feat(verify): package verify command support (#4325)

Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>

Author: brandtkeller

site/src/content/docs/commands/zarf_package.md

@@ -42,4 +42,5 @@ Zarf package commands for creating, deploying, and inspecting packages
 * [zarf package pull](/commands/zarf_package_pull/)	 - Pulls a Zarf package from a remote registry and save to the local file system
 * [zarf package remove](/commands/zarf_package_remove/)	 - Removes a Zarf package that has been deployed already (runs offline)
 * [zarf package sign](/commands/zarf_package_sign/)	 - Signs an existing Zarf package
+* [zarf package verify](/commands/zarf_package_verify/)	 - Verify the signature and integrity of a Zarf package
 

site/src/content/docs/commands/zarf_package_verify.md

@@ -0,0 +1,58 @@
+---
+title: zarf package verify
+description: Zarf CLI command reference for <code>zarf package verify</code>.
+tableOfContents: false
+---
+
+<!-- Page generated by Zarf; DO NOT EDIT -->
+
+## zarf package verify
+
+Verify the signature and integrity of a Zarf package
+
+### Synopsis
+
+Verify the cryptographic signature (if signed) and checksum integrity of a Zarf package. Returns exit code 0 if valid, non-zero if verification fails.
+
+```
+zarf package verify PACKAGE_SOURCE [flags]
+```
+
+### Examples
+
+```
+
+# Verify a signed package
+$ zarf package verify zarf-package-demo-amd64-1.0.0.tar.zst --key ./public-key.pub
+
+# Verify an unsigned package (checksums only)
+$ zarf package verify zarf-package-demo-amd64-1.0.0.tar.zst
+
+```
+
+### Options
+
+```
+  -h, --help                  help for verify
+  -k, --key string            Public key for signature verification
+      --oci-concurrency int   Number of concurrent layer operations when pulling or pushing images or packages to/from OCI registries. (default 6)
+```
+
+### Options inherited from parent commands
+
+```
+  -a, --architecture string        Architecture for OCI images and Zarf packages
+      --features stringToString    [ALPHA] Provide a comma-separated list of feature names to bools to enable or disable. Ex. --features "foo=true,bar=false,baz=true" (default [])
+      --insecure-skip-tls-verify   Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
+      --log-format string          Select a logging format. Defaults to 'console'. Valid options are: 'console', 'json', 'dev'. (default "console")
+  -l, --log-level string           Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info")
+      --no-color                   Disable terminal color codes in logging and stdout prints.
+      --plain-http                 Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
+      --tmpdir string              Specify the temporary directory to use for intermediate files
+      --zarf-cache string          Specify the location of the Zarf cache directory (default "~/.zarf-cache")
+```
+
+### SEE ALSO
+
+* [zarf package](/commands/zarf_package/)	 - Zarf package commands for creating, deploying, and inspecting packages
+

src/cmd/package.go

@@ -61,6 +61,7 @@ func newPackageCommand() *cobra.Command {
 	cmd.AddCommand(newPackagePublishCommand(v))
 	cmd.AddCommand(newPackagePullCommand(v))
 	cmd.AddCommand(newPackageSignCommand(v))
+	cmd.AddCommand(newPackageVerifyCommand(v))
 
 	return cmd
 }
@@ -1730,6 +1731,99 @@ func (o *packageSignOptions) run(cmd *cobra.Command, args []string) error {
 	return nil
 }
 
