add more verification integration tests

Signed-off-by: Meredith Lancaster <malancas@github.com>

test/integration/attestation-cmd/verify/verify-with-custom-trusted-root.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Get the root directory of the repository
+rootDir="$(git rev-parse --show-toplevel)"
+
+ghBuildPath="$rootDir/bin/gh"
+
+artifactPath="$rootDir/pkg/cmd/attestation/test/data/sigstore-js-2.1.0.tgz"
+bundlePath="$rootDir/pkg/cmd/attestation/test/data/sigstore-js-2.1.0_with_2_bundles.jsonl"
+
+# Download a custom trusted root for verification
+if ! $ghBuildPath attestation trusted-root > trusted_root.jsonl; then
+    # cleanup test data
+    echo "Failed to download trusted root"
+    exit 1
+fi
+
+if ! $ghBuildPath attestation verify "$artifactPath" -b "$bundlePath" --digest-alg=sha512 --owner=sigstore --custom-trusted-root trusted_root.jsonl; then
+    echo "Failed to verify package with a Sigstore v0.2.0 bundle"
+    exit 1
+fi

test/integration/attestation-cmd/verify/verify-with-internal-github-sigstore.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Get the root directory of the repository
+rootDir="$(git rev-parse --show-toplevel)"
+
+ghBuildPath="$rootDir/bin/gh"
+
+ghCLIArtifact="$rootDir/pkg/cmd/attestation/test/data/gh_2.60.1_windows_arm64.zip"
+
+# Verify the gh CLI artifact
+echo "Testing with package $ghCLIArtifact"
+if ! $ghBuildPath attestation verify "$ghCLIArtifact" --digest-alg=sha256 --owner=cli; then
+    echo "Failed to verify"
+    exit 1
+fi