".*") + certId, _ := verify.NewCertificateIdentity(sanMatcher, issuerMatcher, certificate.Extensions{}) + + artifactDigestPolicyOption, _ := verification.BuildDigestPolicyOption(a) + return verify.NewPolicy(artifactDigestPolicyOption, verify.WithCertificateIdentity(certId)) +} + +type MockVerifier struct { + mockResult *verification.AttestationProcessingResult +} + +func NewMockVerifier(mockResult *verification.AttestationProcessingResult) *MockVerifier { + return &MockVerifier{mockResult: mockResult} +} + +func (v *MockVerifier) VerifyAttestation(art *artifact.DigestedArtifact, att *api.Attestation) (*verification.AttestationProcessingResult, error) { + return &verification.AttestationProcessingResult{ + Attestation: &api.Attestation{ + Bundle: data.GitHubReleaseBundle(nil), + BundleURL: "https://example.com", + }, + VerificationResult: nil, + }, nil +} diff --git a/pkg/cmd/release/shared/fetch.go b/pkg/cmd/release/shared/fetch.go index 4c0a014b9..322f33c17 100644 --- a/pkg/cmd/release/shared/fetch.go +++ b/pkg/cmd/release/shared/fetch.go @@ -133,6 +133,41 @@ type fetchResult struct { error error } +func FetchRefSHA(ctx context.Context, httpClient *http.Client, repo ghrepo.Interface, tagName string) (string, error) { + path := fmt.Sprintf("repos/%s/%s/git/refs/tags/%s", repo.RepoOwner(), repo.RepoName(), tagName) + req, err := http.NewRequestWithContext(ctx, "GET", ghinstance.RESTPrefix(repo.RepoHost())+path, nil) + if err != nil { + return "", err + } + + resp, err := httpClient.Do(req) + if err != nil { + return "", err + } + defer resp.Body.Close() + + if resp.StatusCode == http.StatusNotFound { + _, _ = io.Copy(io.Discard, resp.Body) + // ErrRefNotFound + return "", ErrReleaseNotFound + } + + if resp.StatusCode > 299 { + return "", api.HandleHTTPError(resp) + } + + var ref struct { + Object struct { + SHA string `json:"sha"` + } `json:"object"` + } + if err := json.NewDecoder(resp.Body).Decode(&ref); err != nil { + return "", err + } + + return ref.Object.SHA, nil +} + // FetchRelease finds a published repository release by its tagName, or a draft release by its pending tag name. func FetchRelease(ctx context.Context, httpClient *http.Client, repo ghrepo.Interface, tagName string) (*Release, error) { cc, cancel := context.WithCancel(ctx) @@ -213,7 +248,7 @@ func fetchReleasePath(ctx context.Context, httpClient *http.Client, host string, } defer resp.Body.Close() - if resp.StatusCode == 404 { + if resp.StatusCode == http.StatusNotFound { _, _ = io.Copy(io.Discard, resp.Body) return nil, ErrReleaseNotFound } else if resp.StatusCode > 299 { @@ -248,3 +283,11 @@ func StubFetchRelease(t *testing.T, reg *httpmock.Registry, owner, repoName, tag ) } } + +func StubFetchRefSHA(t *testing.T, reg *httpmock.Registry, owner, repoName, tagName, sha string) { + path := fmt.Sprintf("repos/%s/%s/git/refs/tags/%s", owner, repoName, tagName) + reg.Register( + httpmock.REST("GET", path), + httpmock.StringResponse(fmt.Sprintf(`{"object": {"sha": "%s"}}`, sha)), + ) +} diff --git a/pkg/cmd/release/verify-asset/verify_asset.go b/pkg/cmd/release/verify-asset/verify_asset.go new file mode 100644 index 000000000..2b66f3502 --- /dev/null +++ b/pkg/cmd/release/verify-asset/verify_asset.go @@ -0,0 +1,211 @@ +package verifyasset + +import ( + "context" + "fmt" + "net/http" + "path/filepath" + + "github.com/cli/cli/v2/pkg/iostreams" + + "github.com/cli/cli/v2/internal/ghrepo" + "github.com/cli/cli/v2/pkg/cmd/attestation/api" + "github.com/cli/cli/v2/pkg/cmd/attestation/artifact" + att_io "github.com/cli/cli/v2/pkg/cmd/attestation/io" + "github.com/cli/cli/v2/pkg/cmd/release/shared" + + "github.com/MakeNowJust/heredoc" + "github.com/cli/cli/v2/pkg/cmdutil" + "github.com/spf13/cobra" +) + +type VerifyAssetOptions struct { + TagName string + BaseRepo ghrepo.Interface + Exporter cmdutil.Exporter + AssetFilePath string +} + +type VerifyAssetConfig struct { + HttpClient *http.Client + IO *iostreams.IOStreams + Opts *VerifyAssetOptions + AttClient api.Client + AttVerifier shared.Verifier +} + +func NewCmdVerifyAsset(f *cmdutil.Factory, runF func(*VerifyAssetConfig) error) *cobra.Command { + opts := &VerifyAssetOptions{} + + cmd := &cobra.Command{ + Use: "verify-asset [] ", + Short: "Verify that a given asset originated from a specific GitHub Release.", + Long: heredoc.Doc(` + Verify that a given asset file originated from a specific GitHub Release using cryptographically signed attestations. + + ## Understanding Verification + + An attestation is a claim made by GitHub regarding a release and its assets. + + ## What This Command Does + + This command checks that the asset you provide matches an attestation produced by GitHub for a particular release. + It ensures the asset's integrity by validating: + * The asset's digest matches the subject in the attestation + * The attestation is associated with the specified release + `), + Hidden: true, + Args: cobra.MaximumNArgs(2), + Example: heredoc.Doc(` + # Verify an asset from the latest release + $ gh release verify-asset ./dist/my-asset.zip + + # Verify an asset from a specific release tag + $ gh release verify-asset v1.2.3 ./dist/my-asset.zip + + # Verify an asset from a specific release tag and output the attestation in JSON format + $ gh release verify-asset v1.2.3 ./dist/my-asset.zip --format json + `), + RunE: func(cmd *cobra.Command, args []string) error { + if len(args) == 2 { + opts.TagName = args[0] + opts.AssetFilePath = args[1] + } else if len(args) == 1 { + opts.AssetFilePath = args[0] + } else { + return cmdutil.FlagErrorf("you must specify an asset filepath") + } + + opts.AssetFilePath = filepath.Clean(opts.AssetFilePath) + + baseRepo, err := f.BaseRepo() + if err != nil { + return fmt.Errorf("failed to determine base repository: %w", err) + } + opts.BaseRepo = baseRepo + + httpClient, err := f.HttpClient() + if err != nil { + return err + } + + io := f.IOStreams + attClient := api.NewLiveClient(httpClient, baseRepo.RepoHost(), att_io.NewHandler(io)) + + attVerifier := &shared.AttestationVerifier{ + AttClient: attClient, + HttpClient: httpClient, + IO: io, + } + + config := &VerifyAssetConfig{ + Opts: opts, + HttpClient: httpClient, + AttClient: attClient, + AttVerifier: attVerifier, + IO: io, + } + + if runF != nil { + return runF(config) + } + + return verifyAssetRun(config) + }, + } + cmdutil.AddFormatFlags(cmd, &opts.Exporter) + + return cmd +} + +func verifyAssetRun(config *VerifyAssetConfig) error { + ctx := context.Background() + opts := config.Opts + baseRepo := opts.BaseRepo + tagName := opts.TagName + + if tagName == "" { + release, err := shared.FetchLatestRelease(ctx, config.HttpClient, baseRepo) + if err != nil { + return err + } + tagName = release.TagName + } + + fileName := getFileName(opts.AssetFilePath) + + // Calculate the digest of the file + fileDigest, err := artifact.NewDigestedArtifact(nil, opts.AssetFilePath, "sha256") + if err != nil { + return err + } + + ref, err := shared.FetchRefSHA(ctx, config.HttpClient, baseRepo, tagName) + if err != nil { + return err + } + + releaseRefDigest := artifact.NewDigestedArtifactForRelease(ref, "sha1") + + // Find attestations for the release tag SHA + attestations, err := config.AttClient.GetByDigest(api.FetchParams{ + Digest: releaseRefDigest.DigestWithAlg(), + PredicateType: shared.ReleasePredicateType, + Owner: baseRepo.RepoOwner(), + Repo: baseRepo.RepoOwner() + "/" + baseRepo.RepoName(), + // TODO: Allow this value to be set via a flag. + // The limit is set to 100 to ensure we fetch all attestations for a given SHA. + // While multiple attestations can exist for a single SHA, + // only one attestation is associated with each release tag. + Limit: 100, + }) + if err != nil { + return fmt.Errorf("no attestations found for tag %s (%s)", tagName, releaseRefDigest.DigestWithAlg()) + } + + // Filter attestations by tag name + filteredAttestations, err := shared.FilterAttestationsByTag(attestations, opts.TagName) + if err != nil { + return fmt.Errorf("error parsing attestations for tag %s: %w", tagName, err) + } + + if len(filteredAttestations) == 0 { + return fmt.Errorf("no attestations found for release %s in %s/%s", tagName, baseRepo.RepoOwner(), baseRepo.RepoName()) + } + + // Filter attestations by subject digest + filteredAttestations, err = shared.FilterAttestationsByFileDigest(filteredAttestations, fileDigest.Digest()) + if err != nil { + return fmt.Errorf("error parsing attestations for digest %s: %w", fileDigest.DigestWithAlg(), err) + } + + if len(filteredAttestations) == 0 { + return fmt.Errorf("attestation for %s does not contain subject %s", tagName, fileDigest.DigestWithAlg()) + } + + // Verify attestation + verified, err := config.AttVerifier.VerifyAttestation(releaseRefDigest, filteredAttestations[0]) + if err != nil { + return fmt.Errorf("failed to verify attestation for tag %s: %w", tagName, err) + } + + // If an exporter is provided with the --json flag, write the results to the terminal in JSON format + if opts.Exporter != nil { + return opts.Exporter.Write(config.IO, verified) + } + + io := config.IO + cs := io.ColorScheme() + fmt.Fprintf(io.Out, "Calculated digest for %s: %s\n", fileName, fileDigest.DigestWithAlg()) + fmt.Fprintf(io.Out, "Resolved tag %s to %s\n", opts.TagName, releaseRefDigest.DigestWithAlg()) + fmt.Fprint(io.Out, "Loaded attestation from GitHub API\n\n") + fmt.Fprintf(io.Out, cs.Green("%s Verification succeeded! %s is present in release %s\n"), cs.SuccessIcon(), fileName, opts.TagName) + + return nil +} + +func getFileName(filePath string) string { + // Get the file name from the file path + _, fileName := filepath.Split(filePath) + return fileName +} diff --git a/pkg/cmd/release/verify-asset/verify_asset_test.go b/pkg/cmd/release/verify-asset/verify_asset_test.go new file mode 100644 index 000000000..732de9fd2 --- /dev/null +++ b/pkg/cmd/release/verify-asset/verify_asset_test.go @@ -0,0 +1,267 @@ +package verifyasset + +import ( + "bytes" + "net/http" + "testing" + + "github.com/cli/cli/v2/pkg/cmd/attestation/api" + "github.com/cli/cli/v2/pkg/cmd/attestation/test" + "github.com/cli/cli/v2/pkg/cmd/attestation/test/data" + "github.com/cli/cli/v2/pkg/cmd/attestation/verification" + "github.com/cli/cli/v2/pkg/cmd/release/shared" + "github.com/cli/cli/v2/pkg/cmdutil" + "github.com/cli/cli/v2/pkg/httpmock" + "github.com/cli/cli/v2/pkg/iostreams" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/cli/cli/v2/internal/ghrepo" +) + +func