Fixing CA Path Flag to be used and adding policy timestamp server flag

cmd/verify.go

@@ -17,6 +17,7 @@ package cmd
 import (
 	"context"
 	"crypto"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"os"
@@ -26,6 +27,7 @@ import (
 	"github.com/in-toto/go-witness/cryptoutil"
 	"github.com/in-toto/go-witness/log"
 	"github.com/in-toto/go-witness/source"
+	"github.com/in-toto/go-witness/timestamp"
 	archivista_client "github.com/in-toto/witness/internal/archivista"
 	"github.com/in-toto/witness/internal/policy"
 	"github.com/in-toto/witness/options"
@@ -46,6 +48,10 @@ func VerifyCmd() *cobra.Command {
 		SilenceUsage:      true,
 		DisableAutoGenTag: true,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if cmd.Flags().Lookup("policy-ca").Changed {
+				log.Warn("The flag `--policy-ca` is deprecated and will be removed in a future release. Please use `--policy-ca-root` and `--policy-ca-intermediate` instead.")
+			}
+
 			verifiers, err := loadVerifiers(cmd.Context(), vo.VerifierOptions, vo.KMSVerifierProviderOptions, providersFromFlags("verifier", cmd.Flags()))
 			if err != nil {
 				return fmt.Errorf("failed to load signer: %w", err)
@@ -76,7 +82,7 @@ func runVerify(ctx context.Context, vo options.VerifyOptions, verifiers ...crypt
 		collectionSource = source.NewMultiSource(collectionSource, source.NewArchvistSource(archivistaClient))
 	}
 
-	if vo.KeyPath == "" && len(vo.CAPaths) == 0 && len(verifiers) == 0 {
+	if vo.KeyPath == "" && len(vo.PolicyCARootPaths) == 0 && len(verifiers) == 0 {
 		return fmt.Errorf("must supply either a public key, CA certificates or a verifier")
 	}
 
@@ -99,6 +105,57 @@ func runVerify(ctx context.Context, vo options.VerifyOptions, verifiers ...crypt
 		verifiers = append(verifiers, v)
 	}
 
+	var policyRoots []*x509.Certificate
+	if len(vo.PolicyCARootPaths) > 0 {
+		for _, caPath := range vo.PolicyCARootPaths {
+			caFile, err := os.ReadFile(caPath)
+			if err != nil {
+				return fmt.Errorf("failed to read root CA certificate file: %w", err)
+			}
+
+			cert, err := cryptoutil.TryParseCertificate(caFile)
+			if err != nil {
+				return fmt.Errorf("failed to parse root CA certificate: %w", err)
+			}
+
+			policyRoots = append(policyRoots, cert)
+		}
+	}
+
+	var policyIntermediates []*x509.Certificate
+	if len(vo.PolicyCAIntermediatePaths) > 0 {
+		for _, caPath := range vo.PolicyCAIntermediatePaths {
+			caFile, err := os.ReadFile(caPath)
+			if err != nil {
+				return fmt.Errorf("failed to read intermediate CA certificate file: %w", err)
+			}
+
+			cert, err := cryptoutil.TryParseCertificate(caFile)
+			if err != nil {
+				return fmt.Errorf("failed to parse intermediate CA certificate: %w", err)
+			}
+
+			policyRoots = append(policyIntermediates, cert)
+		}
+	}
+
+	ptsVerifiers := make([]timestamp.TimestampVerifier, 0)
+	if len(vo.PolicyTimestampServers) > 0 {
+		for _, server := range vo.PolicyTimestampServers {
+			f, err := os.ReadFile(server)
+			if err != nil {
+				return fmt.Errorf("failed to open Timestamp Server CA certificate file: %w", err)
+			}
+
+			cert, err := cryptoutil.TryParseCertificate(f)
+			if err != nil {
+				return fmt.Errorf("failed to parse Timestamp Server CA certificate: %w", err)
+			}
+
+			ptsVerifiers = append(ptsVerifiers, timestamp.NewVerifier(timestamp.VerifyWithCerts([]*x509.Certificate{cert})))
+		}
+	}
+
 	policyEnvelope, err := policy.LoadPolicy(ctx, vo.PolicyFilePath, archivista_client.NewArchivistaClient(vo.ArchivistaOptions.Url, archivistaClient))
 	if err != nil {
 		return fmt.Errorf("failed to open policy file: %w", err)
@@ -134,6 +191,11 @@ func runVerify(ctx context.Context, vo options.VerifyOptions, verifiers ...crypt
 		verifiers,
 		witness.VerifyWithSubjectDigests(subjects),
 		witness.VerifyWithCollectionSource(collectionSource),
+		witness.VerifyWithPolicyTimestampAuthorities(ptsVerifiers),
+		witness.VerifyWithPolicyCARoots(policyRoots),
+		witness.VerifyWithPolicyCAIntermediates(policyIntermediates),
+		witness.VerifyWithPolicyCertConstraints(vo.PolicyCommonName, vo.PolicyDNSNames, vo.PolicyEmails, vo.PolicyOrganizations, vo.PolicyURIs),
+		witness.VerifyWithPolicyFulcioCertExtensions(vo.PolicyFulcioCertExtensions),
 	)
 	if err != nil {
 		if verifiedEvidence.StepResults != nil {

