feat: verify claims in provenance match the certificate (#572)

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>

.golangci.yml

@@ -21,7 +21,6 @@ linters:
   disable-all: true
   enable:
     - asciicheck
-    - deadcode
     - depguard
     - dogsled
     # TODO(https://github.com/slsa-framework/slsa-verifier/issues/363): Restore linter

Makefile

@@ -30,7 +30,7 @@ unit-test: ## Runs all unit tests.
 regression-test: ## Runs all regression and unit tests.
 	go mod vendor
 	# NOTE: go test builds packages even if there are no tests.
-	go test -mod=vendor -tags=regression -v -timeout=20m ./...
+	go test -mod=vendor -tags=regression -v -timeout=25m ./...
 
 ## Linters
 #####################################################################

errors/errors.go

@@ -12,12 +12,15 @@ var (
 	ErrorMismatchSource            = errors.New("source used to generate the binary does not match provenance")
 	ErrorMismatchWorkflowInputs    = errors.New("workflow input does not match")
 	ErrorMalformedURI              = errors.New("URI is malformed")
+	ErrorMismatchCertificate       = errors.New("certificate and provenance mismatch")
+	ErrorInvalidCertificate        = errors.New("invalid certificate")
 	ErrorMismatchTag               = errors.New("tag used to generate the binary does not match provenance")
 	ErrorInvalidRecipe             = errors.New("the recipe is invalid")
 	ErrorMismatchVersionedTag      = errors.New("tag used to generate the binary does not match provenance")
 	ErrorInvalidSemver             = errors.New("invalid semantic version")
 	ErrorRekorSearch               = errors.New("error searching rekor entries")
 	ErrorMismatchHash              = errors.New("artifact hash does not match provenance subject")
+	ErrorNonVerifiableClaim        = errors.New("provenance claim cannot be verified")
 	ErrorMismatchIntoto            = errors.New("verified intoto provenance does not match text provenance")
 	ErrorInvalidRef                = errors.New("invalid ref")
 	ErrorUntrustedReusableWorkflow = errors.New("untrusted reusable workflow")

go.mod

@@ -147,7 +147,7 @@ require (
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
-	github.com/sigstore/fulcio v1.2.0 // indirect
+	github.com/sigstore/fulcio v1.2.0
 	github.com/sigstore/protobuf-specs v0.1.1-0.20230503063121-91485b44360d
 	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect