feat(cli): Verify attestations with local certificate and chain (#982)

Signed-off-by: Jose I. Paris <[email protected]>

Author: jiparis

app/cli/cmd/workflow_workflow_run_describe.go

@@ -39,17 +39,21 @@ const formatAttestation = "attestation"
 const formatPayloadPAE = "payload-pae"
 
 func newWorkflowWorkflowRunDescribeCmd() *cobra.Command {
-	var runID, attestationDigest, publicKey string
-	var verifyAttestation bool
+	var (
+		runID, attestationDigest, publicKey string
+		certPath, chainPath                 string
+		verifyAttestation                   bool
+	)
+
 	// TODO: Replace by retrieving key from rekor
 	const signingKeyEnvVarName = "CHAINLOOP_SIGNING_PUBLIC_KEY"
 
 	cmd := &cobra.Command{
 		Use:   "describe",
 		Short: "View a Workflow Run",
 		PreRunE: func(cmd *cobra.Command, args []string) error {
-			if verifyAttestation && publicKey == "" {
-				return errors.New("a public key needs to be provided for verification")
+			if verifyAttestation && publicKey == "" && certPath == "" {
+				return errors.New("a public key or certificate needs to be provided for verification")
 			}
 
 			if runID == "" && attestationDigest == "" {
@@ -59,7 +63,14 @@ func newWorkflowWorkflowRunDescribeCmd() *cobra.Command {
 			return nil
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
-			res, err := action.NewWorkflowRunDescribe(actionOpts).Run(context.Background(), runID, attestationDigest, verifyAttestation, publicKey)
+			res, err := action.NewWorkflowRunDescribe(actionOpts).Run(context.Background(), &action.WorkflowRunDescribeOpts{
+				RunID:         runID,
+				Digest:        attestationDigest,
+				PublicKeyRef:  publicKey,
+				CertPath:      certPath,
+				CertChainPath: chainPath,
+				Verify:        verifyAttestation,
+			})
 			if err != nil {
 				return err
 			}
@@ -78,6 +89,9 @@ func newWorkflowWorkflowRunDescribeCmd() *cobra.Command {
 		publicKey = os.Getenv(signingKeyEnvVarName)
 	}
 
+	cmd.Flags().StringVar(&certPath, "cert", "", "public certificate in PEM format to be used to verify the attestation")
+	cmd.Flags().StringVar(&chainPath, "cert-chain", "", "certificate chain (intermediates, root) in PEM format to be used to verify the attestation")
+
 	// Override default output flag
 	cmd.InheritedFlags().StringVarP(&flagOutputFormat, "output", "o", "table", "output format, valid options are table, json, attestation, statement or payload-pae")
 

