Labels: enhancement (Enhancement of a feature), slsa-provenance (The issues related to SLSA provenances)
Description
Attestation files provided by the user on the command line are not checked for their verified status. Currently, Macaron relies on the information provided by third-party services such as GitHub, deps.dev, npm, etc. to verify provenances while retrieving them, which cannot be applied to local instances. Unfortunately, the APIs available on GitHub and Sigstore Rekor do not provide a simple method of verifying provenance. Therefore, to properly support local attestations, Macaron must have its own method of verifying them.
Verification should support the following build types in provenances:
- SLSA GitHub Generic (v0.1): https://github.com/slsa-framework/slsa-github-generator/generic@v1
- SLSA GitHub Actions (v1.0): https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1
- SLSA npm CLI (v2.0): https://github.com/npm/cli/gha/v2
- SLSA Oracle Cloud Infrastructure (v1.0): https://github.com/oracle/macaron/tree/main/src/macaron/resources/provenance-buildtypes/oci/v1
- Witness GitLab (v0.1): https://witness.testifysec.com/attestation-collection/v0.1
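As an added example (not Macaron's own code), the following Python unwraps a DSSE-wrapped in-toto statement and classifies it against the build types listed above. It assumes the common statement layouts (SLSA v1 keeps `buildType` under `predicate.buildDefinition`, SLSA v0.2 directly under `predicate`, and a Witness collection names its format in `predicateType`), the sample envelope is constructed here with a placeholder signature, and no signature is verified, which a real implementation must do before trusting the payload.

```python
import base64
import json

GHA_BUILD_TYPE = "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1"
# Build types from the issue text, mapped to their display names.
SUPPORTED_BUILD_TYPES = {
    "https://github.com/slsa-framework/slsa-github-generator/generic@v1": "SLSA GitHub Generic (v0.1)",
    GHA_BUILD_TYPE: "SLSA GitHub Actions (v1.0)",
    "https://github.com/npm/cli/gha/v2": "SLSA npm CLI (v2.0)",
    "https://github.com/oracle/macaron/tree/main/src/macaron/resources/provenance-buildtypes/oci/v1": "SLSA Oracle Cloud Infrastructure (v1.0)",
    "https://witness.testifysec.com/attestation-collection/v0.1": "Witness GitLab (v0.1)",
}
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def decode_dsse_payload(envelope):
    """Return the in-toto Statement inside a DSSE envelope. Only the envelope
    shape is checked; signatures must be verified before the payload is trusted."""
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType: {envelope.get('payloadType')!r}")
    if not envelope.get("signatures"):
        raise ValueError("DSSE envelope carries no signatures")
    return json.loads(base64.b64decode(envelope["payload"]))


def extract_build_type(statement):
    """Assumed layouts: SLSA v1 keeps buildType under predicate.buildDefinition,
    SLSA v0.2 directly under predicate, and Witness names it in predicateType."""
    predicate = statement.get("predicate") or {}
    build_type = (predicate.get("buildDefinition") or {}).get("buildType")
    if build_type is None:
        build_type = predicate.get("buildType")
    if build_type is None:
        build_type = statement.get("predicateType")
    return build_type


def classify_envelope(envelope):
    """Return the display name of a supported build type, or None if unknown."""
    return SUPPORTED_BUILD_TYPES.get(extract_build_type(decode_dsse_payload(envelope)))


def make_envelope(statement):
    """Wrap a statement in a DSSE envelope with a placeholder (not real) signature."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": IN_TOTO_PAYLOAD_TYPE, "payload": payload,
            "signatures": [{"keyid": "placeholder-key", "sig": "cGxhY2Vob2xkZXI="}]}


# Constructed SLSA v1 statement shaped like GitHub Actions provenance.
SAMPLE_GHA_V1 = make_envelope({"_type": "https://in-toto.io/Statement/v1",
                               "predicateType": "https://slsa.dev/provenance/v1",
                               "predicate": {"buildDefinition": {"buildType": GHA_BUILD_TYPE}}})
```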