verify artifacts. Take an artifact or hash and a set of mandatory metadata (source repo)
verify packages. Take an artifact or hash and a set of mandatory metadata (source repo, package URI, etc).
Optionally can download the package automatically (from GH release, package registry, etc)
Allow specifying the type of attestation to trust (VSA, publish attestation, provenance)
verify attestation alone. Take as input an attestation and a set of metadata to match against the attestation
For all the above, I think we want an inspect counterpart, which verifies signature and extract metadata and exposes it to caller. In effect, this will output a list, where each entry contains metadata about claims found in attestation entry = { build = {source {repository=bla, ref=bla}, builder = {id = bla}} }. Inspect APIs will be useful for folks who want to enforce certain policies of their own but do not know yet what that policy might be, eg when monitoring SLSA provenance for open-source packages - use of TOFU, etc
Verify commands will simply wrap inspect commands and enforce the "policy" (ie required metadata) during verification.
For all the above, I think we want an inspect counterpart, which verifies signature and extract metadata and exposes it to caller. In effect, this will output a list, where each entry contains metadata about claims found in attestation
entry = { build = {source {repository=bla, ref=bla}, builder = {id = bla}} }. Inspect APIs will be useful for folks who want to enforce certain policies of their own but do not know yet what that policy might be, eg when monitoring SLSA provenance for open-source packages - use of TOFU, etcVerify commands will simply wrap inspect commands and enforce the "policy" (ie required metadata) during verification.
@ramonpetgrave64