feat: support digest arguments in verify-artifact command #877

Open: suzuki-shunsuke wants to merge 2 commits into slsa-framework:main from szksh-lab-2:feat/verify-artifact-digest-support

@suzuki-shunsuke suzuki-shunsuke commented Jan 11, 2026

Fixes #876

Allow verify-artifact to accept sha256:xxx or sha512:xxx digest strings as positional arguments instead of file paths. This enables verification without downloading large artifacts when only the digest is known.

Test

Example: pinact_darwin_amd64.tar.gz (sha256:4f658c9258ba261019114afcf8cbc155ce1b9a1157d17cb1fc2e0a48d962d1d7) GitHub Release

Before: digest isn't supported.

```
$ slsa-verifier verify-artifact sha256:4f658c9258ba261019114afcf8cbc155ce1b9a1157d17cb1fc2e0a48d962d1d7 \
  --provenance-path multiple.intoto.jsonl \
  --source-uri github.com/suzuki-shunsuke/pinact \
  --source-tag "v3.8.0"
Verifying artifact sha256:4f658c9258ba261019114afcf8cbc155ce1b9a1157d17cb1fc2e0a48d962d1d7: FAILED: open sha256:4f658c9258ba261019114afcf8cbc155ce1b9a1157d17cb1fc2e0a48d962d1d7: no such file or directory

FAILED: SLSA verification failed: open sha256:4f658c9258ba261019114afcf8cbc155ce1b9a1157d17cb1fc2e0a48d962d1d7: no such file or directory
```

After: digest is supported.

```
$ slsa-verifier verify-artifact sha256:4f658c9258ba261019114afcf8cbc155ce1b9a1157d17cb1fc2e0a48d962d1d7 \
  --provenance-path multiple.intoto.jsonl \
  --source-uri github.com/suzuki-shunsuke/pinact \
  --source-tag "v3.8.0"
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.1.0" at commit 5caad4c2e4c0e339aabe292b139313ace227dae8
Verifying artifact sha256:4f658c9258ba261019114afcf8cbc155ce1b9a1157d17cb1fc2e0a48d962d1d7: PASSED

PASSED: SLSA verification passed
```

Allow verify-artifact to accept sha256:xxx or sha512:xxx digest strings
as positional arguments instead of file paths. This enables verification
without downloading large artifacts when only the digest is known.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com>

@suzuki-shunsuke

```
  Running [/home/runner/golangci-lint-1.61.0-linux-amd64/golangci-lint run] in [/home/runner/work/slsa-verifier/slsa-verifier] ...
  Error: cli/slsa-verifier/verify/utils.go:58:2: importShadow: shadow of imported package 'hash' (gocritic)
  	hash := parts[1]
  	^
```

Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com>
@suzuki-shunsuke suzuki-shunsuke marked this pull request as ready for review January 11, 2026 05:52
@suzuki-shunsuke suzuki-shunsuke requested a review from a team January 11, 2026 05:52
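
An added sketch of the argument handling this pull request describes (not the PR's code and not slsa-verifier's own implementation): `ResolveDigest` is a hypothetical helper that accepts either a `sha256:`/`sha512:` digest string or a file path. The strict length and hex checks, and rejecting a malformed digest instead of falling back to opening it as a file, are assumptions about how a careful parser would behave.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"strings"
)

// hexLen: accepted algorithms and the exact hex length of each digest.
var hexLen = map[string]int{"sha256": 64, "sha512": 128}

// ResolveDigest (hypothetical helper) returns the algorithm and lowercase hex
// digest for a positional argument that is either "<alg>:<hex>" or a file path.
func ResolveDigest(arg string) (alg, hexDigest string, err error) {
	prefix, value, found := strings.Cut(arg, ":")
	if want, known := hexLen[prefix]; found && known {
		// Known prefix: a malformed value is an error, never a path fallback.
		value = strings.ToLower(value)
		if len(value) != want {
			return "", "", fmt.Errorf("%s digest: want %d hex chars, got %d", prefix, want, len(value))
		}
		if _, err := hex.DecodeString(value); err != nil {
			return "", "", fmt.Errorf("%s digest is not hex: %w", prefix, err)
		}
		return prefix, value, nil
	}
	f, err := os.Open(arg) // anything else is treated as a file and hashed
	if err != nil {
		return "", "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", "", err
	}
	return "sha256", hex.EncodeToString(h.Sum(nil)), nil
}

func main() {
	// Digest taken from the example on this page.
	arg := "sha256:4f658c9258ba261019114afcf8cbc155ce1b9a1157d17cb1fc2e0a48d962d1d7"
	alg, d, err := ResolveDigest(arg)
	fmt.Println(alg, d, err)
	_, _, err = ResolveDigest("sha256:4f658c") // truncated digest is rejected
	fmt.Println(err)
}
```

A pass on a digest argument only says the provenance covers that digest; a file obtained later still has to be hashed and compared against it before use.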