app/cli/internal/action/testdata/ca.pub

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFnTCCA4WgAwIBAgIUErdOkmXh4B6wWuq3zdyoZwP4B2EwDQYJKoZIhvcNAQEL
+BQAwXjELMAkGA1UEBhMCRVMxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAoM
+CUNoYWlubG9vcDESMBAGA1UECwwJY2hhaW5sb29wMRIwEAYDVQQDDAljaGFpbmxv
+b3AwHhcNMjQwNTI4MjAwMjM4WhcNMjYwNTI4MjAwMjM4WjBeMQswCQYDVQQGEwJF
+UzETMBEGA1UECAwKU29tZS1TdGF0ZTESMBAGA1UECgwJQ2hhaW5sb29wMRIwEAYD
+VQQLDAljaGFpbmxvb3AxEjAQBgNVBAMMCWNoYWlubG9vcDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAJy5/qNvpiJITXKwR/hoE7NWXhPLj9glLv5hqqUN
+ZHz5D1Mmj35B8JzMNe78lCFBhs4tf5xNSWj9AnDhIbYAW9edu6hA7YJUXVE3iJ7g
+vrQ5NTdeQqd8xxSjvtwBKVaQCKGEBHaqyZatB8IQ5kY4YLfqFWQ1U9IkU4QdZJQ2
+beBm1hSh6KUqOtlNMgumIIx0kWiHYHQ/KRVSKhoxKD+YQFTvfqrEvMxR23gkxPo+
+Z8exeG30Nzeido31WCdrWhWwthO9TuXEUk8XdqHUpKqS47AFIcLZBHCzxGB784K2
+go1ixzxt5gSfeco0nT9sJHGIOMhh50Eec0bnIUcH61iEDuAJY5pj0XcAvl39l9C0
+oIS7+5qOyqZk0LVwABi5CHYrnNKcj2BbOkplRqw1u1lvlfJQSQ29rQ3mWFXoQeQr
+sGhdJDMJkzNkMRXqReBuQxIREsmzjA5ZO2fSK/Mt+OugzO8exlVJ9d7ZA5P54tZr
+t8mqOM3ahFwEnRincvJBNYSnfZGYIp7h7lDuDdF2hJxI5aCSuzNrtA7ea6n/R3zj
+hmo5CmD+x/DOapYHW6c7DbFCyViOutQybiAL5E0ESBQVxfndXPbhT3725evLFpM8
+a5lp3Q1AHbaHwBNLt2ET+gQJl4Kv8+oSGgfTPMkcEXeehKq4UUSJImDpkdU9VSAm
+rV+lAgMBAAGjUzBRMB0GA1UdDgQWBBSg5OU3ZPHjjjH//hg8PuthzR+lyjAfBgNV
+HSMEGDAWgBSg5OU3ZPHjjjH//hg8PuthzR+lyjAPBgNVHRMBAf8EBTADAQH/MA0G
+CSqGSIb3DQEBCwUAA4ICAQBZ6IOom849XSPoSfJ4pH9kIgrAg77JF0iYXw+rvmoa
+tldzbXn8qPADn/IlfcARvnsDNymzQ1Ar+61vO0TIeuZhTKm06V4V46x/Xd4w6INZ
+F8Yug+VpoLjh4IiPo79yz4lHcFRPWVoIbQe2b2k93qnsuwUxX1z7YlKXnmSj/FpW
+jScy+ic/7YUB0TjZVN3Lm7LUcFMwlT3M04z5tQdDLHayQ5loRDOtA38tuuVexWiZ
+KvdyvYk3AWyhNVRTnNoKyuZzaltWbzD2/vysi6krmJqXoH6vCCu+8CsYMJA6AVu0
+Y4375UNNSOBDVhPFMRH+oQ0gCFRKN+hPIxh9rnrBJnM11nOVolwcY5T3B3692cl+
+jVvpTqPnzVng5XBXpWgAhN6c6nkgduyhnq4zQp01EcmxZMmIfQMJ/MNwWVRIem+8
+YZ4f+aT1PXr6X3Jt9VS9Fq4FTaCYrFhfHbeKIKQtqLneXJosI8xWlAAcRMrTXAVn
+kzLggDLeeSvDNz7X8jk63kbbVtISFdHBw65U4LgzCZR5kHXOlFjz59J9Bc6gChmh
+w2ljLt9QRMjSEuHRVltfT5ZCYWgSU9PJTuGhbGJUkDntY6pB6TjgmARSk796jvo0
+S12JKd+hkgznl/q5ZzwsNI8087KIswqeZBSunCZGCcQziU97x3hl2orBfldtVm9m
+sQ==
+-----END CERTIFICATE-----

