AB#2159 Feat/cli/fetch measurements (#301)

Signed-off-by: Fabian Kammel <fk@edgeless.systems>

internal/sigstore/verify.go

@@ -0,0 +1,38 @@
+package sigstore
+
+import (
+	"bytes"
+	"crypto"
+	"encoding/base64"
+	"fmt"
+
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
+	sigsig "github.com/sigstore/sigstore/pkg/signature"
+)
+
+// VerifySignature checks if the signature of content can be verified
+// using publicKey.
+// signature is expected to be base64 encoded.
+// publicKey is expected to be PEM encoded.
+func VerifySignature(content, signature, publicKey []byte) error {
+	sigRaw := base64.NewDecoder(base64.StdEncoding, bytes.NewReader(signature))
+
+	pubKeyRaw, err := cryptoutils.UnmarshalPEMToPublicKey(publicKey)
+	if err != nil {
+		return fmt.Errorf("unable to parse public key: %w", err)
+	}
+	if err := cryptoutils.ValidatePubKey(pubKeyRaw); err != nil {
+		return fmt.Errorf("unable to validate public key: %w", err)
+	}
+
+	verifier, err := sigsig.LoadVerifier(pubKeyRaw, crypto.SHA256)
+	if err != nil {
+		return fmt.Errorf("unable to load verifier: %w", err)
+	}
+
+	if err := verifier.VerifySignature(sigRaw, bytes.NewReader(content)); err != nil {
+		return fmt.Errorf("unable to verify signature: %w", err)
+	}
+
+	return nil
+}