securesign
diff --git a/‎README.md‎
Lines changed: 56 additions & 21 deletions b/‎README.md‎
Lines changed: 56 additions & 21 deletions
diff --git a/‎go.mod‎
Lines changed: 60 additions & 5 deletions b/‎go.mod‎
Lines changed: 60 additions & 5 deletions
@@ -1,10 +1,10 @@
 # RHTAS Console
 
-The RHTAS Console is a Go-based RESTful API server, providing functionality for signing and verifying software artifacts using Cosign, interacting with Sigstore's Rekor transparency log, and managing trust configurations with TUF and Fulcio. This repository serves as the backend for the RHTAS Console application, with plans to potentially add a frontend in the future.
+The RHTAS Console is a Go-based RESTful API server, providing functionality for verifying software artifacts, interacting with Sigstore's Rekor transparency log, and managing trust configurations with TUF and Fulcio. This repository serves as the backend for the RHTAS Console application, with plans to potentially add a frontend in the future.
 
 ## Features
 
-- **Artifact management**: Sign and verify artifacts (e.g., container images, files, SBOMs) using Cosign.
+- **Artifact management**: Verify artifacts (e.g., container images, files, SBOMs).
 - **Rekor integration**: Retrieve transparency log entries and public keys from Rekor.
 - **Trust configuration**: Get TUF targets and Fulcio certificate authorities for trust policies.
 - Built with [Chi](https://github.com/go-chi/chi), a lightweight Go router.
@@ -20,7 +20,6 @@ The RHTAS Console is a Go-based RESTful API server, providing functionality for
    ```bash
    oapi-codegen -generate types,chi-server -package models openapi/rhtas-console.yaml > internal/models/models.go
    ```
-- Optional: [rekor-cli](https://docs.sigstore.dev/rekor/installation/) and [cosign](https://docs.sigstore.dev/cosign/installation/) for testing Rekor and Cosign interactions
 
 ### Steps
 
@@ -82,8 +81,7 @@ The backend exposes the following RESTful endpoints, as defined in the OpenAPI s
 | GET    | `/healthz`                                  | Retrieves the current health status of the server. |
 | GET    | `/swagger-ui`                               | Serves the Swagger User Interface. |
 | GET    | `/rhtas-console.yaml`                       | Returns the project OpenAPI spec file. |
-| POST   | `/api/v1/artifacts/sign`                    | Signs an artifact using Cosign.                  |
-| POST   | `/api/v1/artifacts/verify`                  | Verifies an artifact using Cosign.               |
+| POST   | `/api/v1/artifacts/verify`                  | Verifies an artifact.               |
 | GET    | `/api/v1/artifacts/{artifact}/policies`     | Retrieves policies and attestations for an artifact. |
 | GET    | `/api/v1/artifacts/image`                   | Retrieves metadata for a container image by full reference URI. |
 | GET    | `/api/v1/rekor/entries/{uuid}`              | Retrieves a Rekor transparency log entry by UUID. |
@@ -94,32 +92,69 @@ The backend exposes the following RESTful endpoints, as defined in the OpenAPI s
 | GET    | `/api/v1/trust/target`                      | Retrieves a specific TUF target. |
 | GET    | `/api/v1/trust/targets/certificates`        | Retrieves certificates for TUF targets. |
 
-#### Example: Sign an artifact
+#### Example: Verify an artifact
 
-To sign a container image using Cosign (keyless signing with OIDC token):
+To verify an OCI image:
 
+
+- Using `ociImage`:
 ```bash
-curl -X POST http://localhost:8080/api/v1/artifacts/sign \
+curl -X POST http://localhost:8080/api/v1/artifacts/verify \
   -H "Content-Type: application/json" \
   -d '{
-    "artifact": "quay.io/example/app:latest",
-    "artifactType": "container-image",
-    "identityToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
-    "annotations": {"env": "prod"}
+    "ociImage": "ttl.sh/rhtas/test-image:1h",
+    "expectedOIDIssuer": "https://accounts.google.com",
+    "expectedSAN": "[email protected]",
+    "tufRootURL": "https://tuf-repo-cdn.sigstore.dev"
+  }'
+```
+- Using `bundle`:
+```bash
+# bundle.json: the file which contains the bundle
+bundle_json=$(jq -c '.' bundle.json)
+curl -X POST http://localhost:8080/api/v1/artifacts/verify \
+  -H "Content-Type: application/json" \
+  -d '{
+  	"artifactDigest": "e128e0a064433c8d46f0467b149c70052fedbfa1f9e96ac22e3deefdc943e965",
+    "expectedOIDIssuer": "https://accounts.google.com",
+    "expectedSAN": "[email protected]",
+    "tufRootURL": "https://tuf-repo-cdn.sigstore.dev",
+    "bundle": '"$bundle_json"'
   }'
 ```
 
