feat(attestation): bundle attestation and verification with security hardening

Add pkg/bundler/attestation (KeylessAttester, NoOpAttester, SLSA statement builder,
ambient + browser OIDC), pkg/bundler/verifier (checksum validation,
Sigstore verification, identity pinning, trust levels), and pkg/trust (TUF
trusted root management for offline verification).

Wire attestation into bundler.Make(), add CLI commands (aicr verify, aicr
trust update, --skip-attestation, --certificate-identity-regexp), and add
cli-e2e action for chainsaw tests with attested binary in CI.

Security hardening from review feedback:
- Require identity on all attestation verification
- Path traversal protection, size limits, context timeouts, nil safety
- Validate identity patterns against domain spoofing
- Implement --min-trust-level max resolution to highest achievable level

Author: lockwobr

.github/actions/cli-e2e/action.yml

@@ -0,0 +1,107 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: 'CLI E2E Tests'
+description: 'Build attested aicr binary and run CLI chainsaw tests'
+
+inputs:
+  go_version:
+    description: 'Go version (e.g., 1.25)'
+    required: true
+  chainsaw_version:
+    description: 'Chainsaw version (e.g., v0.2.14)'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Setup Go
+      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5  # v6.2.0
+      with:
+        go-version: '${{ inputs.go_version }}'
+        cache: true
+
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad  # v4.0.0
+
+    - name: Install GoReleaser
+      uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a  # v6.4.0
+      with:
+        install-only: true
+
+    - name: Install Chainsaw
+      shell: bash
+      run: |
+        set -euo pipefail
+        VERSION="${{ inputs.chainsaw_version }}"
+        VERSION="${VERSION#v}"
+        TAR="chainsaw_linux_amd64.tar.gz"
+        URL="https://github.com/kyverno/chainsaw/releases/download/v${VERSION}/${TAR}"
+        TMP="$(mktemp -d)"
+        curl -fsSL -o "${TMP}/${TAR}" "${URL}"
+        tar -xzf "${TMP}/${TAR}" -C "${TMP}"
+        sudo mv "${TMP}/chainsaw" /usr/local/bin/chainsaw
+        sudo chmod +x /usr/local/bin/chainsaw
+        rm -rf "${TMP}"
+
+    - name: Generate SLSA predicate
+      uses: ./.github/actions/generate-slsa-predicate
+      with:
+        workflow_file: qualification.yaml
+
+    - name: Build attested binary
+      shell: bash
+      env:
+        GOFLAGS: -mod=vendor
+      run: |
+        set -euo pipefail
+        goreleaser build --clean --single-target --snapshot --timeout 10m
+
+    - name: Locate binary and detect attestation
+      id: binary
+      shell: bash
+      run: |
+        set -euo pipefail
+        # Find binary (linux/amd64 in CI)
+        AICR_BIN=""
+        for pattern in dist/aicr_linux_amd64_v1/aicr dist/aicr_linux_amd64/aicr; do
+          if [ -x "$pattern" ]; then
+            AICR_BIN="$(pwd)/$pattern"
+            break
+          fi
+        done
+        if [ -z "$AICR_BIN" ]; then
+          echo "::error::Built binary not found in dist/"
+          exit 1
+        fi
+        echo "AICR_BIN=$AICR_BIN" >> "$GITHUB_ENV"
+
+        # Detect attestation
+        ATTEST_FILE="$(dirname "$AICR_BIN")/aicr-attestation.sigstore.json"
+        if [ -f "$ATTEST_FILE" ]; then
+          echo "AICR_ATTESTED=true" >> "$GITHUB_ENV"
+          echo "Binary attestation found: $ATTEST_FILE"
+        else
+          echo "AICR_ATTESTED=false" >> "$GITHUB_ENV"
+          echo "::warning::No binary attestation found (attestation tests will skip)"
+        fi
+
+    - name: Run CLI chainsaw tests
+      shell: bash
+      run: |
+        set -euo pipefail
+        chainsaw test \
+          --no-cluster \
+          --config tests/chainsaw/chainsaw-config.yaml \
+          --test-dir tests/chainsaw/cli/

.github/workflows/build-attested.yaml

@@ -40,7 +40,7 @@ jobs:
   build-and-attest:
     name: Build and Attest Binaries
     runs-on: ubuntu-latest
-    timeout-minutes: 15
+    timeout-minutes: 25
     steps:
       - name: Checkout Code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -76,7 +76,7 @@ jobs:
           GOFLAGS: -mod=vendor
         run: |
           set -euo pipefail
-          goreleaser release --snapshot --clean --skip=publish,ko,sbom --timeout 10m
+          goreleaser release --snapshot --clean --skip=publish,ko,sbom --timeout 20m --single-target
 