app/cli/internal/action/testdata/cert-attestation.json

@@ -0,0 +1,10 @@
+{
+   "payloadType": "application/vnd.in-toto+json",
+   "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCAic3ViamVjdCI6W3sibmFtZSI6ImNoYWlubG9vcC53b3JrZmxvdy5teXdmIiwgImRpZ2VzdCI6eyJzaGEyNTYiOiI2YzhjNTFmOGM2YzEyMDM1YmEzYzg1OTdjOGE3ZjdjYTA1MDdlMDJiMjJlMjE5MjA3OTU1OTY2YmIwNGE3N2U1In19LCB7Im5hbWUiOiJnaXQuaGVhZCIsICJkaWdlc3QiOnsic2hhMSI6ImY5ZjI0OTNhNjQ3NDczYzBiZTBjODgxNGQzZDMyYjE3ZDYxNWZhMzgifSwgImFubm90YXRpb25zIjp7ImF1dGhvci5lbWFpbCI6ImppcGFyaXNAY2hhaW5sb29wLmRldiIsICJhdXRob3IubmFtZSI6Ikpvc2UgSS4gUGFyaXMiLCAiZGF0ZSI6IjIwMjQtMDYtMThUMTY6MTE6NThaIiwgIm1lc3NhZ2UiOiJkcmFmdCB2ZXJpZmllciB3aXRoIGNlcnRcblxuU2lnbmVkLW9mZi1ieTogSm9zZSBJLiBQYXJpcyA8amlwYXJpc0BjaGFpbmxvb3AuZGV2PlxuIiwgInJlbW90ZXMiOlt7Im5hbWUiOiJvcmlnaW4iLCAidXJsIjoiZ2l0QGdpdGh1Yi5jb206amlwYXJpcy9jaGFpbmxvb3AuZ2l0In0sIHsibmFtZSI6InVwc3RyZWFtIiwgInVybCI6ImdpdEBnaXRodWIuY29tOmNoYWlubG9vcC1kZXYvY2hhaW5sb29wLmdpdCJ9XX19XSwgInByZWRpY2F0ZVR5cGUiOiJjaGFpbmxvb3AuZGV2L2F0dGVzdGF0aW9uL3YwLjIiLCAicHJlZGljYXRlIjp7ImJ1aWxkVHlwZSI6ImNoYWlubG9vcC5kZXYvd29ya2Zsb3dydW4vdjAuMSIsICJidWlsZGVyIjp7ImlkIjoiY2hhaW5sb29wLmRldi9jbGkvZGV2QHNoYTI1Njo5NGMxOWJjZDQ4ZjE2MDMyZTU1OTI5ZDdmMTVmMTU2ZWNiZGQxZjk5YThhYmIzMjI2NzFjY2FkOGEzMmI1YzVkIn0sICJtYXRlcmlhbHMiOlt7ImFubm90YXRpb25zIjp7ImNoYWlubG9vcC5tYXRlcmlhbC5jYXMuaW5saW5lIjp0cnVlLCAiY2hhaW5sb29wLm1hdGVyaWFsLm5hbWUiOiJtYXRlcmlhbC0xNzE4NzI4Njg5ODQzNDEzMDAwIiwgImNoYWlubG9vcC5tYXRlcmlhbC50eXBlIjoiQVJUSUZBQ1QifSwgImRpZ2VzdCI6eyJzaGEyNTYiOiJlM2IwYzQ0Mjk4ZmMxYzE0OWFmYmY0Yzg5OTZmYjkyNDI3YWU0MWU0NjQ5YjkzNGNhNDk1OTkxYjc4NTJiODU1In0sICJuYW1lIjoiZXZpZGVuY2UudHh0In1dLCAibWV0YWRhdGEiOnsiZmluaXNoZWRBdCI6IjIwMjQtMDYtMThUMTY6Mzg6NDguMDQzMzU5WiIsICJpbml0aWFsaXplZEF0IjoiMjAyNC0wNi0xOFQxNjozNzo1OC4yMDQ4NjJaIiwgIm5hbWUiOiJteXdmIiwgIm9yZ2FuaXphdGlvbiI6ImZvY3VzZWQtd3UtNTUxMiIsICJwcm9qZWN0IjoibXlwcm9qZWN0IiwgInRlYW0iOiIiLCAid29ya2Zsb3dJRCI6ImViN2I0NjMzLTk2ZTItNGVmZS1iMjNmLWY2NjdmM2Y3YWNkYyIsICJ3b3JrZmxvd1J1bklEIjoiMDBiNjlhMzAtYjExNy00YjM3LWI3ZGMtYmUxOGI5NmRhY2MwIn0sICJydW5uZXJUeXBlIjoiUlVOTkVSX1RZUEVfVU5TUEVDSUZJRUQifX0=",
+   "signatures": [
+      {
+         "keyid": "",
+         "sig": "MEUCIQDCk5jvXtdY8K0vrkvipUmuR68y8T736pvuBnrpQAT/JwIgBY4jo7XAzVkvb4jcX9q22KApM1KU6CMx4XL+TciRJuI="
+      }
+   ]
+}