 Response:
 ```json
 {
-  "success": true,
-  "signature": "MEUCIQC...",
-  "certificate": "-----BEGIN CERTIFICATE-----\nMIIBIjANBgkq...\n-----END CERTIFICATE-----",
-  "logEntry": {
-    "uuid": "108e9186e8c5677a249f2ad46ab96976656298b3feb5e031777b9e1fa5c55aaf7e0115bee955ccaa",
-    "integratedTime": 1747816420,
-    "logIndex": 216249784
-  }
+   "details":{
+      "mediaType":"application/vnd.dev.sigstore.verificationresult+json;version=0.1",
+      "signature":{
+         "certificate":{
+            "certificateIssuer":"CN=sigstore-intermediate,O=sigstore.dev",
+            "issuer":"https://accounts.google.com",
+            "subjectAlternativeName":"[email protected]"
+         }
+      },
+      "statement":{
+         
+      },
+      "verifiedIdentity":{
+         "issuer":{
+            "issuer":"https://accounts.google.com"
+         },
+         "subjectAlternativeName":{
+            "subjectAlternativeName":"[email protected]"
+         }
+      },
+      "verifiedTimestamps":[
+         {
+            "timestamp":"2025-10-14T09:05:19+02:00",
+            "type":"Tlog",
+            "uri":"https://rekor.sigstore.dev"
+         }
+      ]
+   },
+   "verified":true
 }
 ```
 
@@ -191,4 +226,4 @@ The `models` package is generated from the OpenAPI specification:
 make generate-openapi
 ```
 
-This generates Go types such as `RekorEntry`, `SignArtifactRequest`, `VerifyArtifactResponse`, and others.
+This generates Go types such as `RekorEntry`, `VerifyArtifactResponse`, and others.
@@ -10,6 +10,8 @@ require (
 	github.com/golang-migrate/migrate/v4 v4.18.3
 	github.com/google/go-containerregistry v0.20.3
 	github.com/oapi-codegen/runtime v1.1.1
+	github.com/sigstore/protobuf-specs v0.4.1
+	github.com/sigstore/sigstore v1.9.4
 	github.com/sigstore/sigstore-go v1.0.0
 	github.com/theupdateframework/go-tuf v0.7.0
 	github.com/theupdateframework/go-tuf/v2 v2.1.1
@@ -18,28 +20,81 @@ require (
 require (
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/cenkalti/backoff/v5 v5.0.2 // indirect
-	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect
+	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
+	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
+	github.com/go-chi/chi v4.1.2+incompatible // indirect
 	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/analysis v0.23.0 // indirect
+	github.com/go-openapi/errors v0.22.1 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/loads v0.22.0 // indirect
+	github.com/go-openapi/runtime v0.28.0 // indirect
+	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/strfmt v0.23.0 // indirect
+	github.com/go-openapi/swag v0.23.1 // indirect
+	github.com/go-openapi/validate v0.24.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
+	github.com/google/certificate-transparency-go v1.3.1 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/in-toto/attestation v1.1.1 // indirect
+	github.com/in-toto/in-toto-golang v0.9.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect
+	github.com/josharian/intern v1.0.0 // indirect
 	github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/rogpeppe/go-internal v1.13.1 // indirect
+	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/sagikazarmark/locafero v0.7.0 // indirect
+	github.com/sassoftware/relic v7.2.1+incompatible // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect
-	github.com/sigstore/protobuf-specs v0.4.1 // indirect
-	github.com/sigstore/sigstore v1.9.4 // indirect
+	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	github.com/sigstore/rekor v1.3.10 // indirect
+	github.com/sigstore/timestamp-authority v1.2.7 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.12.0 // indirect
+	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/viper v1.20.1 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
-	go.uber.org/atomic v1.7.0 // indirect
+	github.com/transparency-dev/merkle v0.0.2 // indirect
+	go.mongodb.org/mongo-driver v1.14.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/otel/metric v1.35.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
+	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/crypto v0.39.0 // indirect
+	golang.org/x/exp v0.0.0-20240531132922-fd00a4e0eefc // indirect
+	golang.org/x/mod v0.25.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/text v0.26.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
 	google.golang.org/grpc v1.73.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
 )
 
 require (