       - name: Verify archive contents
         run: |

.github/workflows/on-push.yaml

@@ -47,6 +47,7 @@ jobs:
     permissions:
       actions: read
       contents: read
+      id-token: write
       security-events: write
     with:
       coverage_report: true

.github/workflows/on-tag.yaml

@@ -40,6 +40,7 @@ jobs:
     permissions:
       actions: read
       contents: read
+      id-token: write
       security-events: write
 
   # =============================================================================

.github/workflows/qualification.yaml

@@ -103,6 +103,30 @@ jobs:
           go_version: ${{ steps.versions.outputs.go }}
           chainsaw_version: ${{ steps.versions.outputs.chainsaw }}
 
+  cli-e2e:
+    name: CLI E2E
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+
+      - name: Checkout Code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Load versions
+        id: versions
+        uses: ./.github/actions/load-versions
+
+      - name: Run CLI E2E Tests
+        uses: ./.github/actions/cli-e2e
+        with:
+          go_version: ${{ steps.versions.outputs.go }}
+          chainsaw_version: ${{ steps.versions.outputs.chainsaw }}
+
   e2e:
     name: E2E
     runs-on: ubuntu-latest

DEVELOPMENT.md

@@ -560,6 +560,17 @@ To produce attested binaries without a release tag, use the **Build Attested Bin
 workflow (`.github/workflows/build-attested.yaml`) from the Actions tab. It runs
 `goreleaser release --snapshot` with cosign and uploads tar.gz archives as artifacts.
 
+#### Bundle Attestation
+
+`aicr bundle` attests bundles by default using Sigstore keyless OIDC signing:
+
+- **GitHub Actions**: Uses the ambient OIDC token automatically (requires `id-token: write`)
+- **Local**: Opens a browser for Sigstore OIDC authentication (GitHub, Google, or Microsoft)
+- **Skip**: Use `--skip-attestation` to disable signing for local development
+
+Verify a bundle with `aicr verify <dir>`. Update the trusted root cache with
+`aicr trust update` (run automatically by the install script).
+
 ### Local Development
 
 | Target | Description |

Makefile

@@ -149,6 +149,11 @@ license: ## Add/verify license headers in source files
 	@echo "Ensuring license headers..."
 	@addlicense -f .github/headers/LICENSE $(LICENSE_IGNORES) .
 
+license-check: ## Check license is approved
+	@echo "Checking license headers..."
+	go-licenses check ./... \
+        --allowed_licenses=Apache-2.0,BSD-2-Clause,BSD-3-Clause,ISC,MIT,MPL-2.0
+
 .PHONY: test
 test: ## Runs unit tests with race detector and coverage (use -short to skip integration tests)
 	@set -e; \
@@ -191,7 +196,7 @@ scan: ## Scans for vulnerabilities with grype
 	grype dir:. --config .grype.yaml --fail-on high --quiet
 
 .PHONY: qualify
-qualify: test-coverage lint e2e scan ## Qualifies the codebase (test-coverage, lint, e2e, scan)
+qualify: test-coverage lint e2e scan license-check ## Qualifies the codebase (test-coverage, lint, e2e, scan)
 	@echo "Codebase qualification completed"
 
 .PHONY: server

SECURITY.md

@@ -169,6 +169,67 @@ The install script (`./install`) performs this verification automatically when
 (`.github/workflows/build-attested.yaml`) can be triggered manually from the
 Actions tab to produce attested binaries from any branch without cutting a release.
 