+type packageVerifyOptions struct {
+	publicKeyPath  string
+	ociConcurrency int
+}
+
+func newPackageVerifyCommand(v *viper.Viper) *cobra.Command {
+	o := &packageVerifyOptions{}
+
+	cmd := &cobra.Command{
+		Use:     "verify PACKAGE_SOURCE",
+		Aliases: []string{"v"},
+		Args:    cobra.ExactArgs(1),
+		Short:   lang.CmdPackageVerifyShort,
+		Long:    lang.CmdPackageVerifyLong,
+		Example: lang.CmdPackageVerifyExample,
+		RunE:    o.run,
+	}
+
+	cmd.Flags().StringVarP(&o.publicKeyPath, "key", "k", v.GetString(VPkgPublicKey), lang.CmdPackageVerifyFlagKey)
+	cmd.Flags().IntVar(&o.ociConcurrency, "oci-concurrency", v.GetInt(VPkgOCIConcurrency), lang.CmdPackageFlagConcurrency)
+
+	return cmd
+}
+
+func (o *packageVerifyOptions) run(cmd *cobra.Command, args []string) error {
+	ctx := cmd.Context()
+	l := logger.From(ctx)
+	packageSource := args[0]
+
+	l.Info("verifying package", "source", packageSource)
+
+	cachePath, err := getCachePath(ctx)
+	if err != nil {
+		return err
+	}
+
+	// Load the package (validates checksums automatically)
+	// Note: OCI signature validation does not require the whole package
+	loadOpts := packager.LoadOptions{
+		PublicKeyPath:           "",
+		SkipSignatureValidation: true,
+		Filter:                  filters.Empty(),
+		Architecture:            config.GetArch(),
+		OCIConcurrency:          o.ociConcurrency,
+		RemoteOptions:           defaultRemoteOptions(),
+		CachePath:               cachePath,
+		LayersSelector:          zoci.MetadataLayers,
+	}
+
+	pkgLayout, err := packager.LoadPackage(ctx, packageSource, loadOpts)
+	if err != nil {
+		return fmt.Errorf("package verification failed: %w", err)
+	}
+	defer func() {
+		if cleanupErr := pkgLayout.Cleanup(); cleanupErr != nil {
+			l.Warn("failed to cleanup package", "error", cleanupErr)
+		}
+	}()
+
+	// Checksum verification passed (we successfully loaded the package)
+	l.Info("checksum verification", "status", "PASSED")
+
+	isSigned := pkgLayout.IsSigned()
+
+	// Handle signature verification logic
+	if !isSigned && o.publicKeyPath != "" {
+		return errors.New("a key was provided but the package is not signed")
+	}
+
+	if isSigned && o.publicKeyPath == "" {
+		return errors.New("package is signed but no public key was provided (use --key)")
+	}
+
+	if !isSigned && o.publicKeyPath == "" {
+		l.Warn("package is unsigned", "signed", false)
+		l.Info("verification complete", "status", "SUCCESS")
+		return nil
+	}
+
+	// Package is signed and we have a key - verify using VerifyPackageSignature
+	verifyOpts := utils.DefaultVerifyBlobOptions()
+	verifyOpts.KeyRef = o.publicKeyPath
+
+	err = pkgLayout.VerifyPackageSignature(ctx, verifyOpts)
+	if err != nil {
+		return fmt.Errorf("signature verification failed: %w", err)
+	}
+
+	l.Info("signature verification", "status", "PASSED")
+	l.Info("verification complete", "status", "SUCCESS")
+	return nil
+}
+
 func choosePackage(ctx context.Context, args []string) (string, error) {
 	if len(args) > 0 {
 		return args[0], nil

src/config/lang/english.go

@@ -335,6 +335,17 @@ $ zarf package sign zarf-package-demo-amd64-1.0.0.tar.zst --signing-key awskms:/
 	CmdPackageSignFlagOverwrite      = "Overwrite an existing signature if the package is already signed"
 	CmdPackageSignFlagKey            = "Public key to verify the existing signature before re-signing (optional)"
 
+	CmdPackageVerifyShort   = "Verify the signature and integrity of a Zarf package"
+	CmdPackageVerifyLong    = "Verify the cryptographic signature (if signed) and checksum integrity of a Zarf package. Returns exit code 0 if valid, non-zero if verification fails."
+	CmdPackageVerifyExample = `
+# Verify a signed package
+$ zarf package verify zarf-package-demo-amd64-1.0.0.tar.zst --key ./public-key.pub
+
+# Verify an unsigned package (checksums only)
+$ zarf package verify zarf-package-demo-amd64-1.0.0.tar.zst
+`
+	CmdPackageVerifyFlagKey = "Public key for signature verification"
+
 	CmdPackagePullShort   = "Pulls a Zarf package from a remote registry and save to the local file system"
 	CmdPackagePullExample = `
 # Pull a package matching the current architecture

src/pkg/packager/layout/package.go

@@ -16,8 +16,6 @@ import (
 
 	"github.com/defenseunicorns/pkg/helpers/v2"
 	goyaml "github.com/goccy/go-yaml"
-	"github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
-	"github.com/sigstore/cosign/v3/cmd/cosign/cli/verify"
 
