Scripts to create and test fetching attestations

vsa/README.md

@@ -0,0 +1,14 @@
+# create multiple images each with a vsa attached
+```bash
+create-multiple-VSAs.sh
+```
+
+# get attestation from an oci registry
+```bash
+oci_get_entry.sh
+```
+
+# get an entry from rekor by digest
+```bash
+rekor_get_entry.sh
+```

vsa/create-multiple-VSAs.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REPO="quay.io/jstuart/hacbs-docker-build"
+KEY="cosign.key"
+mkdir -p blobs predicates
+
+for i in {1..2}; do
+  blob="blobs/file-$i.txt"
+  echo "This is blob $i" > "$blob"
+
+  digest=$(oras push "$REPO:blob-$i" "$blob:application/vnd.test.file" 2>&1 | grep "Digest:" | awk '{print $2}')
+  echo "Got digest: $digest"
+
+  pred="predicates/predicate-$i.json"
+  cat > "$pred" <<EOF
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "subject": [{
+    "name": "$REPO:blob-$i",
+    "digest": { "sha256": "${digest#sha256:}" }
+  }],
+  "predicateType": "https://slsa.dev/verification_summary/v0.1",
+  "predicate": {
+    "verifier": { "id": "conforma.dev" },
+    "policy": {
+      "uri": "github.com/enterprise-contract/policy",
+      "digest": { "sha256": "d$(printf %03d "$i")deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead" }
+    },
+    "verification_result": "PASSED",
+    "policy_level": "redhat"
+  }
+}
+EOF
+REKOR_URL="https://rekor-server-trusted-artifact-signer.apps.rosa.rekor-stage.ic5w.p3.openshiftapps.com"
+#REKOR_URL="https://rekor.sigstore.dev"
+  cosign attest \
+    --key "$KEY" \
+    --predicate "$pred" \
+    --type "https://slsa.dev/verification_summary/v0.1" \
+    --rekor-url $REKOR_URL \
+    --rekor-entry-type intoto \
+    --new-bundle-format \
+    "$REPO:blob-$i"
+done

vsa/create-vsa.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REPO="quay.io/jstuart/hacbs-docker-build"
+KEY="cosign.key"
+mkdir -p blobs predicates
+
+if [[ ! -f cosign.key || ! -f cosign.pub ]]; then
+  echo "Generating cosign key pair..."
+  cosign generate-key-pair
+fi
+
+for i in {1..2}; do
+  blob="blobs/file-$i.txt"
+  echo "This is blob $i" > "$blob"
+
+  digest=$(oras push "$REPO:blob-$i" "$blob:application/vnd.test.file" 2>&1 | grep "Digest:" | awk '{print $2}')
+  echo "Got digest: $digest"
+
+  pred="predicates/predicate-$i.json"
+  cat > "$pred" <<EOF
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "subject": [{
+    "name": "$REPO:blob-$i",
+    "digest": { "sha256": "${digest#sha256:}" }
+  }],
+  "predicateType": "https://slsa.dev/verification_summary/v0.1",
+  "predicate": {
+    "verifier": { "id": "conforma.dev" },
+    "policy": {
+      "uri": "github.com/enterprise-contract/policy",
+      "digest": { "sha256": "d$(printf %03d "$i")deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead" }
+    },
+    "verification_result": "PASSED",
+    "policy_level": "redhat"
+  }
+}
+EOF
+REKOR_URL="https://rekor-server-trusted-artifact-signer.apps.rosa.rekor-stage.ic5w.p3.openshiftapps.com"
+#REKOR_URL="https://rekor.sigstore.dev"
+  cosign attest \
+    --key "$KEY" \
+    --predicate "$pred" \
+    --type "https://slsa.dev/verification_summary/v0.1" \
+    --rekor-url $REKOR_URL \
+    --rekor-entry-type intoto \
+    --new-bundle-format \
+    "$REPO:blob-$i"
+done

vsa/oci_get_entry.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+IMAGE=quay.io/jstuart/hacbs-docker-build:blob-1
+ATTDIGEST=$(oras discover \
+  --artifact-type application/vnd.dev.sigstore.bundle.v0.3+json \
+  --output json \
+  $IMAGE \
+| jq -r '.manifests[0].digest')
+
+LAYERDIGEST=$(curl -sL \
+  -H "Accept: application/vnd.oci.image.manifest.v1+json" \
+  "https://quay.io/v2/jstuart/hacbs-docker-build/manifests/$ATTDIGEST" \
+| jq -r '.layers[] 
+    | select(.mediaType=="application/vnd.dev.sigstore.bundle.v0.3+json")
+    | .digest')
+
+curl -sL \
+  -H "Accept: application/octet-stream" \
+  "https://quay.io/v2/jstuart/hacbs-docker-build/blobs/$LAYERDIGEST" | jq .dsseEnvelope.payload |tr -d '"' |base64 -d |jq

vsa/rekor_get_entry.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+REKOR_URL=https://rekor-server-trusted-artifact-signer.apps.rosa.rekor-stage.ic5w.p3.openshiftapps.com
+IMAGE=quay.io/jstuart/hacbs-docker-build:blob-2
+
+DIGEST=$(crane digest "$IMAGE")
+UUID=$(rekor-cli search artifact --rekor_server "$REKOR_URL" --sha "$DIGEST")
+
+rekor-cli get --rekor_server "$REKOR_URL" --uuid "$UUID"