policy/verify.sh · CI/CD Supply Chain Security

28 lines · bash

set -euo pipefail
 
IMAGE="${1:-}"
OWNER="${OWNER:-zionboggan}"
 
if [[ -z "${IMAGE}" ]]; then
    echo "usage: $0 <image-ref-with-digest>" >&2
    echo "example: $0 ghcr.io/${OWNER}/cicd-supply-chain-security@sha256:..." >&2
    exit 1
fi
 
IDENTITY_REGEXP="^https://github.com/${OWNER}/"
ISSUER="https://token.actions.githubusercontent.com"
 
echo "verifying signature for ${IMAGE}"
cosign verify \
    --certificate-identity-regexp "${IDENTITY_REGEXP}" \
    --certificate-oidc-issuer "${ISSUER}" \
    "${IMAGE}"
 
echo "verifying SBOM attestation"
cosign verify-attestation \
    --type spdxjson \
    --certificate-identity-regexp "${IDENTITY_REGEXP}" \
    --certificate-oidc-issuer "${ISSUER}" \
    "${IMAGE}"
 
echo "ok: ${IMAGE} is signed and carries a verified SBOM"

1	set -euo pipefail
2
3	IMAGE="${1:-}"
4	OWNER="${OWNER:-zionboggan}"
5
6	if [[ -z "${IMAGE}" ]]; then
7	echo "usage: $0 <image-ref-with-digest>" >&2
8	echo "example: $0 ghcr.io/${OWNER}/cicd-supply-chain-security@sha256:..." >&2
9	exit 1
10	fi
11
12	IDENTITY_REGEXP="^https://github.com/${OWNER}/"
13	ISSUER="https://token.actions.githubusercontent.com"
14
15	echo "verifying signature for ${IMAGE}"
16	cosign verify \
17	--certificate-identity-regexp "${IDENTITY_REGEXP}" \
18	--certificate-oidc-issuer "${ISSUER}" \
19	"${IMAGE}"
20
21	echo "verifying SBOM attestation"
22	cosign verify-attestation \
23	--type spdxjson \
24	--certificate-identity-regexp "${IDENTITY_REGEXP}" \
25	--certificate-oidc-issuer "${ISSUER}" \
26	"${IMAGE}"
27
28	echo "ok: ${IMAGE} is signed and carries a verified SBOM"