TestNewCmdVerifyAsset_Args(t *testing.T) { + tests := []struct { + name string + args []string + wantTag string + wantFile string + wantErr string + }{ + { + name: "valid args", + args: []string{"v1.2.3", "../../attestation/test/data/github_release_artifact.zip"}, + wantTag: "v1.2.3", + wantFile: test.NormalizeRelativePath("../../attestation/test/data/github_release_artifact.zip"), + }, + { + name: "valid flag with no tag", + + args: []string{"../../attestation/test/data/github_release_artifact.zip"}, + wantFile: test.NormalizeRelativePath("../../attestation/test/data/github_release_artifact.zip"), + }, + { + name: "no args", + args: []string{}, + wantErr: "you must specify an asset filepath", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + testIO, _, _, _ := iostreams.Test() + + f := &cmdutil.Factory{ + IOStreams: testIO, + HttpClient: func() (*http.Client, error) { + return nil, nil + }, + BaseRepo: func() (ghrepo.Interface, error) { + return ghrepo.FromFullName("owner/repo") + }, + } + + var cfg *VerifyAssetConfig + cmd := NewCmdVerifyAsset(f, func(c *VerifyAssetConfig) error { + cfg = c + return nil + }) + cmd.SetArgs(tt.args) + cmd.SetIn(&bytes.Buffer{}) + cmd.SetOut(&bytes.Buffer{}) + cmd.SetErr(&bytes.Buffer{}) + + _, err := cmd.ExecuteC() + + if tt.wantErr != "" { + require.Error(t, err) + assert.Contains(t, err.Error(), tt.wantErr) + } else { + require.NoError(t, err) + assert.Equal(t, tt.wantTag, cfg.Opts.TagName) + assert.Equal(t, tt.wantFile, cfg.Opts.AssetFilePath) + } + }) + } +} + +func Test_verifyAssetRun_Success(t *testing.T) { + ios, _, _, _ := iostreams.Test() + tagName := "v6" + + fakeHTTP := &httpmock.Registry{} + defer fakeHTTP.Verify(t) + + fakeSHA := "1234567890abcdef1234567890abcdef12345678" + shared.StubFetchRefSHA(t, fakeHTTP, "owner", "repo", tagName, fakeSHA) + + baseRepo, err := ghrepo.FromFullName("owner/repo") + require.NoError(t, err) + + result := &verification.AttestationProcessingResult{ + Attestation: &api.Attestation{ + Bundle: data.GitHubReleaseBundle(t), + BundleURL: "https://example.com", + }, + VerificationResult: nil, + } + + releaseAssetPath := test.NormalizeRelativePath("../../attestation/test/data/github_release_artifact.zip") + + cfg := &VerifyAssetConfig{ + Opts: &VerifyAssetOptions{ + AssetFilePath: releaseAssetPath, + TagName: tagName, + BaseRepo: baseRepo, + Exporter: nil, + }, + IO: ios, + HttpClient: &http.Client{Transport: fakeHTTP}, + AttClient: api.NewTestClient(), + AttVerifier: shared.NewMockVerifier(result), + } + + err = verifyAssetRun(cfg) + require.NoError(t, err) +} + +func Test_verifyAssetRun_FailedNoAttestations(t *testing.T) { + ios, _, _, _ := iostreams.Test() + tagName := "v1" + + fakeHTTP := &httpmock.Registry{} + defer fakeHTTP.Verify(t) + fakeSHA := "1234567890abcdef1234567890abcdef12345678" + shared.StubFetchRefSHA(t, fakeHTTP, "owner", "repo", tagName, fakeSHA) + + baseRepo, err := ghrepo.FromFullName("owner/repo") + require.NoError(t, err) + + releaseAssetPath := test.NormalizeRelativePath("../../attestation/test/data/github_release_artifact.zip") + + cfg := &VerifyAssetConfig{ + Opts: &VerifyAssetOptions{ + AssetFilePath: releaseAssetPath, + TagName: tagName, + BaseRepo: baseRepo, + Exporter: nil, + }, + IO: ios, + HttpClient: &http.Client{Transport: fakeHTTP}, + AttClient: api.NewFailTestClient(), + AttVerifier: nil, + } + + err = verifyAssetRun(cfg) + require.ErrorContains(t, err, "no attestations found for tag v1") +} + +func Test_verifyAssetRun_FailedTagNotInAttestation(t *testing.T) { + ios, _, _, _ := iostreams.Test() + + // Tag name does not match the one present in the attestation which + // will be returned by the mock client. Simulates a scenario where + // multiple releases may point to the same commit SHA, but not all + // of them are attested. + tagName := "v1.2.3" + + fakeHTTP := &httpmock.Registry{} + defer fakeHTTP.Verify(t) + fakeSHA := "1234567890abcdef1234567890abcdef12345678" + shared.StubFetchRefSHA(t, fakeHTTP, "owner", "repo", tagName, fakeSHA) + + baseRepo, err := ghrepo.FromFullName("owner/repo") + require.NoError(t, err) + + releaseAssetPath := test.NormalizeRelativePath("../../attestation/test/data/github_release_artifact.zip") + + cfg := &VerifyAssetConfig{ + Opts: &VerifyAssetOptions{ + AssetFilePath: releaseAssetPath, + TagName: tagName, + BaseRepo: baseRepo, + Exporter: nil, + }, + IO: ios, + HttpClient: &http.Client{Transport: fakeHTTP}, + AttClient: api.NewTestClient(), + AttVerifier: nil, + } + + err = verifyAssetRun(cfg) + require.ErrorContains(t, err, "no attestations found for release v1.2.3") +} + +func Test_verifyAssetRun_FailedInvalidAsset(t *testing.T) { + ios, _, _, _ := iostreams.Test() + tagName := "v6" + + fakeHTTP := &httpmock.Registry{} + defer fakeHTTP.Verify(t) + fakeSHA := "1234567890abcdef1234567890abcdef12345678" + shared.StubFetchRefSHA(t, fakeHTTP, "owner", "repo", tagName, fakeSHA) + + baseRepo, err := ghrepo.FromFullName("owner/repo") + require.NoError(t, err) + + releaseAssetPath := test.NormalizeRelativePath("../../attestation/test/data/github_release_artifact_invalid.zip") + + cfg := &VerifyAssetConfig{ + Opts: &VerifyAssetOptions{ + AssetFilePath: releaseAssetPath, + TagName: tagName, + BaseRepo: baseRepo, + Exporter: nil, + }, + IO: ios, + HttpClient: &http.Client{Transport: fakeHTTP}, + AttClient: api.NewTestClient(), + AttVerifier: nil, + } + + err = verifyAssetRun(cfg) + require.ErrorContains(t, err, "attestation for v6 does not contain subject") +} + +func Test_verifyAssetRun_NoSuchAsset(t *testing.T) { + ios, _, _, _ := iostreams.Test() + tagName := "v6" + + fakeHTTP := &httpmock.Registry{} + fakeSHA := "1234567890abcdef1234567890abcdef12345678" + shared.StubFetchRefSHA(t, fakeHTTP, "owner", "repo", tagName, fakeSHA) + + baseRepo, err := ghrepo.FromFullName("owner/repo") + require.NoError(t, err) + + cfg := &VerifyAssetConfig{ + Opts: &VerifyAssetOptions{ + AssetFilePath: "artifact.zip", + TagName: tagName, + BaseRepo: baseRepo, + Exporter: nil, + }, + IO: ios, + HttpClient: &http.Client{Transport: fakeHTTP}, + AttClient: api.NewTestClient(), + AttVerifier: nil, + } + + err = verifyAssetRun(cfg) + require.ErrorContains(t, err, "failed to open local artifact") +} + +func Test_getFileName(t *testing.T) { + tests := []struct { + input string + want string + }{ + {"foo/bar/baz.txt", "baz.txt"}, + {"baz.txt", "baz.txt"}, + {"/tmp/foo.tar.gz", "foo.tar.gz"}, + } + for _, tt := range tests { + t.Run(tt.input, func(t *testing.T) { + got := getFileName(tt.input) + assert.Equal(t, tt.want, got) + }) + } +} diff --git a/pkg/cmd/release/verify/verify.go b/pkg/cmd/release/verify/verify.go new file mode 100644 index 000000000..8c04fe682 --- /dev/null +++ b/pkg/cmd/release/verify/verify.go @@ -0,0 +1,233 @@ +package verify + +import ( + "context" + "fmt" + "net/http" + + "github.com/MakeNowJust/heredoc" + v1 "github.com/in-toto/attestation/go/v1" + "google.golang.org/protobuf/encoding/protojson" + + "github.com/cli/cli/v2/internal/ghrepo" + "github.com/cli/cli/v2/internal/tableprinter" + "github.com/cli/cli/v2/pkg/cmd/attestation/api" + "github.com/cli/cli/v2/pkg/cmd/attestation/artifact" + att_io "github.com/cli/cli/v2/pkg/cmd/attestation/io" + "github.com/cli/cli/v2/pkg/cmd/attestation/verification" + "github.com/cli/cli/v2/pkg/cmd/release/shared" + "github.com/cli/cli/v2/pkg/iostreams" + + "github.com/cli/cli/v2/pkg/cmdutil" + "github.com/spf13/cobra" +) + +type VerifyOptions struct { + TagName string + BaseRepo ghrepo.Interface + Exporter cmdutil.Exporter +} + +type VerifyConfig struct { + HttpClient *http.Client + IO *iostreams.IOStreams + Opts *VerifyOptions + AttClient api.Client + AttVerifier shared.Verifier +} + +func NewCmdVerify(f *cmdutil.Factory, runF func(config *VerifyConfig) error) *cobra.Command { + opts := &VerifyOptions{} + + cmd := &cobra.Command{ + Use: "verify []", + Short: "Verify the attestation for a GitHub Release.", + Hidden: true, + Args: cobra.MaximumNArgs(1), + Long: heredoc.Doc(` + Verify that a GitHub Release is accompanied by a valid cryptographically signed attestation. + + ## Understanding Verification + + An attestation is a claim made by GitHub regarding a release and its assets. + + ## What This Command Does + + This command checks that the specified release (or the latest release, if no tag is given) has a valid attestation. + It fetches the attestation for the release and prints out metadata about all assets referenced in the attestation, including their digests. + `), + Example: heredoc.Doc(` + # Verify the latest release + gh release verify + + # Verify a specific release by tag + gh release verify v1.2.3 + + # Verify a specific release by tag and output the attestation in JSON format + gh release verify v1.2.3 --format json + `), + RunE: func(cmd *cobra.Command, args []string) error { + if len(args) > 0 { + opts.TagName = args[0] + } + + baseRepo, err := f.BaseRepo() + if err != nil { + return fmt.Errorf("failed to determine base repository: %w", err) + } + + opts.BaseRepo = baseRepo + + httpClient, err := f.HttpClient() + if err != nil { + return err + } + + io := f.IOStreams + attClient := api.NewLiveClient(httpClient, baseRepo.RepoHost(), att_io.NewHandler(io)) + + attVerifier := &shared.AttestationVerifier{ + AttClient: attClient, + HttpClient: httpClient, + IO: io, + } + + config := &VerifyConfig{ + Opts: opts, + HttpClient: httpClient, + AttClient: attClient, + AttVerifier: attVerifier, + IO: io, + } + + if runF != nil { + return runF(config) + } + return verifyRun(config) + }, + } + cmdutil.AddFormatFlags(cmd, &opts.Exporter) + + return cmd +} + +func verifyRun(config *VerifyConfig) error { + ctx := context.Background() + opts := config.Opts + baseRepo := opts.BaseRepo + tagName := opts.TagName + + if tagName == "" { + release, err := shared.FetchLatestRelease(ctx, config.HttpClient, baseRepo) + if err != nil { + return err + } + tagName = release.TagName + } + + // Retrieve the ref for the release tag + ref, err := shared.FetchRefSHA(ctx, config.HttpClient, baseRepo, tagName) + if err != nil { + return err + } + + releaseRefDigest := artifact.NewDigestedArtifactForRelease(ref, "sha1") + + // Find all the attestations for the release tag SHA + attestations, err := config.AttClient.GetByDigest(api.FetchParams{ + Digest: releaseRefDigest.DigestWithAlg(), + PredicateType: shared.ReleasePredicateType, + Owner: baseRepo.RepoOwner(), + Repo: baseRepo.RepoOwner() + "/" + baseRepo.RepoName(), + // TODO: Allow this value to be set via a flag. + // The limit is set to 100 to ensure we fetch all attestations for a given SHA. + // While multiple attestations can exist for a single SHA, + // only one attestation is associated with each release tag. + Limit: 100, + }) + if err != nil { + return fmt.Errorf("no attestations for tag %s (%s)", tagName, releaseRefDigest.DigestWithAlg()) + } + + // Filter attestations by tag name + filteredAttestations, err := shared.FilterAttestationsByTag(attestations, tagName) + if err != nil { + return fmt.Errorf("error parsing attestations for tag %s: %w", tagName, err) + } + + if len(filteredAttestations) == 0 { + return fmt.Errorf("no attestations found for release %s in %s", tagName, baseRepo.RepoName()) + } + + if len(filteredAttestations) > 1 { + return fmt.Errorf("duplicate attestations found for release %s in %s", tagName, baseRepo.RepoName()) + } + + // Verify attestation + verified, err := config.AttVerifier.VerifyAttestation(releaseRefDigest, filteredAttestations[0]) + if err != nil { + return fmt.Errorf("failed to verify attestations for tag %s: %w", tagName, err) + } + + // If an exporter is provided with the --json flag, write the results to the terminal in JSON format + if opts.Exporter != nil { + return opts.Exporter.Write(config.IO, verified) + } + + io := config.IO + cs := io.ColorScheme() + fmt.Fprintf(io.Out, "Resolved tag %s to %s\n", tagName, releaseRefDigest.DigestWithAlg()) + fmt.Fprint(io.Out, "Loaded attestation from GitHub API\n") + fmt.Fprintf(io.Out, cs.Green("%s Release %s verified!\n"), cs.SuccessIcon(), tagName) + fmt.Fprintln(io.Out) + + if err := printVerifiedSubjects(io, verified); err != nil { + return err + } + + return nil +} + +func printVerifiedSubjects(io *iostreams.IOStreams, att *verification.AttestationProcessingResult) error { + cs := io.ColorScheme() + w := io.Out + + statement := att.Attestation.Bundle.GetDsseEnvelope().Payload + var statementData v1.Statement + + err := protojson.Unmarshal([]byte(statement), &statementData) + if err != nil { + return err + } + + // If there aren't at least two subjects, there are no assets to display + if len(statementData.Subject) < 2 { + return nil + } + + fmt.Fprintln(w, cs.Bold("Assets")) + table := tableprinter.New(io, tableprinter.WithHeader("Name", "Digest")) + + for _, s := range statementData.Subject { + name := s.Name + digest := s.Digest + + if name != "" { + digestStr := "" + for key, value := range digest { + digestStr = key + ":" + value + } + + table.AddField(name) + table.AddField(digestStr) + table.EndRow() + } + } + err = table.Render() + if err != nil { + return err + } + fmt.Fprintln(w) + + return nil +} diff --git a/pkg/cmd/release/verify/verify_test.go b/pkg/cmd/release/verify/verify_test.go new file mode 100644 index 000000000..40009fc7d --- /dev/null +++ b/pkg/cmd/release/verify/verify_test.go @@ -0,0 +1,165 @@ +package verify + +import ( + "bytes" + "net/http" + "testing" + + "github.com/cli/cli/v2/internal/ghrepo" + "github.com/cli/cli/v2/pkg/cmd/attestation/api" + "github.com/cli/cli/v2/pkg/cmd/attestation/test/data" + "github.com/cli/cli/v2/pkg/cmd/attestation/verification" + "github.com/cli/cli/v2/pkg/cmd/release/shared" + "github.com/cli/cli/v2/pkg/cmdutil" + "github.com/cli/cli/v2/pkg/httpmock" + "github.com/cli/cli/v2/pkg/iostreams" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestNewCmdVerify_Args(t *testing.T) { + tests := []struct { + name string + args []string + wantTag string + wantErr string + }{ + { + name: "valid tag arg", + args: []string{"v1.2.3"}, + wantTag: "v1.2.3", + }, + { + name: "no tag arg", + args: []string{}, + wantTag: "", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + testIO, _, _, _ := iostreams.Test() + f := &cmdutil.Factory{ + IOStreams: testIO, + HttpClient: func() (*http.Client, error) { + return nil, nil + }, + BaseRepo: func() (ghrepo.Interface, error) { + return ghrepo.FromFullName("owner/repo") + }, + } + + var cfg *VerifyConfig + cmd := NewCmdVerify(f, func(c *VerifyConfig) error { + cfg = c + return nil + }) + cmd.SetArgs(tt.args) + cmd.SetIn(&bytes.Buffer{}) + cmd.SetOut(&bytes.Buffer{}) + cmd.SetErr(&bytes.Buffer{}) + + _, err := cmd.ExecuteC() + + require.NoError(t, err) + assert.Equal(t, tt.wantTag, cfg.Opts.TagName) + }) + } +} + +func Test_verifyRun_Success(t *testing.T) { + ios, _, _, _ := iostreams.Test() + tagName := "v6" + + fakeHTTP := &httpmock.Registry{} + defer fakeHTTP.Verify(t) + + fakeSHA := "1234567890abcdef1234567890abcdef12345678" + shared.StubFetchRefSHA(t, fakeHTTP, "owner", "repo", tagName, fakeSHA) + + baseRepo, err := ghrepo.FromFullName("owner/repo") + require.NoError(t, err) + + result := &verification.AttestationProcessingResult{ + Attestation: &api.Attestation{ + Bundle: data.GitHubReleaseBundle(t), + BundleURL: "https://example.com", + }, + VerificationResult: nil, + } + + cfg := &VerifyConfig{ + Opts: &VerifyOptions{ + TagName: tagName, + BaseRepo: baseRepo, + Exporter: nil, + }, + IO: ios, + HttpClient: &http.Client{Transport: fakeHTTP}, + AttClient: api.NewTestClient(), + AttVerifier: shared.NewMockVerifier(result), + } + + err = verifyRun(cfg) + require.NoError(t, err) +} + +func Test_verifyRun_FailedNoAttestations(t *testing.T) { + ios, _, _, _ := iostreams.Test() + tagName := "v1" + + fakeHTTP := &httpmock.Registry{} + defer fakeHTTP.Verify(t) + fakeSHA := "1234567890abcdef1234567890abcdef12345678" + shared.StubFetchRefSHA(t, fakeHTTP, "owner", "repo", tagName, fakeSHA) + + baseRepo, err := ghrepo.FromFullName("owner/repo") + require.NoError(t, err) + + cfg := &VerifyConfig{ + Opts: &VerifyOptions{ + TagName: tagName, + BaseRepo: baseRepo, + Exporter: nil, + }, + IO: ios, + HttpClient: &http.Client{Transport: fakeHTTP}, + AttClient: api.NewFailTestClient(), + AttVerifier: nil, + } + + err = verifyRun(cfg) + require.ErrorContains(t, err, "no attestations for tag v1") +} + +func Test_verifyRun_FailedTagNotInAttestation(t *testing.T) { + ios, _, _, _ := iostreams.Test() + + // Tag name does not match the one present in the attestation which + // will be returned by the mock client. Simulates a scenario where + // multiple releases may point to the same commit SHA, but not all + // of them are attested. + tagName := "v1.2.3" + + fakeHTTP := &httpmock.Registry{} + defer fakeHTTP.Verify(t) + fakeSHA := "1234567890abcdef1234567890abcdef12345678" + shared.StubFetchRefSHA(t, fakeHTTP, "owner", "repo", tagName, fakeSHA) + + baseRepo, err := ghrepo.FromFullName("owner/repo") + require.NoError(t, err) + + cfg := &VerifyConfig{ + Opts: &VerifyOptions{ + TagName: tagName, + BaseRepo: baseRepo, + Exporter: nil, + }, + IO: ios, + HttpClient: &http.Client{Transport: fakeHTTP}, + AttClient: api.NewTestClient(), + AttVerifier: nil, + } + + err = verifyRun(cfg) + require.ErrorContains(t, err, "no attestations found for release v1.2.3") +}