Allow signed artifacts used via input.http to also be verified similar to bundles.
Proposed helpers:
artifact_attestation(input.http, filename) - Verifies the artifact against a signed sigstore bundle file. Returns a struct with signature info fields.
github_attestation(input.http, repo_name) - Similar, but instead of needing to pass the file directly, it is pulled by digest via the GitHub API. The signed attestation needs to be uploaded to the GitHub repo.
The sigstore bundle needs to have a valid Fulcio signature, but no specific signer identity is needed for these helpers. Identity can be checked based on the helper return value.
I think we can also extend the current docker_github_builder and docker_github_builder_tag to directly accept input.http and perform github_attestation with extra conditions internally. Maybe a new docker_github_builder_bundle(input.http, filename) to allow the file to be passed in directly as well.
All the places that accept filenames could also accept URLs.
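As an added usage sketch (not part of the original proposal, and not code from the project), the following policy shows how the proposed artifact_attestation helper could be combined with an identity check on its return value, since the helper itself only establishes a valid Fulcio signature. The policy language is assumed to be Rego, and the return fields `subject` and `issuer`, the bundle filename and the expected identity values are all hypothetical sample values, not something the proposal defines.

```rego
package policy

import rego.v1

# Added example, not from the original proposal. Assumes (hypothetically)
# that artifact_attestation returns an object with `subject` (certificate
# SAN) and `issuer` (OIDC issuer) fields.

default allow := false

# Constructed sample values: the bundle shipped next to the artifact and
# the identity we expect to have signed it.
bundle_file := "artifact.sigstore.json"
expected_subject := "https://github.com/example-org/example-repo/.github/workflows/release.yml@refs/heads/main"
expected_issuer := "https://token.actions.githubusercontent.com"

# The helper verifies the artifact fetched via input.http against the
# bundle (valid Fulcio signature), but enforces no particular signer.
attestation := artifact_attestation(input.http, bundle_file)

# Identity is enforced by the policy on the returned fields, so a bundle
# signed by any other workflow or issuer is rejected.
allow if {
    attestation.subject == expected_subject
    attestation.issuer == expected_issuer
}
```

Pinning both the subject and the issuer matters: the subject alone can be satisfied by a different OIDC provider that issues the same string, and the issuer alone accepts any workflow in any repository.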