feat(cli): add attestation bundle and verify

Author: lockwobr

.github/actions/cli-e2e/action.yml

@@ -0,0 +1,107 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: 'CLI E2E Tests'
+description: 'Build attested aicr binary and run CLI chainsaw tests'
+
+inputs:
+  go_version:
+    description: 'Go version (e.g., 1.25)'
+    required: true
+  chainsaw_version:
+    description: 'Chainsaw version (e.g., v0.2.14)'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Setup Go
+      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5  # v6.2.0
+      with:
+        go-version: '${{ inputs.go_version }}'
+        cache: true
+
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad  # v4.0.0
+
+    - name: Install GoReleaser
+      uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a  # v6.4.0
+      with:
+        install-only: true
+
+    - name: Install Chainsaw
+      shell: bash
+      run: |
+        set -euo pipefail
+        VERSION="${{ inputs.chainsaw_version }}"
+        VERSION="${VERSION#v}"
+        TAR="chainsaw_linux_amd64.tar.gz"
+        URL="https://github.com/kyverno/chainsaw/releases/download/v${VERSION}/${TAR}"
+        TMP="$(mktemp -d)"
+        curl -fsSL -o "${TMP}/${TAR}" "${URL}"
+        tar -xzf "${TMP}/${TAR}" -C "${TMP}"
+        sudo mv "${TMP}/chainsaw" /usr/local/bin/chainsaw
+        sudo chmod +x /usr/local/bin/chainsaw
+        rm -rf "${TMP}"
+
+    - name: Generate SLSA predicate
+      uses: ./.github/actions/generate-slsa-predicate
+      with:
+        workflow_file: qualification.yaml
+
+    - name: Build attested binary
+      shell: bash
+      env:
+        GOFLAGS: -mod=vendor
+      run: |
+        set -euo pipefail
+        goreleaser build --clean --single-target --snapshot --timeout 10m
+
+    - name: Locate binary and detect attestation
+      id: binary
+      shell: bash
+      run: |
+        set -euo pipefail
+        # Find binary (linux/amd64 in CI)
+        AICR_BIN=""
+        for pattern in dist/aicr_linux_amd64_v1/aicr dist/aicr_linux_amd64/aicr; do
+          if [ -x "$pattern" ]; then
+            AICR_BIN="$(pwd)/$pattern"
+            break
+          fi
+        done
+        if [ -z "$AICR_BIN" ]; then
+          echo "::error::Built binary not found in dist/"
+          exit 1
+        fi
+        echo "AICR_BIN=$AICR_BIN" >> "$GITHUB_ENV"
+
+        # Detect attestation
+        ATTEST_FILE="$(dirname "$AICR_BIN")/aicr-attestation.sigstore.json"
+        if [ -f "$ATTEST_FILE" ]; then
+          echo "AICR_ATTESTED=true" >> "$GITHUB_ENV"
+          echo "Binary attestation found: $ATTEST_FILE"
+        else
+          echo "AICR_ATTESTED=false" >> "$GITHUB_ENV"
+          echo "::warning::No binary attestation found (attestation tests will skip)"
+        fi
+
+    - name: Run CLI chainsaw tests
+      shell: bash
+      run: |
+        set -euo pipefail
+        chainsaw test \
+          --no-cluster \
+          --config tests/chainsaw/chainsaw-config.yaml \
+          --test-dir tests/chainsaw/cli/

.github/workflows/qualification.yaml

@@ -103,6 +103,30 @@ jobs:
           go_version: ${{ steps.versions.outputs.go }}
           chainsaw_version: ${{ steps.versions.outputs.chainsaw }}
 
+  cli-e2e:
+    name: CLI E2E
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+
+      - name: Checkout Code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Load versions
+        id: versions
+        uses: ./.github/actions/load-versions
+
+      - name: Run CLI E2E Tests
+        uses: ./.github/actions/cli-e2e
+        with:
+          go_version: ${{ steps.versions.outputs.go }}
+          chainsaw_version: ${{ steps.versions.outputs.chainsaw }}
+
   e2e:
     name: E2E
     runs-on: ubuntu-latest

DEVELOPMENT.md

@@ -560,6 +560,17 @@ To produce attested binaries without a release tag, use the **Build Attested Bin
 workflow (`.github/workflows/build-attested.yaml`) from the Actions tab. It runs
 `goreleaser release --snapshot` with cosign and uploads tar.gz archives as artifacts.
 
