From 22efb53dcbe98a8ff14d7deff973edceec17ca6e Mon Sep 17 00:00:00 2001
From: RJ Trujillo
Date: Mon, 18 Dec 2023 18:07:43 -0700
Subject: [PATCH] feat(verify): Support verification against certificates
---
 verify/action.yml | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/verify/action.yml b/verify/action.yml
index cdadc27..a79c3db 100644
--- a/verify/action.yml
+++ b/verify/action.yml
@@ -2,12 +2,18 @@ name: 'Cosign Action - Verify'
 author: 'EyeCantCU'
 description: 'Verifies target container'
 inputs:
+ cert-identity:
+ description: 'The identity certificate'
+ required: false
 container:
 description: 'Path to target container to verify'
 required: true
 pubkey:
 description: 'Public key used by target container'
- required: true
+ required: false
+ oidc-issuer:
+ description: 'The certificate OIDC issuer'
+ required: false
 runs:
 using: "composite"
 steps:
@@ -23,6 +29,13 @@ runs:
 - name: Verify container
 shell: bash
- run: cosign verify --key ${{ inputs.pubkey }} ${{ steps.container_case.outputs.lowercase }}
+ run: |
+ if [[ -n "${{ inputs.pubkey }}" ]]; then
+ cosign verify --key ${{ inputs.pubkey }} ${{ steps.container_case.outputs.lowercase }}
+ elif [[ -n "${{ inputs.cert-identity }}" && -n "${{ inputs.oidc-issuer }}" ]]; then
+ cosign verify ${{ inputs.container }} --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }}
+ else
+ exit 1
+ fi
 env:
 COSIGN_EXPERIMENTAL: false
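Review bot: The description of the new `cert-identity` input is misleading: the value is passed to `--certificate-identity`, so it is the expected identity (the SAN the signing certificate must carry), not a certificate itself, and a caller reading 'The identity certificate' may try to supply PEM data. The inputs also do not say that `pubkey` is now optional only because the keyless pair replaces it, while the three `required: false` lines leave that contract implicit. I would change the two descriptions to `description: 'Expected certificate identity (SAN) for keyless verification; use together with oidc-issuer instead of pubkey'` and `description: 'Expected OIDC issuer of the signing certificate; required when cert-identity is set'`, and extend the pubkey description with `(omit to verify keyless with cert-identity and oidc-issuer)`. The `inputs:` mapping continues past the hunk, so any further inputs are out of view.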
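Review bot: The new `run:` block interpolates `${{ inputs.pubkey }}`, `${{ inputs.cert-identity }}` and `${{ inputs.oidc-issuer }}` straight into the shell script, so an input value containing shell metacharacters is substituted before bash parses the script and can alter the command or break the `[[ -n "..." ]]` tests; the usual mitigation is to pass the inputs through `env:` and reference them as quoted shell variables. Two further points in the same lines: the keyless branch verifies `${{ inputs.container }}` while the key branch verifies `${{ steps.container_case.outputs.lowercase }}`, and since that step (outside the hunk) presumably lower-cases the reference for registries that reject mixed case, the keyless path should use the same output; and the `else` branch exits 1 with no message, so a caller who set only one of the two keyless inputs gets an unexplained failure. I would also confirm which cosign major version the action expects, because keyless verification on cosign 1.x required `COSIGN_EXPERIMENTAL` to be enabled and the step keeps `COSIGN_EXPERIMENTAL: false`. The rewrite below moves the inputs into `env:` and reports the missing-input case; the surrounding step definition starts before the hunk.
```yaml
      run: |
        if [[ -n "$PUBKEY" ]]; then
          cosign verify --key "$PUBKEY" "$CONTAINER"
        elif [[ -n "$CERT_IDENTITY" && -n "$OIDC_ISSUER" ]]; then
          cosign verify "$CONTAINER" --certificate-identity="$CERT_IDENTITY" --certificate-oidc-issuer="$OIDC_ISSUER"
        else
          echo "verify: set pubkey, or both cert-identity and oidc-issuer" >&2
          exit 1
        fi
      env:
        COSIGN_EXPERIMENTAL: false
        PUBKEY: ${{ inputs.pubkey }}
        CERT_IDENTITY: ${{ inputs.cert-identity }}
        OIDC_ISSUER: ${{ inputs.oidc-issuer }}
        CONTAINER: ${{ steps.container_case.outputs.lowercase }}
```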