app/cli/internal/action/testdata/cert.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtzCCAZ+gAwIBAgIUB/MxteHS8TrT8t3FMMXzr7a/1hMwDQYJKoZIhvcNAQEL
+BQAwXjELMAkGA1UEBhMCRVMxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAoM
+CUNoYWlubG9vcDESMBAGA1UECwwJY2hhaW5sb29wMRIwEAYDVQQDDAljaGFpbmxv
+b3AwHhcNMjQwNjE4MTYzODQ4WhcNMjQwNjE4MTY0ODQ4WjAvMS0wKwYDVQQKEyQ1
+ZTkwMTNjNy1hN2Y1LTRiNGQtOGM0Yi02NWZiMGE3OGRkMjUwWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAASEWfjdnjQEikYN3lw+Lk/XPby1eQLxUdMrCKdtne4qJhL7
+uOEvYUo94eTV+SHlStkDG5xDFsrdhW3ywRlUhN8mo2cwZTAOBgNVHQ8BAf8EBAMC
+B4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYEFI2pKlr87YOANgRROdEj
+oKbI82t8MB8GA1UdIwQYMBaAFKDk5Tdk8eOOMf/+GDw+62HNH6XKMA0GCSqGSIb3
+DQEBCwUAA4ICAQBd9UnLEbmNSUMVSviiNgdgKl3vke6Ep3exRzhauhVrEy1ZTYqN
+pXDh2gKbPuOWtJqVbHqkYA9PN2M7N6o3+QDy7bDWPGs+HRMttB19hKOlyk2KJ5Yj
+VpNF7T+/muvlyeiCPv6fIsEMxSlf8QaH88bRcFReIMeRv585nMJFhsYv93yD7SnK
+wtddZOZ+9HdJJEQ+BzomkWUxSU9ITtUUZgeU2zLkSKkkgPFz05a2C7I4haCpURRn
+jVtv878XjsEfL5Qj1OrnBXoW6bKdEkqQnWEAFA5hIF0+kbgtM33U/2gpMRsBUyIc
+E/JAmTWtMEVnuhvxilh4d9L78+cMRNTH9RHV30CouY5SVSNtvzcmq8G2AIkJEM3N
+sTUPyL+Je29Eus9/1id9iLYgKLX1qOCFdDpzUKOdlBolRCh/Y75H+mw9PaCoR/aa
+pVtb9mMqg5SUc80XvmQAHIROxr4g1g3Pq7/ZyZLlFV/mAotGPEad2oAQ4po5luUy
+CZnBYquOGJMWMjJfhV6uZUNPiZCkxgJUdwssS3WZV6P+Dd89S3QcRG6ljTdnHJid
+4yVyt1YBowPjhktixHtz/1e/hAyWF79SPVO5I81CVamAJ0R/mpsf8IXjq4DsymQF
+JBdVbWQgu8Ru0eFXdoUrLp5CfQaVRA6qtxgb0vBmU2EGxWHiGLsNkHyxFg==
+-----END CERTIFICATE-----

