verify_provenance.sh
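#!/bin/sh
# This script extracts and verifies provenance from the most recent TaskRun.
#
# Flow: read the image URL and digest results from the last TaskRun, fetch the
# matching BUILD occurrence from Container Analysis, pull the DSSE envelope out
# of it, and check the envelope's signature with cosign.
#
# Prerequisites:
# - install `cosign`, `jq` and `curl` (7.55 or newer, for `-H @file`).
# - set up Application Default Credentials by running `gcloud auth application-default login`.
# - `env.sh` next to this script is expected to set `tkn` and `PROJECT`.
# - optional: EXPECTED_KEY_REF, the key reference the provenance must be signed
#   with. When it is unset the key reference named *inside* the envelope is
#   used, i.e. the data being verified also picks the verification key.
set -e

# Print a diagnostic to stderr and exit non-zero.
die() {
  printf 'verify_provenance: %s\n' "$*" >&2
  exit 1
}

dir=$(dirname -- "$0")
. "${dir}"/env.sh
: "${tkn:?tkn must be set by env.sh}"
: "${PROJECT:?PROJECT must be set by env.sh}"

# Scratch directory; the EXIT trap removes it on every exit path, not only on
# success, so no intermediate files (including the access token) linger.
TMP=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf "${TMP}"' EXIT

# NOTE(review): results are addressed by position (digest first, URL second);
# confirm this matches the result order of the TaskRun being inspected.
# ${tkn} is left unquoted on purpose so env.sh may include options in it.
# shellcheck disable=SC2086
IMAGE_URL=$(${tkn} tr describe --last -o jsonpath="{.status.results[1].value}")
# shellcheck disable=SC2086
IMAGE_DIGEST=$(${tkn} tr describe --last -o jsonpath="{.status.results[0].value}")
[ -n "${IMAGE_URL}" ] && [ -n "${IMAGE_DIGEST}" ] \
  || die "could not read IMAGE_URL/IMAGE_DIGEST from the last TaskRun"

# The bearer token is passed to curl through a header file rather than on the
# command line so it does not show up in `ps` output.
token=$(gcloud auth print-access-token) || die "gcloud auth print-access-token failed"
headers=${TMP}/headers
printf 'Authorization: Bearer %s\n' "${token}" > "${headers}"
unset token

# A function instead of an alias: non-interactive shells (bash in particular)
# do not expand aliases, so an `alias gcurl=...` is not usable under every
# /bin/sh. --fail turns HTTP errors into a non-zero exit instead of an error
# body that jq would later read as null.
gcurl() {
  curl -sS --fail -X GET -H "Content-Type: application/json" -H @"${headers}" "$@"
}

# -G/--data-urlencode builds the query string with proper URL encoding of the
# quotes and spaces in the filter expression.
filter="resourceUrl=\"${IMAGE_URL}@${IMAGE_DIGEST}\" AND kind=\"BUILD\""
full=${TMP}/full
gcurl -G --data-urlencode "filter=${filter}" \
  "https://containeranalysis.googleapis.com/v1/projects/${PROJECT}/occurrences" > "${full}"

# Fail with a clear message when no occurrence came back, instead of feeding
# the string "null" to base64 further down.
envelope=${TMP}/envelope
jq -e '.occurrences[0].envelope' "${full}" > "${envelope}" \
  || die "no BUILD occurrence found for ${IMAGE_URL}@${IMAGE_DIGEST}"

# This is the signing key, as named by the envelope itself.
KEY_REF=$(jq -r '.signatures[0].keyid' "${envelope}")
if [ -n "${EXPECTED_KEY_REF:-}" ]; then
  # Pin the key: a signature is only meaningful against a key the verifier
  # chose, not one the attestation points at.
  [ "${KEY_REF}" = "${EXPECTED_KEY_REF}" ] \
    || die "envelope names key ${KEY_REF}, expected ${EXPECTED_KEY_REF}"
else
  printf 'warning: EXPECTED_KEY_REF not set; trusting key reference from the envelope (%s)\n' \
    "${KEY_REF}" >&2
fi

# Extract the signature (base64url -> base64 before decoding).
signature=${TMP}/signature
jq -r '.signatures[0].sig' "${envelope}" | tr '\-_' '+/' | base64 -d > "${signature}"

# Extract the payload the same way.
payload=${TMP}/payload
jq -r '.payload' "${envelope}" | tr '\-_' '+/' | base64 -d > "${payload}"
payload_type=$(jq -r '.payloadType' "${envelope}")

# A DSSE signature covers the pre-authentication encoding (PAE) of the payload
# type and payload, not the payload bytes alone:
#   "DSSEv1 " LEN(type) " " type " " LEN(payload) " " payload
# so the PAE is what cosign is handed as the blob. Lengths are byte counts;
# ${#payload_type} is a character count, which matches for an ASCII media type.
# NOTE(review): this assumes the producer signed per the DSSE spec; confirm
# against the signer if verification fails.
pae=${TMP}/pae
payload_len=$(wc -c < "${payload}" | tr -d ' ')
{
  printf 'DSSEv1 %d %s %d ' "${#payload_type}" "${payload_type}" "${payload_len}"
  cat "${payload}"
} > "${pae}"

# Verify the signature over the PAE.
cosign verify-blob --key "${KEY_REF}" --signature "${signature}" "${pae}" \
  || die "signature verification failed for ${IMAGE_URL}@${IMAGE_DIGEST}"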