Specifically for repro-threshold, it currently downloads the entire .deb, then parses the package metadata needed to search for relevant attestations.
However, apt is often already telling us the expected sha256 of the file:
[2026-03-30T22:43:31Z DEBUG repro_threshold::transport::apt] Received acquire request: Request { status: "600 URI Acquire", headers: {"Expected-Checksum-FileSize": "913304", "Expected-MD5Sum": "6966b3f0d063977c87114a6701aad856", "Expected-SHA256": "72c7a384452ea9c961bf251f4719a3559638ae2b47c6bee63c9bce37e930b68f", "Filename": "/var/cache/apt/archives/partial/zsh_5.9-8+b22_amd64.deb", "Target-Architecture": "amd64", "Target-Base-URI": "reproduced+http://deb.debian.org/debian/", "Target-Codename": "sid", "Target-Component": "main", "Target-Release": "sid", "Target-Repo-URI": "reproduced+http://deb.debian.org/debian/", "Target-Site": "reproduced+http://deb.debian.org/debian", "Target-Suite": "unstable", "Target-Type": "deb", "URI": "reproduced+http://deb.debian.org/debian/pool/main/z/zsh/zsh_5.9-8%2bb22_amd64.deb"} }
We could download the attestations much sooner (and also show the "threshold not reached" error much earlier, instead of making the user download hundreds of megabytes before being told the package doesn't qualify) if we had an endpoint to fetch attestations by hash, like:
/api/v1/artifacts/sha256:72c7a384452ea9c961bf251f4719a3559638ae2b47c6bee63c9bce37e930b68f/attestation
There may be multiple (successful) builds for that artifact; we would either show the earliest, or return a list with all of them.
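As an added illustration (not repro-threshold's own code), the sketch below shows what the transport could do with the acquire request before fetching anything: parse the apt method message, pull out Expected-SHA256, build the proposed endpoint path, and evaluate the threshold against whatever list the endpoint would return. The endpoint path shape, the Attestation fields, and the "distinct rebuilders with a successful build" threshold policy are assumptions; the sample message is constructed to mirror the log line above. When the header is absent (not every acquire request carries it) the helper returns None, so the caller keeps the current download-first behaviour; the downloaded bytes must still be hashed and verified as before, the early lookup only moves the "does this qualify" decision forward.

```rust
// Added example, not code from the repro-threshold project. Assumed: the
// endpoint path shape, the Attestation fields, and the threshold policy.
use std::collections::{BTreeMap, BTreeSet};

/// Constructed sample mirroring the "600 URI Acquire" message from the log.
pub const SAMPLE: &str = "600 URI Acquire\n\
URI: reproduced+http://deb.debian.org/debian/pool/main/z/zsh/zsh_5.9-8%2bb22_amd64.deb\n\
Filename: /var/cache/apt/archives/partial/zsh_5.9-8+b22_amd64.deb\n\
Expected-Checksum-FileSize: 913304\n\
Expected-SHA256: 72c7a384452ea9c961bf251f4719a3559638ae2b47c6bee63c9bce37e930b68f\n\
\n";

#[derive(Debug)]
pub struct AptMessage {
    pub status: String,
    pub headers: BTreeMap<String, String>,
}

/// Parse one apt method message: a "NNN text" status line followed by
/// "Key: Value" header lines, terminated by an empty line.
pub fn parse_apt_message(raw: &str) -> Option<AptMessage> {
    let mut lines = raw.lines();
    let status = lines.next()?.trim();
    let code = status.split(' ').next()?;
    if code.len() != 3 || !code.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    let mut headers = BTreeMap::new();
    for line in lines {
        let line = line.trim_end();
        if line.is_empty() {
            break; // blank line ends the message
        }
        let (k, v) = line.split_once(':')?;
        headers.insert(k.trim().to_string(), v.trim().to_string());
    }
    Some(AptMessage { status: status.to_string(), headers })
}

/// Expected-SHA256 as apt passes it (lowercase hex, 64 chars). None when the
/// header is missing or malformed, so the caller falls back to download-first.
pub fn expected_sha256(msg: &AptMessage) -> Option<String> {
    let v = msg.headers.get("Expected-SHA256")?.to_ascii_lowercase();
    if v.len() == 64 && v.bytes().all(|b| b.is_ascii_hexdigit()) {
        Some(v)
    } else {
        None
    }
}

/// Path of the proposed endpoint (assumed shape, taken from the issue text).
pub fn attestation_path(sha256_hex: &str) -> String {
    format!("/api/v1/artifacts/sha256:{sha256_hex}/attestation")
}

/// Decide, before any download, whether an early attestation lookup is
/// possible: Some(path) to query, None to keep the current behaviour.
pub fn early_lookup(raw: &str) -> Option<String> {
    let msg = parse_apt_message(raw)?;
    if msg.status != "600 URI Acquire" {
        return None;
    }
    expected_sha256(&msg).map(|h| attestation_path(&h))
}

/// One rebuild record as the endpoint might return it (assumed fields).
#[derive(Debug, Clone)]
pub struct Attestation {
    pub rebuilder: String,
    pub built_at: u64, // unix seconds
    pub success: bool,
}

/// The earliest successful build, for the "show the earliest" variant.
pub fn earliest_successful(atts: &[Attestation]) -> Option<&Attestation> {
    atts.iter().filter(|a| a.success).min_by_key(|a| a.built_at)
}

/// Assumed threshold policy: count distinct rebuilders that reproduced the
/// artifact, so repeated builds from one rebuilder do not inflate the count.
pub fn threshold_reached(atts: &[Attestation], threshold: usize) -> bool {
    let seen: BTreeSet<&str> = atts
        .iter()
        .filter(|a| a.success)
        .map(|a| a.rebuilder.as_str())
        .collect();
    seen.len() >= threshold
}

fn main() {
    match early_lookup(SAMPLE) {
        Some(path) => println!("query {path} before downloading the .deb"),
        None => println!("no Expected-SHA256; download and parse the .deb first"),
    }
}
```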