@mnsboev mnsboev commented Aug 1, 2025

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • All static analysis checks passed.
  • Appropriate label is added to auto generate release notes.
  • I used gofmt for formatting the code before submitting the pull request.
  • PR description is clear and concise, and it includes the proposed solution/fix.

Description:
Sigstore Bundle verification support is added.

Example of call:
jf evd verify --subject-repo-path cli-sigstore-test/commons-1.0.0.txt

Example of output:
Subject sha256: 434728a410a78f56fc1b5899c3593436e61ab0c731e9072d95e96db290205e53
Subject: cli-sigstore-test/commons-1.0.0.txt
Loaded 18 evidence

Verification passed for 18 out of 18 evidence

  • Evidence 1:
    • Media type: sigstore.bundle
    • Predicate type: in-toto
    • Evidence subject sha256: 434728a410a78f56fc1b5899c3593436e61ab0c731e9072d95e96db290205e53
    • Key source: Sigstore Bundle Key
    • Sha256 verification status: success
    • Signatures verification status: success
    • Timestamp verification status: success
      ...

@mnsboev mnsboev added the new feature Automatically generated release notes label Aug 1, 2025
@mnsboev mnsboev force-pushed the sigstore-bundle-verification branch from ff2829c to 234da5a Compare August 1, 2025 12:58
@alenon alenon left a comment

support cosign generated Sigstore Bundles (Statement v0.1)

@mnsboev mnsboev force-pushed the sigstore-bundle-verification branch from adf3ccb to 0beac36 Compare August 5, 2025 08:46
@mnsboev mnsboev merged commit d5a26e5 into jfrog:main Aug 5, 2025
10 of 11 checks passed
naveenku-jfrog pushed a commit to naveenku-jfrog/jfrog-cli-artifactory that referenced this pull request Aug 13, 2025