Conversation

@mnsboev mnsboev commented Jun 18, 2025

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • All static analysis checks passed.
  • This pull request is on the dev branch.
  • I used gofmt for formatting the code before submitting the pull request.

Evidence Verification Command for Artifacts, Packages, Release Bundles, and Builds

This command verifies evidences related to artifacts, packages, release bundles, and builds. It checks the SHA-256 hash of the subject against the SHA-256 hashes in each piece of evidence pinned to that subject, and verifies the signatures in each piece of evidence first with the provided keys and then with public keys in Artifactory. This functionality incorporates changes from this PR.

The command has the same arguments as the jf evd create command for specifying the subject of verification:

  • --build-name [Optional] Build name.
  • --build-number [Optional] Build number.
  • --package-name [Optional] Package name.
  • --package-repo-name [Optional] Package repository name.
  • --package-version [Optional] Package version.
  • --project [Optional] Project key associated with the created evidence.
  • --release-bundle [Optional] Release bundle name.
  • --release-bundle-version [Optional] Release bundle version.
  • --subject-repo-path [Optional] Full path to the subject's location.

Additionally, three new arguments have been added. The first specifies the output type, and the second accepts public keys:

  • --format [Optional] Output format. Supported formats: 'json'.
  • --keys [Optional] Paths to public keys for signature verification.
  • --use-artifactory-keys [Default:false] When this option is set to true, the verify command fetches public keys from RT.

Examples:

jf evd verify --subject-repo-path catalina-dev-docker-local/file.txt --format json --keys "../../../bash/public.pem;../../../bash/rsa_public.pem"
jf evd verify --release-bundle osaidtest --release-bundle-version 1
jf evd verify --build-name sonar-evidence-example --build-number 77 --use-artifactory-keys
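The two checks the description lists (subject SHA-256 pinned in the evidence, then DSSE signature verified with provided keys before Artifactory keys) as an added, self-contained Go example. This is not code from jfrog-cli-artifactory; the in-toto statement layout, the DSSE pre-authentication encoding, the key id "sample-key", and the helper names VerifyEvidence and BuildSample are assumptions made for illustration, and the signed sample is constructed in BuildSample rather than fetched from Artifactory.

```go
package main

// Added example, not jfrog-cli-artifactory code. Models the checks described in
// the PR: subject digest must appear in the evidence, then the DSSE signature
// must verify with provided keys first and Artifactory keys second.
// Key ids, helper names and the sample evidence are assumptions.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Subject and Statement follow the in-toto statement layout carried in the payload.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

type Statement struct {
	Type          string    `json:"_type"`
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
}

// Envelope is a DSSE envelope: base64 payload plus base64 signatures.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// pae is the DSSE pre-authentication encoding, the bytes that are actually signed.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// verifySignature tries each signature against each candidate key and returns
// the id of the key that verified it.
func verifySignature(env Envelope, payload []byte, keys map[string]ed25519.PublicKey) (string, error) {
	msg := pae(env.PayloadType, payload)
	for _, sig := range env.Signatures {
		raw, err := base64.StdEncoding.DecodeString(sig.Sig)
		if err != nil {
			continue // malformed signature field: try the next one
		}
		for id, pub := range keys {
			if ed25519.Verify(pub, msg, raw) {
				return id, nil
			}
		}
	}
	return "", errors.New("no candidate key verified the signature")
}

// VerifyEvidence reports which key set ("provided" or "artifactory") verified
// the evidence, or an error when the digest check or the signature check fails.
func VerifyEvidence(subjectSHA256 string, env Envelope, provided, artifactory map[string]ed25519.PublicKey) (string, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return "", fmt.Errorf("decode payload: %w", err)
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return "", fmt.Errorf("parse statement: %w", err)
	}
	pinned := false // step 1: evidence must be pinned to this subject by SHA-256
	for _, s := range st.Subject {
		if strings.EqualFold(s.Digest["sha256"], subjectSHA256) {
			pinned = true
			break
		}
	}
	if !pinned {
		return "", errors.New("subject sha256 not found in evidence")
	}
	// Step 2: provided keys take precedence, Artifactory keys are the fallback.
	if _, err := verifySignature(env, payload, provided); err == nil {
		return "provided", nil
	}
	if _, err := verifySignature(env, payload, artifactory); err == nil {
		return "artifactory", nil
	}
	return "", errors.New("signature did not verify with any provided or Artifactory key")
}

// BuildSample constructs (not real project data) a subject digest and a signed
// envelope over it, and returns the verifying public key under an assumed key id.
func BuildSample() (string, Envelope, map[string]ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256([]byte("constructed artifact bytes"))
	sha := hex.EncodeToString(sum[:])
	st := Statement{Type: "https://in-toto.io/Statement/v1", PredicateType: "https://example.invalid/predicate/v1",
		Subject: []Subject{{Name: "file.txt", Digest: map[string]string{"sha256": sha}}}}
	payload, _ := json.Marshal(st)
	env := Envelope{PayloadType: "application/vnd.in-toto+json", Payload: base64.StdEncoding.EncodeToString(payload)}
	sig := ed25519.Sign(priv, pae(env.PayloadType, payload))
	env.Signatures = []Signature{{KeyID: "sample-key", Sig: base64.StdEncoding.EncodeToString(sig)}}
	return sha, env, map[string]ed25519.PublicKey{"sample-key": pub}
}

func main() {
	sha, env, keys := BuildSample()
	fmt.Println(VerifyEvidence(sha, env, keys, nil))                    // provided <nil>
	fmt.Println(VerifyEvidence(sha, env, nil, keys))                    // artifactory <nil>
	fmt.Println(VerifyEvidence(strings.Repeat("0", 64), env, keys, nil)) // digest mismatch error
	fmt.Println(VerifyEvidence(sha, env, nil, nil))                     // no key verifies error
}
```

The order of the two key sets matters for the same reason it does in the command: a signature that verifies with a caller-supplied key is attributed to that key even if an Artifactory key would also verify it, and the digest check runs before any signature work so evidence pinned to a different subject is rejected regardless of who signed it.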

@mnsboev mnsboev added the new feature Automatically generated release notes label Jun 24, 2025
@mnsboev mnsboev force-pushed the evidence-verification-command branch 3 times, most recently from 87834a6 to 22444cf Compare June 24, 2025 14:47
@mnsboev mnsboev force-pushed the evidence-verification-command branch 2 times, most recently from 08f921c to 24e7c26 Compare June 25, 2025 12:47
@mnsboev mnsboev force-pushed the evidence-verification-command branch from 73e75b7 to a9adb11 Compare July 7, 2025 14:36

@alenon alenon left a comment

dsse_test should be removed

@mnsboev mnsboev force-pushed the evidence-verification-command branch from 85aa5a7 to 584c3bd Compare July 10, 2025 13:35
@mnsboev mnsboev force-pushed the evidence-verification-command branch from 584c3bd to e2c0378 Compare July 10, 2025 13:56
@mnsboev mnsboev force-pushed the evidence-verification-command branch from e2c0378 to b144dc9 Compare July 10, 2025 14:06
@mnsboev mnsboev merged commit 084c3ca into jfrog:main Jul 10, 2025
10 of 11 checks passed
naveenku-jfrog pushed a commit to naveenku-jfrog/jfrog-cli-artifactory that referenced this pull request Aug 13, 2025