feat: support SEV

tinfoilanalytics · Jan 31, 2025 · ccfebeb · ccfebeb
1 parent 813dec9
commit ccfebeb
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 24 deletions.
diff --git a/gen/main.go b/gen/main.go
diff --git a/github/github.go b/github/github.go
@@ -3,11 +3,13 @@ package github
 import (
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 	"regexp"
+	"strings"
 )
 
-// FetchLatestRelease gets the latest release and EIF hash of a repo
+// FetchLatestRelease gets the latest release and attestation digest of a repo
 func FetchLatestRelease(repo string) (string, string, error) {
 	url := "https://api.github.com/repos/" + repo + "/releases/latest"
 	releaseResponse, err := http.Get(url)
@@ -26,10 +28,27 @@ func FetchLatestRelease(repo string) (string, string, error) {
 		return "", "", err
 	}
 
+	// Backwards compatibility for old EIF releases
 	eifRegex := regexp.MustCompile(`EIF hash: ([a-fA-F0-9]{64})`)
-	eifHash := eifRegex.FindStringSubmatch(responseJSON.Body)[1]
+	matches := eifRegex.FindStringSubmatch(responseJSON.Body)
+	if len(matches) > 1 {
+		return responseJSON.TagName, matches[1], nil
+	}
+
+	url = fmt.Sprintf(`https://github.com/tinfoilanalytics/provably-private-deepseek-r1/releases/download/%s/tinfoil.hash`, responseJSON.TagName)
+	digestResp, err := http.Get(url)
+	if err != nil {
+		return "", "", err
+	}
+	if digestResp.StatusCode != 200 {
+		return "", "", fmt.Errorf("failed to fetch attestation digest: %s", digestResp.Status)
+	}
+	digest, err := io.ReadAll(digestResp.Body)
+	if err != nil {
+		return "", "", err
+	}
 
-	return responseJSON.TagName, eifHash, nil
+	return responseJSON.TagName, strings.TrimSpace(string(digest)), nil
 }
 
 // FetchAttestationBundle fetches the sigstore bundle from a repo for a given repo and EIF hash

diff --git a/sigstore/sigstore.go b/sigstore/sigstore.go
@@ -64,7 +64,7 @@ func VerifyAttestation(
 		"",
 		"",
 		// TODO: Can we pin this to latest without fetching the latest release?
-		"^https://github.com/"+repo+"/.github/workflows/release.yml@refs/tags/*",
+		"^https://github.com/"+repo+"/.github/workflows/.*@refs/tags/*",
 	)
 	if err != nil {
 		return nil, fmt.Errorf("creating certificate identity: %w", err)
@@ -96,6 +96,11 @@ func VerifyAttestation(
 				predicateFields["PCR2"].GetStringValue(),
 			},
 		}, nil
+	case attestation.SevGuestV1:
+		return &attestation.Measurement{
+			Type:      measurementType,
+			Registers: []string{predicateFields["measurement"].GetStringValue()},
+		}, nil
 	default:
 		return nil, fmt.Errorf("unsupported predicate type: %s", result.Statement.PredicateType)
 	}