app/cli/internal/action/testdata/cosign-attestation.json

@@ -0,0 +1,10 @@
+{
+   "payloadType": "application/vnd.in-toto+json",
+   "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCAic3ViamVjdCI6W3sibmFtZSI6ImNoYWlubG9vcC53b3JrZmxvdy5teXdmIiwgImRpZ2VzdCI6eyJzaGEyNTYiOiJiODE3MjZiMDJkNmVlM2IyZDZjZjRjYWFhNmQ5ODQ2NzQzZTg4MmE1NGY3NTk0ZjJlMWVjZmM3MTBjZmUzYTNjIn19LCB7Im5hbWUiOiJnaXQuaGVhZCIsICJkaWdlc3QiOnsic2hhMSI6ImY5ZjI0OTNhNjQ3NDczYzBiZTBjODgxNGQzZDMyYjE3ZDYxNWZhMzgifSwgImFubm90YXRpb25zIjp7ImF1dGhvci5lbWFpbCI6ImppcGFyaXNAY2hhaW5sb29wLmRldiIsICJhdXRob3IubmFtZSI6Ikpvc2UgSS4gUGFyaXMiLCAiZGF0ZSI6IjIwMjQtMDYtMThUMTY6MTE6NThaIiwgIm1lc3NhZ2UiOiJkcmFmdCB2ZXJpZmllciB3aXRoIGNlcnRcblxuU2lnbmVkLW9mZi1ieTogSm9zZSBJLiBQYXJpcyA8amlwYXJpc0BjaGFpbmxvb3AuZGV2PlxuIiwgInJlbW90ZXMiOlt7Im5hbWUiOiJvcmlnaW4iLCAidXJsIjoiZ2l0QGdpdGh1Yi5jb206amlwYXJpcy9jaGFpbmxvb3AuZ2l0In0sIHsibmFtZSI6InVwc3RyZWFtIiwgInVybCI6ImdpdEBnaXRodWIuY29tOmNoYWlubG9vcC1kZXYvY2hhaW5sb29wLmdpdCJ9XX19XSwgInByZWRpY2F0ZVR5cGUiOiJjaGFpbmxvb3AuZGV2L2F0dGVzdGF0aW9uL3YwLjIiLCAicHJlZGljYXRlIjp7ImJ1aWxkVHlwZSI6ImNoYWlubG9vcC5kZXYvd29ya2Zsb3dydW4vdjAuMSIsICJidWlsZGVyIjp7ImlkIjoiY2hhaW5sb29wLmRldi9jbGkvZGV2QHNoYTI1Njo5NGMxOWJjZDQ4ZjE2MDMyZTU1OTI5ZDdmMTVmMTU2ZWNiZGQxZjk5YThhYmIzMjI2NzFjY2FkOGEzMmI1YzVkIn0sICJtYXRlcmlhbHMiOlt7ImFubm90YXRpb25zIjp7ImNoYWlubG9vcC5tYXRlcmlhbC5jYXMuaW5saW5lIjp0cnVlLCAiY2hhaW5sb29wLm1hdGVyaWFsLm5hbWUiOiJtYXRlcmlhbC0xNzE4NzI5Njk0NjgwNTAxMDAwIiwgImNoYWlubG9vcC5tYXRlcmlhbC50eXBlIjoiQVJUSUZBQ1QifSwgImRpZ2VzdCI6eyJzaGEyNTYiOiJlM2IwYzQ0Mjk4ZmMxYzE0OWFmYmY0Yzg5OTZmYjkyNDI3YWU0MWU0NjQ5YjkzNGNhNDk1OTkxYjc4NTJiODU1In0sICJuYW1lIjoiZXZpZGVuY2UudHh0In1dLCAibWV0YWRhdGEiOnsiZmluaXNoZWRBdCI6IjIwMjQtMDYtMThUMTY6NTU6MDYuMzMzNzY3WiIsICJpbml0aWFsaXplZEF0IjoiMjAyNC0wNi0xOFQxNjo1NDo0Ny4yMjI5NjFaIiwgIm5hbWUiOiJteXdmIiwgIm9yZ2FuaXphdGlvbiI6ImZvY3VzZWQtd3UtNTUxMiIsICJwcm9qZWN0IjoibXlwcm9qZWN0IiwgInRlYW0iOiIiLCAid29ya2Zsb3dJRCI6ImViN2I0NjMzLTk2ZTItNGVmZS1iMjNmLWY2NjdmM2Y3YWNkYyIsICJ3b3JrZmxvd1J1bklEIjoiOWZlYTUxNGYtY2MzZS00MzI5LWJiYzUtY2QxYWVmYjAzNTVjIn0sICJydW5uZXJUeXBlIjoiUlVOTkVSX1RZUEVfVU5TUEVDSUZJRUQifX0=",
+   "signatures": [
+      {
+         "keyid": "",
+         "sig": "MEUCIQDzR5618pisxhyD9/Yvac337wXM9X1Kw3hT80/vQhfpJgIgBUEFO0KyvJ6fwwmxORr4EvtI1T2qFxLYBZXELbQbSMo="
+      }
+   ]
+}