 	"github.com/zarf-dev/zarf/src/api/v1alpha1"
 	"github.com/zarf-dev/zarf/src/config"
@@ -92,10 +90,17 @@ func LoadFromDir(ctx context.Context, dirPath string, opts PackageLayoutOptions)
 	if err != nil {
 		return nil, err
 	}
-	err = validatePackageSignature(ctx, pkgLayout, opts.PublicKeyPath, opts.SkipSignatureValidation)
-	if err != nil {
-		return nil, err
+
+	if pkgLayout.IsSigned() && !opts.SkipSignatureValidation {
+		verifyOptions := utils.DefaultVerifyBlobOptions()
+		verifyOptions.KeyRef = opts.PublicKeyPath
+
+		err = pkgLayout.VerifyPackageSignature(ctx, verifyOptions)
+		if err != nil {
+			return nil, err
+		}
 	}
+
 	return pkgLayout, nil
 }
 
@@ -243,6 +248,41 @@ func (p *PackageLayout) SignPackage(ctx context.Context, opts utils.SignBlobOpti
 	return nil
 }
 
+// VerifyPackageSignature verifies the package signature
+func (p *PackageLayout) VerifyPackageSignature(ctx context.Context, opts utils.VerifyBlobOptions) error {
+	l := logger.From(ctx)
+	l.Debug("verifying package signature")
+
+	// Validate package layout state
+	if p.dirPath == "" {
+		return errors.New("invalid package layout: dirPath is empty")
+	}
+	if info, err := os.Stat(p.dirPath); err != nil {
+		return fmt.Errorf("invalid package layout directory: %w", err)
+	} else if !info.IsDir() {
+		return fmt.Errorf("invalid package layout: %s is not a directory", p.dirPath)
+	}
+
+	// Validate that we have a public key
+	// Note: this will later be replaced when verification enhancements are made
+	if opts.KeyRef == "" {
+		return errors.New("package is signed but no key was provided")
+	}
+
+	// Validate that the signature exists
+	signaturePath := filepath.Join(p.dirPath, Signature)
+	if _, err := os.Stat(signaturePath); err != nil {
+		return fmt.Errorf("signature not found: %w", err)
+	}
+
+	// Note: this is the backwards compatible behavior
+	// this will change in the future
+	opts.SigRef = signaturePath
+
+	ZarfYAMLPath := filepath.Join(p.dirPath, ZarfYAML)
+	return utils.CosignVerifyBlobWithOptions(ctx, ZarfYAMLPath, opts)
+}
+
 // IsSigned returns true if the package is signed.
 // It first checks the package metadata (Build.Signed), then falls back to
 // checking for the presence of a signature file for backward compatibility.
@@ -487,38 +527,3 @@ func validatePackageIntegrity(pkgLayout *PackageLayout, isPartial bool) error {
 
 	return nil
 }
-
-func validatePackageSignature(ctx context.Context, pkgLayout *PackageLayout, publicKeyPath string, skipSignatureValidation bool) error {
-	if skipSignatureValidation {
-		return nil
-	}
-
-	signaturePath := filepath.Join(pkgLayout.dirPath, Signature)
-	sigExist := true
-	_, err := os.Stat(signaturePath)
-	if err != nil {
-		sigExist = false
-	}
-	if !sigExist && publicKeyPath == "" {
-		// Nobody was expecting a signature, so we can just return
-		return nil
-	} else if sigExist && publicKeyPath == "" {
-		return errors.New("package is signed but no key was provided")
-	} else if !sigExist && publicKeyPath != "" {
-		return errors.New("a key was provided but the package is not signed")
-	}
-
-	keyOptions := options.KeyOpts{KeyRef: publicKeyPath}
-	cmd := &verify.VerifyBlobCmd{
-		KeyOpts:    keyOptions,
-		SigRef:     signaturePath,
-		IgnoreSCT:  true,
-		Offline:    true,
-		IgnoreTlog: true,
-	}
-	err = cmd.Exec(ctx, filepath.Join(pkgLayout.dirPath, ZarfYAML))
-	if err != nil {
-		return fmt.Errorf("package signature did not match the provided key: %w", err)
-	}
-	return nil
-}