buildVerificationPolicy constructs a verification policy for GitHub releases
(a artifact.DigestedArtifact, trustDomain string)
// buildVerificationPolicy constructs a verification policy for GitHub releases.
//
// The policy pins the signing certificate's SAN to the releases host of
// trustDomain ("dotcom" when trustDomain is empty) and binds the policy to the
// digest of a. The certificate issuer is left unconstrained.
//
// NOTE(review): every constructor error in this function is discarded and the
// signature gives the caller no way to learn about a failure. If a zero-value
// matcher is permissive in the underlying verify package (confirm against the
// library), a failed NewSANMatcher would silently loosen the SAN check rather
// than reject. trustDomain is also interpolated into the pattern unescaped, so
// callers should only pass a plain host label.
func buildVerificationPolicy(a artifact.DigestedArtifact, trustDomain string) verify.PolicyBuilder {
	const (
		defaultTrustDomain = "dotcom"
		releasesSANPattern = "^https://%s\\.releases\\.github\\.com$"
	)

	domain := trustDomain
	if domain == "" {
		domain = defaultTrustDomain
	}

	// SAN is constrained to the releases host; the issuer regexp accepts anything.
	san, _ := verify.NewSANMatcher("", fmt.Sprintf(releasesSANPattern, domain))
	issuer, _ := verify.NewIssuerMatcher("", ".*")
	identity, _ := verify.NewCertificateIdentity(san, issuer, certificate.Extensions{})
	digestOpt, _ := verification.BuildDigestPolicyOption(a)

	return verify.NewPolicy(digestOpt, verify.WithCertificateIdentity(identity))
}
| 116 | type MockVerifier struct { |
| 117 | mockResult *verification.AttestationProcessingResult |