app/cli/internal/action/testdata/cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEALrHMpLAMILsB75Gmh5M9d8zt/j
+xv5PdUZ/LKXzgsGfjjGE8yC2lGV1xZhroXvietg3qKbjJHqFsWf0FVWBhQ==
+-----END PUBLIC KEY-----

app/cli/internal/action/workflow_run_describe.go

@@ -16,14 +16,20 @@
 package action
 
 import (
+	"bytes"
 	"context"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"sort"
 
 	pb "github.com/chainloop-dev/chainloop/app/controlplane/api/controlplane/v1"
 	"github.com/chainloop-dev/chainloop/internal/attestation/renderer/chainloop"
+	"github.com/sigstore/cosign/v2/pkg/blob"
+	"github.com/sigstore/cosign/v2/pkg/cosign"
 	sigs "github.com/sigstore/cosign/v2/pkg/signature"
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
+	"github.com/sigstore/sigstore/pkg/signature"
 
 	intoto "github.com/in-toto/attestation/go/v1"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
@@ -81,14 +87,21 @@ func NewWorkflowRunDescribe(cfg *ActionsOpts) *WorkflowRunDescribe {
 	return &WorkflowRunDescribe{cfg}
 }
 
-func (action *WorkflowRunDescribe) Run(ctx context.Context, runID string, digest string, verify bool, publicKey string) (*WorkflowRunItemFull, error) {
+type WorkflowRunDescribeOpts struct {
+	RunID, Digest           string
+	Verify                  bool
+	PublicKeyRef            string
+	CertPath, CertChainPath string
+}
+
+func (action *WorkflowRunDescribe) Run(ctx context.Context, opts *WorkflowRunDescribeOpts) (*WorkflowRunItemFull, error) {
 	client := pb.NewWorkflowRunServiceClient(action.cfg.CPConnection)
 
 	req := &pb.WorkflowRunServiceViewRequest{}
-	if digest != "" {
-		req.Ref = &pb.WorkflowRunServiceViewRequest_Digest{Digest: digest}
-	} else if runID != "" {
-		req.Ref = &pb.WorkflowRunServiceViewRequest_Id{Id: runID}
+	if opts.Digest != "" {
+		req.Ref = &pb.WorkflowRunServiceViewRequest_Digest{Digest: opts.Digest}
+	} else if opts.RunID != "" {
+		req.Ref = &pb.WorkflowRunServiceViewRequest_Id{Id: opts.RunID}
 	}
 
 	resp, err := client.View(ctx, req)
@@ -119,8 +132,8 @@ func (action *WorkflowRunDescribe) Run(ctx context.Context, runID string, digest
 		return nil, err
 	}
 
-	if verify {
-		if err := verifyEnvelope(ctx, envelope, publicKey); err != nil {
+	if opts.Verify {
+		if err := verifyEnvelope(ctx, envelope, opts); err != nil {
 			action.cfg.Logger.Debug().Err(err).Msg("verifying the envelope")
 			return nil, errors.New("invalid signature, did you provide the right key?")
 		}
@@ -196,19 +209,59 @@ func materialPBToAction(in *pb.AttestationItem_Material) *Material {
 	return m
 }
 
-func verifyEnvelope(ctx context.Context, e *dsse.Envelope, publicKey string) error {
-	// Currently we only support basic cosign public key check
-	// TODO: Add more verification methods
-	verifier, err := sigs.PublicKeyFromKeyRef(ctx, publicKey)
-	if err != nil {
-		return err
+func verifyEnvelope(ctx context.Context, e *dsse.Envelope, opts *WorkflowRunDescribeOpts) error {
+	if opts.PublicKeyRef == "" && opts.CertPath == "" {
+		return fmt.Errorf("no public key or cert path specified")
+	}
+
+	var verifier signature.Verifier
+	var err error
+	if opts.PublicKeyRef != "" {
+		verifier, err = sigs.PublicKeyFromKeyRef(ctx, opts.PublicKeyRef)
+		if err != nil {
+			return fmt.Errorf("invalid public key: %w", err)
+		}
+	}
+
+	if opts.CertPath != "" {
+		// Load cert from PEM
+		certs, err := loadCertificates(opts.CertPath)
+		if err != nil {
+			return fmt.Errorf("loading certificate: %w", err)
+		}
+
+		var chain []*x509.Certificate
+		if opts.CertChainPath != "" {
+			chain, err = loadCertificates(opts.CertChainPath)
+			if err != nil {
+				return fmt.Errorf("loading certificate chain: %w", err)
+			}
+		}
+
+		verifier, err = cosign.ValidateAndUnpackCertWithChain(certs[0], chain, &cosign.CheckOpts{IgnoreSCT: true})
+		if err != nil {
+			return fmt.Errorf("validating the certificate: %w", err)
+		}
 	}
 
 	dsseVerifier, err := dsse.NewEnvelopeVerifier(&sigdsee.VerifierAdapter{SignatureVerifier: verifier})
 	if err != nil {
-		return err
+		return fmt.Errorf("creating DSSE verifier: %w", err)
 	}
 
 	_, err = dsseVerifier.Verify(ctx, e)
 	return err
 }
+
+func loadCertificates(certPath string) ([]*x509.Certificate, error) {
+	cert, err := blob.LoadFileOrURL(certPath)
+	if err != nil {
+		return nil, fmt.Errorf("loading certificate: %w", err)
+	}
+	certs, err := cryptoutils.LoadCertificatesFromPEM(bytes.NewReader(cert))
+	if err != nil {
+		return nil, fmt.Errorf("loading certificates: %w", err)
+	}
+
+	return certs, nil
+}

app/cli/internal/action/workflow_run_describe_test.go

@@ -0,0 +1,75 @@
+//
+// Copyright 2024 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package action
+
+import (
+	"context"
+	"encoding/json"
+	"os"
+	"testing"
+
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+	"github.com/stretchr/testify/suite"
+)
+
+type WorkflowRunDescribeTestSuite struct {
+	suite.Suite
+}
+
+func TestWorkflowRunDescribe(t *testing.T) {
+	suite.Run(t, new(WorkflowRunDescribeTestSuite))
+}
+
+func (s *WorkflowRunDescribeTestSuite) SetupTest() {
+
+}
+
+func (s *WorkflowRunDescribeTestSuite) TestVerifyEnvelope() {
+	s.Run("fails if no key or cert is provided", func() {
+		err := verifyEnvelope(context.TODO(), nil, &WorkflowRunDescribeOpts{})
+		s.Error(err, "no public key or cert path specified")
+	})
+
+	s.Run("verifies when signed with cosign", func() {
+		envelope, err := readEnvelope("testdata/cosign-attestation.json")
+		s.Require().NoError(err)
+		err = verifyEnvelope(context.TODO(), envelope, &WorkflowRunDescribeOpts{PublicKeyRef: "testdata/cosign.pub"})
+		s.NoError(err)
+	})
+
+	s.Run("verifies when signed with certificate", func() {
+		envelope, err := readEnvelope("testdata/cert-attestation.json")
+		s.Require().NoError(err)
+		err = verifyEnvelope(context.TODO(), envelope, &WorkflowRunDescribeOpts{
+			CertPath:      "testdata/cert.pem",
+			CertChainPath: "testdata/ca.pub",
+		})
+		s.NoError(err)
+	})
+}
+
+func readEnvelope(path string) (*dsse.Envelope, error) {
+	f, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	var envelope dsse.Envelope
+	err = json.Unmarshal(f, &envelope)
+	if err != nil {
+		return nil, err
+	}
+	return &envelope, nil
+}