cmd/verify_test.go

@@ -40,6 +40,69 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+func TestVerifyPolicyWithFulcio(t *testing.T) {
+	workingDir := t.TempDir()
+	cwd, err := os.Getwd()
+	if err != nil {
+		panic(err)
+	}
+
+	err = os.WriteFile(filepath.Join(workingDir, "fulcio.pem"), []byte(fulciopem), 0644)
+	if err != nil {
+		panic(err)
+	}
+
+	err = os.WriteFile(filepath.Join(workingDir, "freetsa.pem"), []byte(freetsapem), 0644)
+	if err != nil {
+		panic(err)
+	}
+
+	vo := options.VerifyOptions{
+		PolicyFilePath:         filepath.Join(cwd, "../test/fulcio-policy-signed.json"),
+		PolicyTimestampServers: []string{filepath.Join(workingDir, "freetsa.pem")},
+		PolicyCARootPaths:      []string{filepath.Join(workingDir, "fulcio.pem")},
+		AttestationFilePaths:   []string{filepath.Join(cwd, "../test/test.json")},
+		ArtifactFilePath:       filepath.Join(cwd, "../test/test.txt"),
+		PolicyCommonName:       "*",
+		PolicyURIs:             []string{"*"},
+		PolicyDNSNames:         []string{"*"},
+		PolicyEmails:           []string{"*"},
+		PolicyOrganizations:    []string{"*"},
+	}
+
+	require.NoError(t, runVerify(context.Background(), vo))
+}
+
+// Same test but deliberately missing the CA file path for verifying the policy
+func TestVerifyPolicyWrongCAFile(t *testing.T) {
+	workingDir := t.TempDir()
+	cwd, err := os.Getwd()
+	if err != nil {
+		panic(err)
+	}
+
+	// we're going to write the wrong CA file here to ensure that it fails
+	err = os.WriteFile(filepath.Join(workingDir, "badca.pem"), []byte(freetsapem), 0644)
+	if err != nil {
+		panic(err)
+	}
+
+	err = os.WriteFile(filepath.Join(workingDir, "freetsa.pem"), []byte(freetsapem), 0644)
+	if err != nil {
+		panic(err)
+	}
+
+	vo := options.VerifyOptions{
+		PolicyFilePath:         filepath.Join(cwd, "../test/fulcio-policy-signed.json"),
+		PolicyTimestampServers: []string{filepath.Join(workingDir, "freetsa.pem")},
+		PolicyCARootPaths:      []string{filepath.Join(workingDir, "badca.pem")},
+		AttestationFilePaths:   []string{filepath.Join(cwd, "../test/test.json")},
+		ArtifactFilePath:       filepath.Join(cwd, "../test/test.txt"),
+	}
+
+	require.ErrorContains(t, runVerify(context.Background(), vo), "failed to verify policy: attestors failed with error messages\nfailed to verify policy signature: could not verify policy: no valid signatures for the provided verifiers found for keyids:\n")
+}
+
 func TestRunVerifyCA(t *testing.T) {
 	ca, intermediates, leafcert, leafkey := fullChain(t)
 
