Output unsigned (#31)

Gives us the ability to output the unsigned attestation and sign it using other tooling.

Author: TomHennen

sourcetool/cmd/checklevel.go

@@ -17,8 +17,8 @@ import (
 )
 
 type CheckLevelArgs struct {
-	commit, owner, repo, branch, outputVsa string
-	minDays                                int
+	commit, owner, repo, branch, outputVsa, outputUnsignedVsa string
+	minDays                                                   int
 }
 
 // checklevelCmd represents the checklevel command
@@ -32,12 +32,12 @@ var (
 
 This is meant to be run within the corresponding GitHub Actions workflow.`,
 		Run: func(cmd *cobra.Command, args []string) {
-			doCheckLevel(checkLevelArgs.commit, checkLevelArgs.owner, checkLevelArgs.repo, checkLevelArgs.branch, checkLevelArgs.minDays, checkLevelArgs.outputVsa)
+			doCheckLevel(checkLevelArgs.commit, checkLevelArgs.owner, checkLevelArgs.repo, checkLevelArgs.branch, checkLevelArgs.minDays, checkLevelArgs.outputVsa, checkLevelArgs.outputUnsignedVsa)
 		},
 	}
 )
 
-func doCheckLevel(commit, owner, repo, branch string, minDays int, outputVsa string) {
+func doCheckLevel(commit, owner, repo, branch string, minDays int, outputVsa, outputUnsignedVsa string) {
 	if commit == "" || owner == "" || repo == "" || branch == "" {
 		log.Fatal("Must set commit, owner, repo, and branch flags.")
 	}
@@ -51,6 +51,17 @@ func doCheckLevel(commit, owner, repo, branch string, minDays int, outputVsa str
 	}
 	fmt.Print(sourceLevel)
 
+	if outputUnsignedVsa != "" {
+		unsignedVsa, err := vsa.CreateUnsignedSourceVsa(owner, repo, commit, sourceLevel)
+		if err != nil {
+			log.Fatal(err)
+		}
+		err = os.WriteFile(outputUnsignedVsa, []byte(unsignedVsa), 0644)
+		if err != nil {
+			log.Fatal(err)
+		}
+	}
+
 	if outputVsa != "" {
 		// This will output in the sigstore bundle format.
 		signedVsa, err := vsa.CreateSignedSourceVsa(owner, repo, commit, sourceLevel)
@@ -75,4 +86,5 @@ func init() {
 	checklevelCmd.Flags().StringVar(&checkLevelArgs.branch, "branch", "", "The branch within the repository - required.")
 	checklevelCmd.Flags().IntVar(&checkLevelArgs.minDays, "min_days", 1, "The minimum duration that the rules need to have been enabled for.")
 	checklevelCmd.Flags().StringVar(&checkLevelArgs.outputVsa, "output_vsa", "", "The path to write a signed VSA with the determined level.")
+	checklevelCmd.Flags().StringVar(&checkLevelArgs.outputUnsignedVsa, "output_unsigned_vsa", "", "The path to write an unsigned vsa with the determined level.")
 }

sourcetool/pkg/vsa/vsa.go

@@ -17,7 +17,7 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
-func createUnsignedSourceVsa(owner string, repo string, commit string, sourceLevel string) (string, error) {
+func CreateUnsignedSourceVsa(owner string, repo string, commit string, sourceLevel string) (string, error) {
 	resourceUri := fmt.Sprintf("git+https://github.com/%s/%s", owner, repo)
 	vsaPred := &vpb.VerificationSummary{
 		Verifier: &vpb.VerificationSummary_Verifier{
@@ -106,7 +106,7 @@ func getSigningOpts(oidcToken string) (sign.BundleOptions, error) {
 // NOTE: This is experimental, and definitely not done.  There's no way for folks to verify
 // what this produces.
 func CreateSignedSourceVsa(owner string, repo string, commit string, sourceLevel string) (string, error) {
-	unsignedVsa, err := createUnsignedSourceVsa(owner, repo, commit, sourceLevel)
+	unsignedVsa, err := CreateUnsignedSourceVsa(owner, repo, commit, sourceLevel)
 	if err != nil {
 		return "", err
 	}