@@ -424,7 +424,23 @@ cmd_verify() {
424424 if [ -n " $ORCH_ATTESTATION " ]; then
425425 ORCH_ATTEST_OK=false
426426 ORCH_EVIDENCE_FILE=$( mktemp /tmp/orch_attestation_XXXXXX.json)
427+ # Support two formats:
428+ # 1. base64+gzip (old tee-proxy standalone mode)
429+ # 2. raw JSON from tee-proxy --attestation-url mode (attestation-service sidecar)
430+ # In this case the header value is {"platform":..., "evidence":{...}};
431+ # attestation-cli verify expects the evidence sub-object.
432+ ORCH_DECODED=false
427433 if echo " $ORCH_ATTESTATION " | base64 -d 2> /dev/null | gunzip > " $ORCH_EVIDENCE_FILE " 2> /dev/null; then
434+ ORCH_DECODED=true
435+ elif echo " $ORCH_ATTESTATION " | jq -e . & > /dev/null 2>&1 ; then
436+ # Raw JSON: extract .evidence if present, else use as-is
437+ ORCH_EVIDENCE=$( echo " $ORCH_ATTESTATION " | jq -r ' if has("evidence") then .evidence else . end' 2> /dev/null)
438+ if [ -n " $ORCH_EVIDENCE " ] && echo " $ORCH_EVIDENCE " | jq -e . & > /dev/null 2>&1 ; then
439+ echo " $ORCH_EVIDENCE " > " $ORCH_EVIDENCE_FILE "
440+ ORCH_DECODED=true
441+ fi
442+ fi
443+ if [ " $ORCH_DECODED " = " true" ]; then
428444 if [ -n " $ATTESTATION_CLI " ]; then
429445 ORCH_VERIFY_RESULT=$( $ATTESTATION_CLI verify -e " $ORCH_EVIDENCE_FILE " 2> /dev/null) || true
430446 if [ -n " $ORCH_VERIFY_RESULT " ] && echo " $ORCH_VERIFY_RESULT " | jq -e . & > /dev/null; then
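Review bot: The new JSON branch feeds the header value to jq and to the evidence file through `echo` (new lines 435, 437, 438, 439), so a value beginning with `-n`, `-e` or `-E`, or containing backslashes under `xpg_echo`/`sh`, is altered before it is parsed or written — the evidence handed to `attestation-cli verify` would then not be the bytes the proxy sent. Since this value arrives from a peer and is not yet verified, use the byte-preserving form at each site, e.g. `elif printf '%s\n' "$ORCH_ATTESTATION" | jq -e . >/dev/null 2>&1; then` and `printf '%s\n' "$ORCH_EVIDENCE" > "$ORCH_EVIDENCE_FILE"`. The `&>/dev/null 2>&1` on lines 435 and 438 is redundant (`&>` already covers stderr) and is a bashism; `>/dev/null 2>&1` is enough and portable. The enclosing `cmd_verify()` starts before this hunk and its body continues past line 446.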
@@ -445,7 +461,7 @@ cmd_verify() {
445461 ORCH_ATTEST_OK=true # don't fail if CLI is missing, just note it
446462 fi
447463 else
448- echo " Orchestrator Attestation: present but could not decode (base64+gzip)"
464+ echo " Orchestrator Attestation: present but could not decode (expected base64+gzip or JSON )"
449465 fi
450466 rm -f " $ORCH_EVIDENCE_FILE "
451467 # Both layers must pass for step [4/5] to succeed