up

scripts/attest/build-attestation-bundle.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# DEVOPS-ATTEST-74-002: package attestation outputs into an offline bundle with checksums.
+
+if [[ $# -lt 1 ]]; then
+  echo "Usage: $0 <attest-dir> [bundle-out]" >&2
+  exit 64
+fi
+
+ATTEST_DIR=$1
+BUNDLE_OUT=${2:-"out/attest-bundles"}
+
+if [[ ! -d "$ATTEST_DIR" ]]; then
+  echo "[attest-bundle] attestation directory not found: $ATTEST_DIR" >&2
+  exit 66
+fi
+
+mkdir -p "$BUNDLE_OUT"
+
+TS=$(date -u +"%Y%m%dT%H%M%SZ")
+BUNDLE_NAME="attestation-bundle-${TS}"
+WORK_DIR="${BUNDLE_OUT}/${BUNDLE_NAME}"
+mkdir -p "$WORK_DIR"
+
+copy_if_exists() {
+  local pattern="$1"
+  shopt -s nullglob
+  local files=("$ATTEST_DIR"/$pattern)
+  if (( ${#files[@]} > 0 )); then
+    cp "${files[@]}" "$WORK_DIR/"
+  fi
+  shopt -u nullglob
+}
+
+# Collect common attestation artefacts
+copy_if_exists "*.dsse.json"
+copy_if_exists "*.in-toto.jsonl"
+copy_if_exists "*.sarif"
+copy_if_exists "*.intoto.json"
+copy_if_exists "*.rekor.txt"
+copy_if_exists "*.sig"
+copy_if_exists "*.crt"
+copy_if_exists "*.pem"
+copy_if_exists "*.json"
+
+# Manifest
+cat > "${WORK_DIR}/manifest.json" <<EOF
+{
+  "created_at": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")",
+  "source_dir": "${ATTEST_DIR}",
+  "files": $(ls -1 "${WORK_DIR}" | jq -R . | jq -s .)
+}
+EOF
+
+# Checksums
+(
+  cd "$WORK_DIR"
+  sha256sum * > SHA256SUMS
+)
+
+tar -C "$BUNDLE_OUT" -czf "${WORK_DIR}.tgz" "${BUNDLE_NAME}"
+echo "[attest-bundle] bundle created at ${WORK_DIR}.tgz"