| 38 | } |
| 39 | |
| 40 | func NewCmdVerify(f *cmdutil.Factory, runF func(config *VerifyConfig) error) *cobra.Command { |
| 41 | opts := &VerifyOptions{} |
| 42 | |
| 43 | cmd := &cobra.Command{ |
| 44 | Use: "verify [<tag>]", |
| 45 | Short: "Verify the attestation for a release", |
| 46 | Args: cobra.MaximumNArgs(1), |
| 47 | Long: heredoc.Doc(` |
| 48 | Verify that a GitHub Release is accompanied by a valid cryptographically signed attestation. |
| 49 | |
| 50 | An attestation is a claim made by GitHub regarding a release and its assets. |
| 51 | |
| 52 | This command checks that the specified release (or the latest release, if no tag is given) has a valid attestation. |
| 53 | It fetches the attestation for the release and prints metadata about all assets referenced in the attestation, including their digests. |
| 54 | `), |
| 55 | Example: heredoc.Doc(` |
| 56 | # Verify the latest release |
| 57 | gh release verify |
| 58 | |
| 59 | # Verify a specific release by tag |
| 60 | gh release verify v1.2.3 |
| 61 | |
| 62 | # Verify a specific release by tag and output the attestation in JSON format |
| 63 | gh release verify v1.2.3 --format json |
| 64 | `), |
| 65 | RunE: func(cmd *cobra.Command, args []string) error { |
| 66 | if len(args) > 0 { |
| 67 | opts.TagName = args[0] |
| 68 | } |
| 69 | |
| 70 | baseRepo, err := f.BaseRepo() |
| 71 | if err != nil { |
| 72 | return fmt.Errorf("failed to determine base repository: %w", err) |
| 73 | } |
| 74 | |
| 75 | opts.BaseRepo = baseRepo |
| 76 | |
| 77 | httpClient, err := f.HttpClient() |
| 78 | if err != nil { |
| 79 | return err |
| 80 | } |
| 81 | |
| 82 | externalClient, err := f.ExternalHttpClient() |
| 83 | if err != nil { |
| 84 | return err |
| 85 | } |
| 86 | |
| 87 | io := f.IOStreams |
| 88 | attClient := api.NewLiveClient(httpClient, externalClient, baseRepo.RepoHost(), att_io.NewHandler(io)) |
| 89 | |
| 90 | attVerifier := &shared.AttestationVerifier{ |
| 91 | AttClient: attClient, |
| 92 | ExternalHttpClient: externalClient, |
| 93 | IO: io, |
| 94 | TrustedRoot: opts.TrustedRoot, |
| 95 | } |
| 96 | |
| 97 | config := &VerifyConfig{ |