+#### Bundle Attestation
+
+`aicr bundle` attests bundles by default using Sigstore keyless OIDC signing:
+
+- **GitHub Actions**: Uses the ambient OIDC token automatically (requires `id-token: write`)
+- **Local**: Opens a browser for Sigstore OIDC authentication (GitHub, Google, or Microsoft)
+- **Skip**: Use `--skip-attestation` to disable signing for local development
+
+Verify a bundle with `aicr verify <dir>`. Update the trusted root cache with
+`aicr trust update` (run automatically by the install script).
+
 ### Local Development
 
 | Target | Description |

Makefile

@@ -146,6 +146,11 @@ license: ## Add/verify license headers in source files
 	@echo "Ensuring license headers..."
 	@addlicense -f .github/headers/LICENSE $(LICENSE_IGNORES) .
 
+license-check: ## Check license is approved
+	@echo "Checking license headers..."
+	go-licenses check ./... \
+        --allowed_licenses=Apache-2.0,BSD-2-Clause,BSD-3-Clause,ISC,MIT,MPL-2.0
+
 .PHONY: test
 test: ## Runs unit tests with race detector and coverage (use -short to skip integration tests)
 	@set -e; \
@@ -188,7 +193,7 @@ scan: ## Scans for vulnerabilities with grype
 	grype dir:. --config .grype.yaml --fail-on high --quiet
 
 .PHONY: qualify
-qualify: test-coverage lint e2e scan ## Qualifies the codebase (test-coverage, lint, e2e, scan)
+qualify: test-coverage lint e2e scan license-check ## Qualifies the codebase (test-coverage, lint, e2e, scan)
 	@echo "Codebase qualification completed"
 
 .PHONY: server

SECURITY.md

@@ -169,6 +169,67 @@ The install script (`./install`) performs this verification automatically when
 (`.github/workflows/build-attested.yaml`) can be triggered manually from the
 Actions tab to produce attested binaries from any branch without cutting a release.
 
+### Bundle Attestation
+
+When `aicr bundle` runs, it attests the bundle using Sigstore keyless OIDC signing.
+The attestation binds the bundle creator's identity to the bundle content (via
+`checksums.txt`) and the binary that produced it (via `resolvedDependencies`).
+
+The bundle output includes:
+- `bundle-attestation.sigstore.json` — SLSA Build Provenance v1 for the bundle
+- `aicr-attestation.sigstore.json` — copy of the binary's attestation (provenance chain)
+
+Use `--skip-attestation` to skip signing (e.g., for local development).
+
+**Verify a bundle:**
+
+```shell
+aicr verify ./my-bundle
+```
+
+This verifies:
+1. Checksums — all content files match `checksums.txt`
+2. Bundle attestation — cryptographic signature verified against Sigstore trusted root
+3. Binary attestation — provenance chain verified with identity pinned to NVIDIA CI
+
+**Trust levels:**
+
+| Level | Name | Criteria |
+|-------|------|----------|
+| 4 | `verified` | Full chain verified, binary identity pinned to NVIDIA CI |
+| 3 | `attested` | Chain verified but binary attestation missing or external data used |
+| 2 | `unverified` | Checksums valid, `--skip-attestation` was used |
+| 1 | `unknown` | Missing checksums or attestation files |
+
+**Enforce a minimum trust level:**
+
+```shell
+aicr verify ./my-bundle --min-trust-level verified
+```
+
+### Trusted Root Management
+
+Bundle verification uses a Sigstore trusted root to validate attestation signatures
+offline. The trusted root contains CA certificates and Rekor public keys.
+
+**Three layers of trust resolution (in priority order):**
+
+1. **TUF cache** (`~/.sigstore/root/`) — updated by `aicr trust update`
+2. **Embedded TUF root** — compiled into the binary, used to bootstrap
+3. **TUF update** — `aicr trust update` contacts the Sigstore TUF CDN
+
+Verification never contacts the network — it uses the cache or embedded root.
+The install script runs `aicr trust update` automatically after installation.
+
+**Update the trusted root:**
+
+```shell
+aicr trust update
+```
+
+Run this when Sigstore rotates their keys (a few times per year) or if
+verification reports a stale root.
+
 ### Setup
 
