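#!/bin/bash
#
# verify.sh — fetch a released Tinfoil enclave image (.eif) and its GitHub
# artifact attestation, verify the attestation with cosign, then check that the
# enclave's measurements match what was signed.
#
# Usage:    ./verify.sh [VERSION]
#   VERSION  release tag to verify (e.g. v1.2.3). If omitted, the first tag
#            returned by the GitHub tags API is used.
# Requires: curl, jq, sha256sum, cosign; cargo only if verifier/ is not yet built.
#
# Security notes:
#   * Every failing step must abort the run. Without strict mode the original
#     script carried on past a failed download or a FAILED cosign verification
#     and still ran the measurement comparison, so "it printed something at the
#     end" did not mean "it verified".
#   * When no VERSION is given, "latest" comes from an unauthenticated API
#     response. An on-path attacker or a compromised API can steer the script to
#     an older, still validly signed release (downgrade). Pin VERSION explicitly
#     whenever the result matters.
set -euo pipefail

REPO=tinfoilanalytics/nitro-enclave-pipeline-test
readonly REPO

# Print a diagnostic to stderr and exit non-zero.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

for tool in curl jq sha256sum cosign; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

# Build the measurement verifier once. The subshell keeps the cwd unchanged and
# a failed build aborts here (set -e) instead of leaving the last step to invoke
# a binary that does not exist.
if [ ! -f verifier/target/release/verifier ]; then
  echo "Building verifier..."
  (cd verifier && cargo build --release)
fi

if [ -n "${1:-}" ]; then
  VERSION=$1
else
  echo "No version provided, fetching latest..."
  # NOTE(review): the tags endpoint is not documented to return newest-first;
  # since artifacts are pulled from a release, /releases/latest (.tag_name) may
  # be the better source — confirm against how releases are cut.
  VERSION=$(curl -fsSL "https://api.github.com/repos/$REPO/tags" | jq -re '.[0].name') \
    || die "could not determine latest version"
fi

# VERSION is spliced into URLs and local file names. Restrict it to tag-safe
# characters so an odd value cannot turn into an extra path segment. (Tags with
# '/' were already unsupported: the download name below would not round-trip.)
[[ "$VERSION" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] || die "invalid version: '$VERSION'"

ENCLAVE_FILE=tinfoil-enclave-$VERSION.eif
echo "Fetching enclave version $VERSION..."
# -f: an HTTP error page must never be saved (and then hashed) as if it were
# the image; -o with the expected name matches what -O produced before.
curl -fsSL -o "$ENCLAVE_FILE" "https://github.com/$REPO/releases/download/$VERSION/$ENCLAVE_FILE" \
  || die "failed to download $ENCLAVE_FILE"
SUBJECT_DIGEST="sha256:$(sha256sum "$ENCLAVE_FILE" | cut -d ' ' -f 1)"
echo "$ENCLAVE_FILE $SUBJECT_DIGEST"

echo "Fetching attestation document..."
ATT_DOC=tinfoil-enclave-$VERSION-attestation.jsonl
# The attestation is looked up by the digest of the file we actually downloaded,
# so a tampered image simply has no attestation. jq -e makes a missing bundle
# (which -r would print as the literal "null") a hard error rather than a file
# that cosign rejects with a confusing message. $REPO is used here too; the
# original hardcoded the repository a second time.
curl -fsSL "https://api.github.com/repos/$REPO/attestations/$SUBJECT_DIGEST" \
  | jq -re '.attestations[0].bundle' > "$ATT_DOC" \
  || die "no attestation found for $SUBJECT_DIGEST"

# The bundle references its Rekor transparency-log entry; surface it so a human
# can cross-check the signing event independently of this script.
echo "Transparency log: https://search.sigstore.dev?logIndex=$(jq -r ".verificationMaterial.tlogEntries[0].logIndex" "$ATT_DOC")"

echo "Verifying attestation..."
# Identity regexp: dots are escaped and the "@<ref>" separator is required, so
# only the release.yml workflow of $REPO can have produced this attestation
# (the previous pattern "release.yml.?" left the dots unescaped and accepted any
# suffix). $REPO contains no regex metacharacters; escape it if that changes.
# If the workflow is only ever run from tag refs, tighten the suffix further to
# "release\.yml@refs/tags/".
cosign verify-blob-attestation \
  --new-bundle-format \
  --bundle "$ATT_DOC" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp="^https://github\.com/$REPO/\.github/workflows/release\.yml@" \
  "$ENCLAVE_FILE" \
  || die "attestation verification FAILED for $ENCLAVE_FILE"

# Only reached when cosign accepted the bundle: compare the image's PCR
# measurements against the signed ones.
echo "Comparing enclave measurements with signature..."
verifier/target/release/verifier --eif "$ENCLAVE_FILE" --bundle "$ATT_DOC" \
  || die "enclave measurements do not match the signed attestation"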