tweak output of build policy info

pkg/cmd/attestation/verification/policy.go

@@ -3,6 +3,7 @@ package verification
 import (
 	"encoding/hex"
 	"fmt"
+	"strings"
 
 	"github.com/cli/cli/v2/pkg/cmd/attestation/artifact"
 
@@ -51,34 +52,43 @@ func (c EnforcementCriteria) Valid() error {
 }
 
 func (c EnforcementCriteria) BuildPolicyInformation() string {
-	policyInfo :=
-		fmt.Sprintf(`
-The following policy criteria will be enforced against all attestations:
-- Predicate type must match %s`, c.PredicateType)
+	policyAttr := make([][]string, 0, 6)
 
+	policyAttr = appendStr(policyAttr, "- OIDC Issuer must match", c.Certificate.Issuer)
 	if c.Certificate.RunnerEnvironment == GitHubRunner {
-		runnerInfo := "\n- Attestation must have been generated by an Action workflow executed in a GitHub-hosted runner"
-		policyInfo += runnerInfo
+		policyAttr = appendStr(policyAttr, "- Action workflow Runner Environment must match ", GitHubRunner)
 	}
 
-	ownerUriInfo := fmt.Sprintf("\n- Source Repository Owner URI must match %s", c.Certificate.SourceRepositoryOwnerURI)
-	policyInfo += ownerUriInfo
+	policyAttr = appendStr(policyAttr, "- Source Repository Owner URI must match", c.Certificate.SourceRepositoryOwnerURI)
 
 	if c.Certificate.SourceRepositoryURI != "" {
-		repoUriInfo := fmt.Sprintf("\n- Source Repository URI must match %s", c.Certificate.SourceRepositoryURI)
-		policyInfo += repoUriInfo
+		policyAttr = appendStr(policyAttr, "- Source Repository URI must match", c.Certificate.SourceRepositoryURI)
 	}
 
-	issuerInfo := fmt.Sprintf("\n- Signing certificate's OIDC issuer must match %s", c.Certificate.Issuer)
-	policyInfo += issuerInfo
+	policyAttr = appendStr(policyAttr, "- Predicate type must match", c.PredicateType)
 
 	if c.SAN != "" {
-		sanInfo := fmt.Sprintf("\n- Signing certificate Subject Alternative Name must match %s", c.SAN)
-		policyInfo += sanInfo
+		policyAttr = appendStr(policyAttr, "- Subject Alternative Name must match", c.SAN)
 	} else if c.SANRegex != "" {
-		sanRegexInfo := fmt.Sprintf("\n- Signing certificate Subject Alternative Name must match the regex %s", c.SANRegex)
-		policyInfo += sanRegexInfo
+		policyAttr = appendStr(policyAttr, "- Subject Alternative Name must match regex", c.SANRegex)
+	}
+
+	maxColLen := 0
+	for _, attr := range policyAttr {
+		if len(attr[0]) > maxColLen {
+			maxColLen = len(attr[0])
+		}
+	}
+
+	policyInfo := ""
+	for _, attr := range policyAttr {
+		dots := strings.Repeat(".", maxColLen-len(attr[0]))
+		policyInfo += fmt.Sprintf("%s:%s %s\n", attr[0], dots, attr[1])
 	}
 
 	return policyInfo
 }
+
+func appendStr(arr [][]string, a, b string) [][]string {
+	return append(arr, []string{a, b})
+}

pkg/cmd/attestation/verify/verify.go

@@ -243,6 +243,7 @@ func runVerify(opts *Options) error {
 	attestations = filteredAttestations
 
 	// print information about the policy that will be enforced against attestations
+	opts.Logger.Println("\nThe following policy criteria will be enforced:")
 	opts.Logger.Println(ec.BuildPolicyInformation())
 
 	verified, errMsg, err := verifyAttestations(*artifact, attestations, opts.SigstoreVerifier, ec)
@@ -251,7 +252,7 @@ func runVerify(opts *Options) error {
 		return err
 	}
 
-	opts.Logger.Println(opts.Logger.ColorScheme.Green("\n✓ Verification succeeded!\n"))
+	opts.Logger.Println(opts.Logger.ColorScheme.Green("✓ Verification succeeded!\n"))
 
 	// If an exporter is provided with the --json flag, write the results to the terminal in JSON format
 	if opts.exporter != nil {