 Export variables for the image you want to verify:

go.mod

@@ -109,17 +109,13 @@ require (
 	github.com/jmoiron/sqlx v1.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.18.4 // indirect
-	github.com/klauspost/compress v1.18.1 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/lib/pq v1.11.2 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.20 // indirect
-	github.com/mattn/go-colorable v0.1.14 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect

go.sum

@@ -341,8 +341,6 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c=
 github.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
-github.com/klauspost/compress v1.18.1 h1:bcSGx7UbpBqMChDtsF28Lw6v/G94LPrrbMbdC3JH2co=
-github.com/klauspost/compress v1.18.1/go.mod h1:ZQFFVG+MdnR0P+l6wpXgIL4NTtwiKIdBnrBd8Nrxr+0=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -576,20 +574,12 @@ go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF
 go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
 go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
 go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
-go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
-go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
-go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
-go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
 go.opentelemetry.io/otel/sdk/log v0.8.0 h1:zg7GUYXqxk1jnGF/dTdLPrK06xJdrXgqgFLnI4Crxvs=
 go.opentelemetry.io/otel/sdk/log v0.8.0/go.mod h1:50iXr0UVwQrYS45KbruFrEt4LvAdCaWWgIrsN3ZQggo=
 go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
 go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
 go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
 go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
-go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
-go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
-go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
-go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.step.sm/crypto v0.74.0 h1:/APBEv45yYR4qQFg47HA8w1nesIGcxh44pGyQNw6JRA=

install

@@ -263,6 +263,17 @@ main() {
   "${BIN_NAME}" --version
   [[ -f "${INSTALL_DIR}/${BIN_NAME}-attestation.sigstore.json" ]] && \
     msg "Attestation: ${INSTALL_DIR}/${BIN_NAME}-attestation.sigstore.json"
+
+  # Fetch latest Sigstore trusted root for offline verification.
+  # The trusted root enables 'aicr verify' to check attestation signatures
+  # without contacting Sigstore infrastructure. If this fails (e.g., no network),
+  # verification still works using the embedded TUF root compiled into the binary.
+  msg "Updating Sigstore trusted root..."
+  if ! "${BIN_NAME}" trust update 2>/dev/null; then
+    msg "Warning: could not fetch latest trusted root (network may be unavailable)"
+    msg "  Verification will use the embedded root. To update later, run:"
+    msg "    ${BIN_NAME} trust update"
+  fi
 }
 
 # Run main function

pkg/bundler/attestation/binary.go

@@ -0,0 +1,68 @@
+// Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package attestation
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/NVIDIA/aicr/pkg/errors"
+)
+
+// AttestationFileSuffix is the conventional suffix for attestation files.
+const AttestationFileSuffix = "-attestation.sigstore.json"
+
+// BundleAttestationFile is the filename for the bundle attestation in the output directory.
+const BundleAttestationFile = "bundle-attestation.sigstore.json"
+
+// BinaryAttestationFile is the filename for the binary attestation copied into the bundle.
+const BinaryAttestationFile = "aicr-attestation.sigstore.json"
+
+// FindBinaryAttestation locates the attestation file for a binary at the
+// conventional path: <binary-path>-attestation.sigstore.json.
+// Returns the attestation file path.
+func FindBinaryAttestation(binaryPath string) (string, error) {
+	// Convention: attestation file is named <binary-name>-attestation.sigstore.json
+	// in the same directory as the binary.
+	dir := filepath.Dir(binaryPath)
+	base := filepath.Base(binaryPath)
+	attestPath := filepath.Join(dir, base+AttestationFileSuffix)
+
+	if _, err := os.Stat(attestPath); err != nil {
+		if os.IsNotExist(err) {
+			return "", errors.New(errors.ErrCodeNotFound,
+				fmt.Sprintf("binary attestation not found: %s", attestPath))
+		}
+		return "", errors.Wrap(errors.ErrCodeInternal,
+			fmt.Sprintf("cannot access binary attestation: %s", attestPath), err)
+	}
+
+	return attestPath, nil
+}
+
+// ComputeFileDigest reads a file and returns its SHA256 hex digest.
+func ComputeFileDigest(path string) (string, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return "", errors.Wrap(errors.ErrCodeInternal,
+			fmt.Sprintf("failed to read file for digest: %s", path), err)
+	}
+
+	hash := sha256.Sum256(data)
+	return hex.EncodeToString(hash[:]), nil
+}