part #2

src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Services/SnapshotManifestSigner.Verify.cs

@@ -0,0 +1,57 @@
+using System.Text.Json;
+
+namespace StellaOps.AirGap.Bundle.Services;
+
+public sealed partial class SnapshotManifestSigner
+{
+    /// <summary>
+    /// Verifies a DSSE envelope signature.
+    /// </summary>
+    public async Task<ManifestVerificationResult> VerifyAsync(
+        ManifestVerificationRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+        ArgumentNullException.ThrowIfNull(request.EnvelopeBytes);
+
+        try
+        {
+            using var envelope = JsonDocument.Parse(request.EnvelopeBytes);
+            var root = envelope.RootElement;
+
+            if (!TryReadEnvelope(root, out var parts, out var error))
+            {
+                return new ManifestVerificationResult
+                {
+                    Success = false,
+                    Error = error
+                };
+            }
+
+            var payloadDigest = ComputeSha256(parts.PayloadBytes);
+            var verifiedSignatures = await VerifySignaturesAsync(
+                    parts.SignaturesElement,
+                    request.PublicKey,
+                    parts.PaeBytes,
+                    cancellationToken)
+                .ConfigureAwait(false);
+
+            return new ManifestVerificationResult
+            {
+                Success = true,
+                PayloadDigest = payloadDigest,
+                SignatureCount = parts.SignatureCount,
+                VerifiedSignatures = verifiedSignatures,
+                PayloadType = parts.PayloadType
+            };
+        }
+        catch (JsonException ex)
+        {
+            return new ManifestVerificationResult
+            {
+                Success = false,
+                Error = $"Failed to parse envelope: {ex.Message}"
+            };
+        }
+    }
+}