diff --git a/sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java b/sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java
index 08505e77..7ce21bb7 100644
--- a/sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java
+++ b/sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java
@@ -38,6 +38,7 @@
 import java.security.cert.CertPath;
 import java.util.Base64;
 import java.util.concurrent.Callable;
+import org.apache.commons.codec.binary.Hex;
 import picocli.CommandLine.ArgGroup;
 import picocli.CommandLine.Command;
 import picocli.CommandLine.Option;
@@ -48,8 +49,14 @@
     aliases = {"verify-bundle"},
     description = "verify an artifact")
 public class Verify implements Callable {
-  @Parameters(arity = "1", paramLabel = "", description = "artifact to verify")
-  Path artifact;
+
+  private static final String SHA256_PREFIX = "sha256:";
+
+  @Parameters(
+      arity = "1",
+      paramLabel = "",
+      description = "an artifact path or artifact hash (sha256:abc...) to verify")
+  String artifact;
 
   @ArgGroup(multiplicity = "1", exclusive = true)
   SignatureFiles signatureFiles;
@@ -107,7 +114,10 @@ static class Policy {
 
   @Override
   public Integer call() throws Exception {
-    byte[] digest = asByteSource(artifact.toFile()).hash(Hashing.sha256()).asBytes();
+    byte[] digest =
+        artifact.startsWith(SHA256_PREFIX)
+            ? Hex.decodeHex(artifact.substring(SHA256_PREFIX.length()))
+            : asByteSource(Path.of(artifact).toFile()).hash(Hashing.sha256()).asBytes();
 
     Bundle bundle;
     if (signatureFiles.sigAndCert != null) {
@@ -178,7 +188,11 @@ public Integer call() throws Exception {
     } else {
       throw new IllegalStateException("Unable to initialize verifier");
     }
-    verifier.verify(artifact, bundle, verificationOptions);
+    if (artifact.startsWith(SHA256_PREFIX)) {
+      verifier.verify(digest, bundle, verificationOptions);
+    } else {
+      verifier.verify(Path.of(artifact), bundle, verificationOptions);
+    }
     return 0;
   }
 }
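Review bot: `org.apache.commons.codec.binary.Hex` is imported here only to decode the `sha256:` argument in a later hunk of this commit; if the CLI module does not already declare commons-codec, this adds a third-party dependency for a single hex decode. On a Java 17+ target, `java.util.HexFormat.of().parseHex(...)` provides the same decode from the standard library, and it rejects odd-length and non-hex input with an `IllegalArgumentException`, which is the exception type a CLI usage error would normally surface as. Worth checking the module's build file and target level before committing to the new import.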
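Review bot: The new description `"an artifact path or artifact hash (sha256:abc...) to verify"` does not tell the user that the hash must be the full SHA-256 digest, i.e. `sha256:` followed by 64 hex characters, which is the only form that can be meaningfully decoded later in this commit; suggest `description = "path to the artifact, or its full SHA-256 digest given as sha256: followed by 64 hex characters"`. `SHA256_PREFIX` also deserves a one-line comment stating that any argument beginning with `sha256:` is interpreted as a digest rather than a path, so a file whose name happens to start that way has to be passed with a leading `./`. Whether other digest algorithms are accepted by the verifier is not visible in this hunk.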
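Review bot: `Hex.decodeHex(artifact.substring(SHA256_PREFIX.length()))` accepts a hex string of any even length, so an input like `sha256:abcd` silently becomes a 2-byte `digest` that is handed to the verifier later in `call()` instead of being rejected at the boundary; an odd-length or non-hex string surfaces as a codec `DecoderException` rather than a usage error. Validate the decoded length right after the ternary: `if (digest.length != 32) { throw new IllegalArgumentException("sha256 digest must be 64 hex characters, got " + (artifact.length() - SHA256_PREFIX.length())); }`, and consider catching `DecoderException` in the same place to report malformed hex with a clear message. Whether the verifier itself rejects a wrong-length digest cannot be determined from this hunk. `call()` continues beyond the end of this hunk.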
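Review bot: `artifact.startsWith(SHA256_PREFIX)` is evaluated a second time here to select the `verify` overload, duplicating the decision already made when `digest` was computed at the top of `call()`; computing it once as a local next to the digest, `boolean artifactIsDigest = artifact.startsWith(SHA256_PREFIX);`, and branching on that in both places keeps the two from drifting apart. If `verify(Path, ...)` only hashes the file and delegates to the digest overload, which is not visible here, the branch could collapse to a single `verifier.verify(digest, bundle, verificationOptions);`, but that should be confirmed against the verifier before dropping the path overload. The start of `call()` lies outside this hunk.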