feat: allow manual sigstore trust root

tinfoilanalytics · Jan 27, 2025 · 41cde7c · 41cde7c
1 parent fadcd1f
commit 41cde7c
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 11 deletions.
diff --git a/pkg/client/client.go b/pkg/client/client.go
@@ -40,7 +40,7 @@ func (s *SecureClient) Verify() (*EnclaveState, error) {
 		return nil, fmt.Errorf("failed to fetch attestation bundle: %v", err)
 	}
 
-	codeMeasurements, err := sigstore.VerifyAttestation(sigstoreBundle, eifHash, s.repo)
+	codeMeasurements, err := sigstore.VerifyAttestation(sigstoreBundle, eifHash, s.repo, nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed to verify attested measurements: %v", err)
 	}

diff --git a/pkg/sigstore/sigstore.go b/pkg/sigstore/sigstore.go
@@ -19,8 +19,8 @@ const (
 	oidcIssuer = "https://token.actions.githubusercontent.com"
 )
 
-// fetchTrustRoot fetches the trust root from the Sigstore TUF repo
-func fetchTrustRoot() (*root.TrustedRoot, error) {
+// FetchTrustRoot fetches the trust root from the Sigstore TUF repo
+func FetchTrustRoot() ([]byte, error) {
 	tufOpts := tuf.
 		DefaultOptions().
 		WithDisableLocalCache().
@@ -30,23 +30,27 @@ func fetchTrustRoot() (*root.TrustedRoot, error) {
 		return nil, err
 	}
 
-	trustRootJSON, err := client.GetTarget("trusted_root.json")
-	if err != nil {
-		return nil, fmt.Errorf("failed to get trusted_root.json: %w", err)
-	}
-
-	return root.NewTrustedRootFromJSON(trustRootJSON)
+	return client.GetTarget("trusted_root.json")
 }
 
 // VerifyAttestation verifies the attested measurements of an enclave image
 // against a trusted root (Sigstore) and returns the measurement payload contained in the DSSE.
 func VerifyAttestation(
 	bundleJSON []byte,
 	hexDigest, repo string,
+	trustRootJSON []byte,
 ) (*attestation.Measurement, error) {
-	trustRoot, err := fetchTrustRoot()
+	if trustRootJSON == nil {
+		var err error
+		trustRootJSON, err = FetchTrustRoot()
+		if err != nil {
+			return nil, fmt.Errorf("fetching trust root: %w", err)
+		}
+	}
+
+	trustRoot, err := root.NewTrustedRootFromJSON(trustRootJSON)
 	if err != nil {
-		return nil, fmt.Errorf("fetching trust root: %w", err)
+		return nil, fmt.Errorf("parsing trust root: %w", err)
 	}
 
 	var b bundle.Bundle