+### Bundle Attestation
+
+When `aicr bundle` runs, it attests the bundle using Sigstore keyless OIDC signing.
+The attestation binds the bundle creator's identity to the bundle content (via
+`checksums.txt`) and the binary that produced it (via `resolvedDependencies`).
+
+The bundle output includes:
+- `bundle-attestation.sigstore.json` — SLSA Build Provenance v1 for the bundle
+- `aicr-attestation.sigstore.json` — copy of the binary's attestation (provenance chain)
+
+Use `--skip-attestation` to skip signing (e.g., for local development).
+
+**Verify a bundle:**
+
+```shell
+aicr verify ./my-bundle
+```
+
+This verifies:
+1. Checksums — all content files match `checksums.txt`
+2. Bundle attestation — cryptographic signature verified against Sigstore trusted root
+3. Binary attestation — provenance chain verified with identity pinned to NVIDIA CI
+
+**Trust levels:**
+
+| Level | Name | Criteria |
+|-------|------|----------|
+| 4 | `verified` | Full chain verified, binary identity pinned to NVIDIA CI |
+| 3 | `attested` | Chain verified but binary attestation missing or external data used |
+| 2 | `unverified` | Checksums valid, `--skip-attestation` was used |
+| 1 | `unknown` | Missing checksums or attestation files |
+
+**Enforce a minimum trust level:**
+
+```shell
+aicr verify ./my-bundle --min-trust-level verified
+```
+
+### Trusted Root Management
+
+Bundle verification uses a Sigstore trusted root to validate attestation signatures
+offline. The trusted root contains CA certificates and Rekor public keys.
+
+**Three layers of trust resolution (in priority order):**
+
+1. **TUF cache** (`~/.sigstore/root/`) — updated by `aicr trust update`
+2. **Embedded TUF root** — compiled into the binary, used to bootstrap
+3. **TUF update** — `aicr trust update` contacts the Sigstore TUF CDN
+
+Verification never contacts the network — it uses the cache or embedded root.
+The install script runs `aicr trust update` automatically after installation.
+
+**Update the trusted root:**
+
+```shell
+aicr trust update
+```
+
+Run this when Sigstore rotates their keys (a few times per year) or if
+verification reports a stale root.
+
 ### Setup
 
 Export variables for the image you want to verify:

install

@@ -287,13 +287,21 @@ main() {
       sudo mv "${temp_dir}/${BIN_NAME}-attestation.sigstore.json" "${INSTALL_DIR}/${BIN_NAME}-attestation.sigstore.json"
   fi
 
-  # Summary
-  msg ""
-  ok "$BIN_NAME installed successfully!"
-  msg "  $("${BIN_NAME}" --version)"
-  if [[ -f "${INSTALL_DIR}/${BIN_NAME}-attestation.sigstore.json" ]]; then
-    ok "Attestation bundle saved for audit/compliance"
-    info "${INSTALL_DIR}/${BIN_NAME}-attestation.sigstore.json"
+  # Verify installation
+  msg "$BIN_NAME installed successfully!"
+  "${BIN_NAME}" --version
+  [[ -f "${INSTALL_DIR}/${BIN_NAME}-attestation.sigstore.json" ]] && \
+    msg "Attestation: ${INSTALL_DIR}/${BIN_NAME}-attestation.sigstore.json"
+
+  # Fetch latest Sigstore trusted root for offline verification.
+  # The trusted root enables 'aicr verify' to check attestation signatures
+  # without contacting Sigstore infrastructure. If this fails (e.g., no network),
+  # verification still works using the embedded TUF root compiled into the binary.
+  msg "Updating Sigstore trusted root..."
+  if ! "${BIN_NAME}" trust update 2>/dev/null; then
+    msg "Warning: could not fetch latest trusted root (network may be unavailable)"
+    msg "  Verification will use the embedded root. To update later, run:"
+    msg "    ${BIN_NAME} trust update"
   fi
 }
 

pkg/bundler/attestation/attestation.go

@@ -0,0 +1,58 @@
+// Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package attestation
+
+import "context"
+
+// Attester signs bundle content and returns a Sigstore bundle.
+type Attester interface {
+	// Attest creates a DSSE-signed in-toto SLSA provenance statement for the
+	// given subject, returning a serialized Sigstore bundle (.sigstore.json).
+	// Returns nil bytes when attestation is not performed (e.g., NoOpAttester).
+	Attest(ctx context.Context, subject AttestSubject) ([]byte, error)
+
+	// Identity returns the attester's identity as it appears in the signing
+	// certificate or key reference (e.g., OIDC email, KMS key URI).
+	// Returns empty string when no identity is available.
+	Identity() string
+
+	// HasRekorEntry reports whether produced attestations include a Rekor
+	// transparency log inclusion proof.
+	HasRekorEntry() bool
+}
+
+// AttestSubject describes what is being attested.
+type AttestSubject struct {
+	// Name is the artifact name (e.g., "checksums.txt").
+	Name string
+
+	// Digest maps algorithm to hex-encoded digest (e.g., {"sha256": "abc123..."}).
+	Digest map[string]string
+
+	// ResolvedDependencies records build inputs in SLSA resolvedDependencies format.
+	ResolvedDependencies []Dependency
+
+	// Metadata provides build context for the SLSA predicate.
+	Metadata StatementMetadata
+}
+
+// Dependency records an input artifact in SLSA resolvedDependencies.
+type Dependency struct {
+	// URI identifies the dependency (e.g., GitHub release URL or file:// URI).
+	URI string
+
+	// Digest maps algorithm to hex-encoded digest.
+	Digest map[string]string
+}