Support verifying multiple artifacts in one go when they share a single attestations bundle? #1814

Description

@mara004

Consider the case where you have a series of artifacts with a single attestation bundle produced by actions/attest-build-provenance or actions/attest.

Example:

  • Just sigstore verify github --repository bblanchon/pdfium-binaries pdfium-linux-x64.tgz fails, logically:
    sigstore: error: Missing verification materials for pdfium-linux-x64.tgz: pdfium-linux-x64.tgz.sigstore.json

  • When passing the right bundle, it works:
    sigstore verify github --repository bblanchon/pdfium-binaries pdfium-linux-x64.tgz --bundle pdfium-7906-attestation.json
    OK: pdfium-linux-x64.tgz

  • When adding another artifact, however:
    sigstore verify github --repository bblanchon/pdfium-binaries pdfium-linux-x64.tgz pdfium-linux-x86.tgz --bundle pdfium-7906-attestation.json
    sigstore: error: --certificate, --signature, or --bundle can only be used with a single input file or digest
    Help says not used with multiple inputs (default: None)

  • Note that verifying pdfium-linux-x86.tgz individually with the same bundle again works:
    sigstore verify github --repository bblanchon/pdfium-binaries pdfium-linux-x86.tgz --bundle pdfium-7906-attestation.json
    OK: pdfium-linux-x86.tgz
Sure, one could loop on the caller side, but that's neither particularly ergonomic nor efficient.
Why not support verifying multiple artifacts in one go when they share one attestations bundle?

Thanks.
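A caller-side loop of the kind mentioned above, as an added example that is not part of the issue or of sigstore-python: it runs the single-artifact form of `sigstore verify github` that the issue shows working once per artifact against the shared bundle, keeps going after a failure so every artifact gets a verdict, and exits non-zero if any verification fails. The repository and file names are the placeholders from the issue's example; `SIGSTORE_CMD` is an assumed override so the loop can be exercised without the real CLI, and `verify_all` is a name chosen here.

```shell
#!/bin/sh
# Added example (not from the issue or sigstore-python): verify several
# artifacts against one shared attestation bundle by looping over the
# single-input invocation that the issue shows works.
# Assumption: the `sigstore` CLI is on PATH; SIGSTORE_CMD lets a caller
# substitute another command (used only so the loop can be tested offline).

: "${SIGSTORE_CMD:=sigstore}"

# verify_all REPO BUNDLE ARTIFACT...
# Runs one verification per artifact and does not stop at the first failure,
# so every artifact gets a verdict. sigstore prints its own "OK: <file>" line
# on success; this function prints FAIL/MISSING lines on stderr, sets
# VERIFY_FAILURES to the number of failures and returns 1 if any failed.
verify_all() {
    repo=$1
    bundle=$2
    shift 2
    total=$#
    VERIFY_FAILURES=0

    if [ ! -f "$bundle" ]; then
        printf 'MISSING bundle: %s\n' "$bundle" >&2
        VERIFY_FAILURES=$total
        return 1
    fi

    for artifact in "$@"; do
        if [ ! -f "$artifact" ]; then
            printf 'MISSING: %s\n' "$artifact" >&2
            VERIFY_FAILURES=$((VERIFY_FAILURES + 1))
            continue
        fi
        # Same invocation as the issue's working single-artifact case.
        if ! "$SIGSTORE_CMD" verify github --repository "$repo" "$artifact" --bundle "$bundle"; then
            printf 'FAIL: %s\n' "$artifact" >&2
            VERIFY_FAILURES=$((VERIFY_FAILURES + 1))
        fi
    done

    printf 'verified %d of %d artifacts\n' $((total - VERIFY_FAILURES)) "$total"
    [ "$VERIFY_FAILURES" -eq 0 ]
}

# Usage (placeholder names taken from the issue's example):
#   sh verify_all.sh bblanchon/pdfium-binaries pdfium-7906-attestation.json \
#       pdfium-linux-x64.tgz pdfium-linux-x86.tgz
if [ "$#" -ge 3 ]; then
    verify_all "$@"
fi
```

The loop deliberately reports every artifact rather than stopping at the first failure, since a release check is more useful when it tells you which artifacts failed, and the overall exit status still fails the job when any of them did.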

Labels: enhancement (New feature or request)