Verify the attested measurements of an enclave image with cosign.
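# Repository that publishes the enclave image and its build attestations.
export REPO=tinfoilsh/nitro-enclave-build-demo

# Pull the release artifact (enclave.eif). The tag only locates the file;
# every later step is bound to the SHA-256 of the bytes actually pulled.
oras pull "ghcr.io/$REPO:v0.0.12"

# Digest of the local file, in the "sha256:<hex>" form used in the API path.
DIGEST="sha256:$(sha256sum enclave.eif | cut -d ' ' -f 1)"

# Fetch the attestation bundle recorded for that digest.
#   curl -f : fail on an HTTP error instead of saving the error body
#   jq -e   : exit non-zero when the selected value is null or missing
# Only the first attestation ([0]) is used; any others for the digest are ignored.
# The steps are chained with && so a failed fetch or a failed verification
# stops the sequence before the predicate is printed.
curl -fsSL "https://api.github.com/repos/$REPO/attestations/$DIGEST" |
  jq -er ".attestations[0].bundle" > attestation.jsonl &&

# Verify the bundle against enclave.eif and require that the signing
# certificate was issued to this repository's release workflow by GitHub
# Actions. The dots in the identity pattern are escaped and the pattern
# requires the '@' that separates the workflow path from the ref, so a
# look-alike file name such as "release.ymlX.yml" cannot match.
# NOTE(review): any ref after '@' is still accepted. To restrict which ref may
# have produced the build, extend the pattern (for example with
# "refs/tags/<RELEASE_TAG>$") once the ref the release workflow runs on is
# confirmed.
cosign verify-blob-attestation \
  --new-bundle-format \
  --bundle attestation.jsonl \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp="^https://github\.com/$REPO/\.github/workflows/release\.yml@" \
  enclave.eif &&

# Decode the DSSE payload and print its predicate (presumably the enclave
# measurements; confirm against the predicate type). This output is only
# trustworthy because cosign accepted the bundle in the step above.
jq -r ".dsseEnvelope.payload" attestation.jsonl | base64 -d | jq -r ".predicate"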