chore: verify SLSA token at creation

ianlewis · ianlewis · commit 8ecc37b63090 · 2025-03-19T05:08:11.000Z
Signed-off-by: Ian Lewis &lt;ian@ianlewis.org&gt;
diff --git a/actions/delegator/setup-generic/dist/index.js b/actions/delegator/setup-generic/dist/index.js
@@ -172,8 +172,7 @@ function run() {
             const bundle = yield (0, sigstore_1.sign)(Buffer.from(unsignedB64Token));
             // Verify just to double check.
             // NOTE: this is an offline verification.
-            // TODO(#1668): re-enable verification.
-            // await sigstore.verify(bundle, Buffer.from(unsignedB64Token));
+            yield (0, sigstore_1.verify)(bundle, Buffer.from(unsignedB64Token));
             const bundleStr = JSON.stringify(bundle);
             const bundleB64 = Buffer.from(bundleStr).toString("base64");
             core.info(`bundleStr: ${bundleStr}`);
diff --git a/actions/delegator/setup-generic/dist/index.js.map b/actions/delegator/setup-generic/dist/index.js.map
diff --git a/actions/delegator/setup-generic/src/main.ts b/actions/delegator/setup-generic/src/main.ts
@@ -14,7 +14,7 @@ limitations under the License.
 import * as github from "@actions/github";
 import * as core from "@actions/core";
 import * as process from "process";
-import { sign } from "sigstore";
+import { sign, verify } from "sigstore";
 import * as tscommon from "tscommon";
 
 async function run(): Promise<void> {
@@ -132,8 +132,7 @@ async function run(): Promise<void> {
 
     // Verify just to double check.
     // NOTE: this is an offline verification.
-    // TODO(#1668): re-enable verification.
-    // await sigstore.verify(bundle, Buffer.from(unsignedB64Token));
+    await verify(bundle, Buffer.from(unsignedB64Token));
     const bundleStr = JSON.stringify(bundle);
 
     const bundleB64 = Buffer.from(bundleStr).toString("base64");