@@ -355,3 +418,65 @@ func createTestRSAKey() (cryptoutil.Signer, cryptoutil.Verifier, []byte, []byte,
 
 	return signer, verifier, pemBytes, privKeyBytes, nil
 }
+
+const (
+	fulciopem = `-----BEGIN CERTIFICATE-----
+MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMw
+KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y
+MTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3Jl
+LmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7
+XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxex
+X69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92j
+YzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRY
+wB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQ
+KsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCM
+WP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9
+TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ
+-----END CERTIFICATE-----
+`
+	freetsapem = `-----BEGIN CERTIFICATE-----
+MIIH/zCCBeegAwIBAgIJAMHphhYNqOmAMA0GCSqGSIb3DQEBDQUAMIGVMREwDwYD
+VQQKEwhGcmVlIFRTQTEQMA4GA1UECxMHUm9vdCBDQTEYMBYGA1UEAxMPd3d3LmZy
+ZWV0c2Eub3JnMSIwIAYJKoZIhvcNAQkBFhNidXNpbGV6YXNAZ21haWwuY29tMRIw
+EAYDVQQHEwlXdWVyemJ1cmcxDzANBgNVBAgTBkJheWVybjELMAkGA1UEBhMCREUw
+HhcNMTYwMzEzMDE1MjEzWhcNNDEwMzA3MDE1MjEzWjCBlTERMA8GA1UEChMIRnJl
+ZSBUU0ExEDAOBgNVBAsTB1Jvb3QgQ0ExGDAWBgNVBAMTD3d3dy5mcmVldHNhLm9y
+ZzEiMCAGCSqGSIb3DQEJARYTYnVzaWxlemFzQGdtYWlsLmNvbTESMBAGA1UEBxMJ
+V3VlcnpidXJnMQ8wDQYDVQQIEwZCYXllcm4xCzAJBgNVBAYTAkRFMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtgKODjAy8REQ2WTNqUudAnjhlCrpE6ql
+mQfNppeTmVvZrH4zutn+NwTaHAGpjSGv4/WRpZ1wZ3BRZ5mPUBZyLgq0YrIfQ5Fx
+0s/MRZPzc1r3lKWrMR9sAQx4mN4z11xFEO529L0dFJjPF9MD8Gpd2feWzGyptlel
+b+PqT+++fOa2oY0+NaMM7l/xcNHPOaMz0/2olk0i22hbKeVhvokPCqhFhzsuhKsm
+q4Of/o+t6dI7sx5h0nPMm4gGSRhfq+z6BTRgCrqQG2FOLoVFgt6iIm/BnNffUr7V
+DYd3zZmIwFOj/H3DKHoGik/xK3E82YA2ZulVOFRW/zj4ApjPa5OFbpIkd0pmzxzd
+EcL479hSA9dFiyVmSxPtY5ze1P+BE9bMU1PScpRzw8MHFXxyKqW13Qv7LWw4sbk3
+SciB7GACbQiVGzgkvXG6y85HOuvWNvC5GLSiyP9GlPB0V68tbxz4JVTRdw/Xn/XT
+FNzRBM3cq8lBOAVt/PAX5+uFcv1S9wFE8YjaBfWCP1jdBil+c4e+0tdywT2oJmYB
+BF/kEt1wmGwMmHunNEuQNzh1FtJY54hbUfiWi38mASE7xMtMhfj/C4SvapiDN837
+gYaPfs8x3KZxbX7C3YAsFnJinlwAUss1fdKar8Q/YVs7H/nU4c4Ixxxz4f67fcVq
+M2ITKentbCMCAwEAAaOCAk4wggJKMAwGA1UdEwQFMAMBAf8wDgYDVR0PAQH/BAQD
+AgHGMB0GA1UdDgQWBBT6VQ2MNGZRQ0z357OnbJWveuaklzCBygYDVR0jBIHCMIG/
+gBT6VQ2MNGZRQ0z357OnbJWveuakl6GBm6SBmDCBlTERMA8GA1UEChMIRnJlZSBU
+U0ExEDAOBgNVBAsTB1Jvb3QgQ0ExGDAWBgNVBAMTD3d3dy5mcmVldHNhLm9yZzEi
+MCAGCSqGSIb3DQEJARYTYnVzaWxlemFzQGdtYWlsLmNvbTESMBAGA1UEBxMJV3Vl
+cnpidXJnMQ8wDQYDVQQIEwZCYXllcm4xCzAJBgNVBAYTAkRFggkAwemGFg2o6YAw
+MwYDVR0fBCwwKjAooCagJIYiaHR0cDovL3d3dy5mcmVldHNhLm9yZy9yb290X2Nh
+LmNybDCBzwYDVR0gBIHHMIHEMIHBBgorBgEEAYHyJAEBMIGyMDMGCCsGAQUFBwIB
+FidodHRwOi8vd3d3LmZyZWV0c2Eub3JnL2ZyZWV0c2FfY3BzLmh0bWwwMgYIKwYB
+BQUHAgEWJmh0dHA6Ly93d3cuZnJlZXRzYS5vcmcvZnJlZXRzYV9jcHMucGRmMEcG
+CCsGAQUFBwICMDsaOUZyZWVUU0EgdHJ1c3RlZCB0aW1lc3RhbXBpbmcgU29mdHdh
+cmUgYXMgYSBTZXJ2aWNlIChTYWFTKTA3BggrBgEFBQcBAQQrMCkwJwYIKwYBBQUH
+MAGGG2h0dHA6Ly93d3cuZnJlZXRzYS5vcmc6MjU2MDANBgkqhkiG9w0BAQ0FAAOC
+AgEAaK9+v5OFYu9M6ztYC+L69sw1omdyli89lZAfpWMMh9CRmJhM6KBqM/ipwoLt
+nxyxGsbCPhcQjuTvzm+ylN6VwTMmIlVyVSLKYZcdSjt/eCUN+41K7sD7GVmxZBAF
+ILnBDmTGJmLkrU0KuuIpj8lI/E6Z6NnmuP2+RAQSHsfBQi6sssnXMo4HOW5gtPO7
+gDrUpVXID++1P4XndkoKn7Svw5n0zS9fv1hxBcYIHPPQUze2u30bAQt0n0iIyRLz
+aWuhtpAtd7ffwEbASgzB7E+NGF4tpV37e8KiA2xiGSRqT5ndu28fgpOY87gD3ArZ
+DctZvvTCfHdAS5kEO3gnGGeZEVLDmfEsv8TGJa3AljVa5E40IQDsUXpQLi8G+UC4
+1DWZu8EVT4rnYaCw1VX7ShOR1PNCCvjb8S8tfdudd9zhU3gEB0rxdeTy1tVbNLXW
+99y90xcwr1ZIDUwM/xQ/noO8FRhm0LoPC73Ef+J4ZBdrvWwauF3zJe33d4ibxEcb
+8/pz5WzFkeixYM2nsHhqHsBKw7JPouKNXRnl5IAE1eFmqDyC7G/VT7OF669xM6hb
+Ut5G21JE4cNK6NNucS+fzg1JPX0+3VhsYZjj7D5uljRvQXrJ8iHgr/M6j2oLHvTA
+I2MLdq2qjZFDOCXsxBxJpbmLGBx9ow6ZerlUxzws2AWv2pk=
+-----END CERTIFICATE-----`
+)

docs/commands.md

@@ -170,24 +170,38 @@ witness verify [flags]
 ### Options
 
 ```
-      --archivista-server string                   URL of the Archivista server to store or retrieve attestations (default "https://archivista.testifysec.io")
-  -f, --artifactfile string                        Path to the artifact to verify
-  -a, --attestations strings                       Attestation files to test against the policy
-      --enable-archivista                          Use Archivista to store or retrieve attestations
-  -h, --help                                       help for verify
-  -p, --policy string                              Path to the policy to verify
-      --policy-ca strings                          Paths to CA certificates to use for verifying the policy
-  -k, --publickey string                           Path to the policy signer's public key
-  -s, --subjects strings                           Additional subjects to lookup attestations
-      --verifier-kms-aws-config-file string        The shared configuration file to use with the AWS KMS signer provider
-      --verifier-kms-aws-credentials-file string   The shared credentials file to use with the AWS KMS signer provider
-      --verifier-kms-aws-insecure-skip-verify      Skip verification of the server's certificate chain and host name
-      --verifier-kms-aws-profile string            The shared configuration profile to use with the AWS KMS signer provider
-      --verifier-kms-aws-remote-verify             verify signature using AWS KMS remote verification. If false, the public key will be pulled from AWS KMS and verification will take place locally (default true)
-      --verifier-kms-gcp-credentials-file string   The credentials file to use with the GCP KMS signer provider
-      --verifier-kms-hashType string               The hash type used for verifying (default "sha256")
-      --verifier-kms-keyVersion string             The key version to use for signing
-      --verifier-kms-ref string                    The KMS Reference URI to use for connecting to the KMS service
+      --archivista-server string                            URL of the Archivista server to store or retrieve attestations (default "https://archivista.testifysec.io")
+  -f, --artifactfile string                                 Path to the artifact to verify
+  -a, --attestations strings                                Attestation files to test against the policy
+      --enable-archivista                                   Use Archivista to store or retrieve attestations
+  -h, --help                                                help for verify
+  -p, --policy string                                       Path to the policy to verify
+      --policy-ca strings                                   Paths to CA certificates to use for verifying the policy (deprecated: use --policy-ca-roots instead)
+      --policy-ca-intermediates strings                     Paths to CA intermediate certificates to use for verifying a policy signed with x.509
+      --policy-ca-roots strings                             Paths to CA root certificates to use for verifying a policy signed with x.509
+      --policy-commonname string                            The common name to use when verifying a policy signed with x.509 (default "*")
+      --policy-dns-names strings                            The DNS names to use when verifying a policy signed with x.509 (default [*])
+      --policy-emails strings                               The DNS names to use when verifying a policy signed with x.509 (default [*])
+      --policy-fulcio-build-trigger string                  Event or action that initiated the build.
+      --policy-fulcio-oidc-issuer string                    The OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows.
+      --policy-fulcio-run-invocation-uri string             Run Invocation URL to uniquely identify the build execution.
+      --policy-fulcio-source-repository-digest string       Immutable reference to a specific version of the source code that the build was based upon.
+      --policy-fulcio-source-repository-identifier string   Immutable identifier for the source repository the workflow was based upon.
+      --policy-fulcio-source-repository-ref string          Source Repository Ref that the build run was based upon.
+      --policy-organizations strings                        The organizations to use when verifying a policy signed with x.509 (default [*])
+      --policy-timestamp-servers strings                    Paths to the CA certificates for Timestamp Authority Servers to use when verifying policy signed with x.509
+      --policy-uris strings                                 The URIs to use when verifying a policy signed with x.509 (default [*])
+  -k, --publickey string                                    Path to the policy signer's public key
+  -s, --subjects strings                                    Additional subjects to lookup attestations
+      --verifier-kms-aws-config-file string                 The shared configuration file to use with the AWS KMS signer provider
+      --verifier-kms-aws-credentials-file string            The shared credentials file to use with the AWS KMS signer provider
+      --verifier-kms-aws-insecure-skip-verify               Skip verification of the server's certificate chain and host name
+      --verifier-kms-aws-profile string                     The shared configuration profile to use with the AWS KMS signer provider
+      --verifier-kms-aws-remote-verify                      verify signature using AWS KMS remote verification. If false, the public key will be pulled from AWS KMS and verification will take place locally (default true)
+      --verifier-kms-gcp-credentials-file string            The credentials file to use with the GCP KMS signer provider
+      --verifier-kms-hashType string                        The hash type used for verifying (default "sha256")
+      --verifier-kms-keyVersion string                      The key version to use for signing
+      --verifier-kms-ref string                             The KMS Reference URI to use for connecting to the KMS service
 ```
 
 ### Options inherited from parent commands

go.mod

@@ -5,8 +5,9 @@ go 1.22.0
 toolchain go1.22.2
 
 require (
-	github.com/in-toto/go-witness v0.3.2-0.20240510181827-f346f85d8c53
+	github.com/in-toto/go-witness v0.3.2-0.20240514141512-777497a51359
 	github.com/olekukonko/tablewriter v0.0.5
+	github.com/sigstore/fulcio v1.4.5
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
@@ -40,18 +41,18 @@ require (
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/aws/aws-sdk-go v1.50.38 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.26.1 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.27.11 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.11 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.13 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.13 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kms v1.31.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.31.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.20.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.7 // indirect
 	github.com/aws/smithy-go v1.20.2 // indirect
 	github.com/bahlo/generic-list-go v0.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
@@ -89,7 +90,7 @@ require (
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-3 // indirect
 	github.com/in-toto/archivista v0.4.0 // indirect
-	github.com/in-toto/attestation v1.0.1 // indirect
+	github.com/in-toto/attestation v1.0.2 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/invopop/jsonschema v0.12.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
@@ -120,7 +121,6 @@ require (
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
 	github.com/sergi/go-diff v1.3.1 // indirect
-	github.com/sigstore/fulcio v1.4.5 // indirect
 	github.com/sigstore/sigstore v1.8.3 // indirect
 	github.com/skeema/knownhosts v1.2.1 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
@@ -159,7 +159,7 @@ require (
 	google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 // indirect
 	google.golang.org/grpc v1.63.2 // indirect
-	google.golang.org/protobuf v1.34.0 // indirect
+	google.golang.org/protobuf v1.34.1 // indirect
 	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect