Print in-toto statement when verifying DSSE (#1116)

Co-authored-by: William Woodruff <[email protected]>
sigstore · Sep 10, 2024 · 1755bcc · 1755bcc
1 parent bbec9a9
commit 1755bcc
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,14 @@ All versions prior to 0.9.0 are untracked.
 
 ## [Unreleased]
 
+### Added
+
+* CLI: The `sigstore verify` command now outputs the inner in-toto statement
+  when verifying DSSE envelopes. If verification is successful, the output
+  will be the inner in-toto statement. This allows the user to see the
+  statement's predicate, which `sigstore-python` does not verify and should be
+  verified by the user.
+
 ## [3.2.0]
 
 ### Added

diff --git a/sigstore/_cli.py b/sigstore/_cli.py
@@ -811,8 +811,10 @@ def _verify_identity(args: argparse.Namespace) -> None:
         )
 
         try:
-            _verify_common(verifier, hashed, bundle, policy_)
-            print(f"OK: {file}")
+            statement = _verify_common(verifier, hashed, bundle, policy_)
+            print(f"OK: {file}", file=sys.stderr)
+            if statement is not None:
+                print(statement._contents.decode())
         except Error as exc:
             _logger.error(f"FAIL: {file}")
             exc.log_and_exit(_logger, args.verbose >= 1)
@@ -857,8 +859,10 @@ def _verify_github(args: argparse.Namespace) -> None:
     verifier, materials = _collect_verification_state(args)
     for file, hashed, bundle in materials:
         try:
-            _verify_common(verifier, hashed, bundle, policy_)
-            print(f"OK: {file}")
+            statement = _verify_common(verifier, hashed, bundle, policy_)
+            print(f"OK: {file}", file=sys.stderr)
+            if statement is not None:
+                print(statement._contents)
         except Error as exc:
             _logger.error(f"FAIL: {file}")
             exc.log_and_exit(_logger, args.verbose >= 1)
@@ -869,12 +873,14 @@ def _verify_common(
     hashed: Hashed,
     bundle: Bundle,
     policy_: policy.VerificationPolicy,
-) -> None:
+) -> dsse.Statement | None:
     """
     Common verification handling.
 
     This dispatches to either artifact or DSSE verification, depending on
     `bundle`'s inner type.
+    If verifying a DSSE envelope, return the wrapped in-toto statement if
+    verification succeeds
     """
 
     # If the bundle specifies a DSSE envelope, perform DSSE verification
@@ -890,12 +896,14 @@ def _verify_common(
             raise VerificationError(
                 f"in-toto statement has no subject for digest {hashed.digest.hex()}"
             )
+        return stmt
     else:
         verifier.verify_artifact(
             input_=hashed,
             bundle=bundle,
             policy=policy_,
         )
+        return None
 
 
 def _get_identity(args: argparse.Namespace) -> Optional[IdentityToken]: