Description
Consider the case where you have a series of artifacts with a single attestation bundle produced by actions/attest-build-provenance, respectively actions/attest.
Example:

- Just `sigstore verify github --repository bblanchon/pdfium-binaries pdfium-linux-x64.tgz` fails, logically:

  ```
  sigstore: error: Missing verification materials for pdfium-linux-x64.tgz: pdfium-linux-x64.tgz.sigstore.json
  ```

- When passing the right bundle, it works:

  ```
  sigstore verify github --repository bblanchon/pdfium-binaries pdfium-linux-x64.tgz --bundle pdfium-7906-attestation.json
  OK: pdfium-linux-x64.tgz
  ```

- When adding another artifact, however:

  ```
  sigstore verify github --repository bblanchon/pdfium-binaries pdfium-linux-x64.tgz pdfium-linux-x86.tgz --bundle pdfium-7906-attestation.json
  sigstore: error: --certificate, --signature, or --bundle can only be used with a single input file or digest
  ```

  Help says `not used with multiple inputs (default: None)`.

- Note that verifying `pdfium-linux-x86.tgz` individually with the same bundle again works:

  ```
  sigstore verify github --repository bblanchon/pdfium-binaries pdfium-linux-x86.tgz --bundle pdfium-7906-attestation.json
  OK: pdfium-linux-x86.tgz
  ```
Sure, one could loop on the caller side, but that's neither particularly ergonomic nor efficient.
Why not support verifying multiple artifacts in one go when they share one attestations bundle?
Thanks.
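A caller-side loop (or a future multi-input `--bundle`) has to get one thing right per artifact: a single attestation bundle covers several files only because the in-toto statement inside its DSSE envelope lists each file's digest as a subject, so after the envelope signature is verified each artifact's hash must still be matched against that list. Added example, not code from the issue or from sigstore-python, that assumes the bundle's DSSE signature was already verified (e.g. by `sigstore verify`) and performs only the subject check; the bundle and the artifact bytes are constructed.

```python
import base64
import hashlib
import json

# Constructed artifact bytes standing in for the real .tgz files.
ARTIFACTS = {
    "pdfium-linux-x64.tgz": b"constructed x64 archive bytes",
    "pdfium-linux-x86.tgz": b"constructed x86 archive bytes",
    "pdfium-win-x64.tgz": b"constructed win archive bytes (not attested)",
}

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed in-toto statement naming two subjects, wrapped as the
# dsseEnvelope of a Sigstore bundle (signature material omitted here).
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [
        {"name": n, "digest": {"sha256": _sha256(ARTIFACTS[n])}}
        for n in ("pdfium-linux-x64.tgz", "pdfium-linux-x86.tgz")
    ],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {},
}
CONSTRUCTED_BUNDLE = json.dumps({"dsseEnvelope": {
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [],
}})

def attested_digests(bundle_json: str) -> set[str]:
    """sha256 subject digests carried by the bundle's in-toto statement."""
    env = json.loads(bundle_json)["dsseEnvelope"]
    if env["payloadType"] != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payload type: {env['payloadType']}")
    stmt = json.loads(base64.b64decode(env["payload"]))
    return {s["digest"]["sha256"].lower() for s in stmt["subject"] if "sha256" in s["digest"]}

def check_artifacts(bundle_json: str, artifacts: dict[str, bytes]) -> dict[str, bool]:
    """Map each artifact name to whether its digest is among the subjects."""
    digests = attested_digests(bundle_json)
    return {name: _sha256(data) in digests for name, data in artifacts.items()}

if __name__ == "__main__":
    for name, ok in check_artifacts(CONSTRUCTED_BUNDLE, ARTIFACTS).items():
        print(("OK: " if ok else "FAIL: ") + name)
```

The third, unattested artifact fails the subject check even though the bundle itself is valid, which is why verifying the envelope once is not the same as verifying every file passed on the command line.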