Documentation ¶
Overview ¶
The full specification for the API endpoints can be found at: https://github.com/npm/registry/blob/master/docs/REGISTRY-API.md
Index ¶
- Constants
- Variables
- func NewNPMPublicKeyVerifier(ctx context.Context, npm *Client, trustedRoot *root.TrustedRoot) (*verify.SignedEntityVerifier, error)
- type Attestation
- type AttestationBundle
- type Client
- func (c *Client) GetAttestations(ctx context.Context, name, version string) ([]AttestationBundle, error)
- func (c *Client) GetPackage(ctx context.Context, name string) (*Package, error)
- func (c *Client) GetPackageVersion(ctx context.Context, name, version string) (*PackageVersion, error)
- func (c *Client) GetPublicKeys(ctx context.Context) ([]Key, error)
- type Dist
- type DistTags
- type Key
- type Maintainer
- type Package
- type PackageVersion
- type Provenance
- type Repository
- type Signature
- type User
- type VerificationStatus
- type Verifier
Examples ¶
Constants ¶
// Host is the hostname of the public npm registry.
// NOTE(review): presumably Client builds its request URLs from this value — confirm in the client code.
const Host = "registry.npmjs.org"
Variables ¶
var (
	// ErrMissingSHA512Digest reports that no sha512 digest was found for a
	// package version.
	// NOTE(review): presumably derived from Dist.Integrity; callers should treat
	// it as a verification failure rather than fall back to a weaker digest — confirm.
	ErrMissingSHA512Digest = errors.New("sha512 digest not found for package's version")
	// ErrMissingPublicKeys reports that NPM returned no public keys.
	// NOTE(review): without keys the registry signature cannot be checked, so
	// this should also be handled as a failure, not as "nothing to verify" — confirm.
	ErrMissingPublicKeys = errors.New("no public keys returned by NPM")
)
Functions ¶
func NewNPMPublicKeyVerifier ¶
func NewNPMPublicKeyVerifier( ctx context.Context, npm *Client, trustedRoot *root.TrustedRoot, ) (*verify.SignedEntityVerifier, error)
Types ¶
type Attestation ¶
// Attestation is the "attestations" entry of a version's dist metadata
// (see Dist.Attestations).
type Attestation struct {
	// URL is decoded from the "url" key.
	// NOTE(review): this value comes from registry-supplied JSON; GetAttestations
	// takes a name and version rather than this URL, so it is presumably
	// informational — if it is ever fetched, check its host first.
	URL string `json:"url"`
	// Provenance is decoded from the "attestation" key; note that the JSON
	// name differs from the Go field name.
	Provenance Provenance `json:"attestation"`
}
type AttestationBundle ¶
type Client ¶
func (*Client) GetAttestations ¶
func (*Client) GetPackage ¶
func (*Client) GetPackageVersion ¶
type Dist ¶
// Dist mirrors the "dist" object of a package version in the registry
// metadata. All values are decoded from the registry response and are
// unverified until a Verifier has checked them.
type Dist struct {
	// Integrity is decoded from "integrity".
	// NOTE(review): in npm registry metadata this is a Subresource-Integrity
	// style string; presumably the source of the sha512 digest that
	// ErrMissingSHA512Digest refers to — confirm.
	Integrity string `json:"integrity"`
	// Shasum is decoded from "shasum".
	// NOTE(review): in npm registry metadata this is a SHA-1 hex digest, which
	// is not collision resistant; do not use it as the integrity check.
	Shasum string `json:"shasum"`
	// Tarball is the registry-supplied tarball URL.
	Tarball string `json:"tarball"`
	// FileCount and UnpackedSize are registry-reported numbers.
	FileCount    int `json:"fileCount"`
	UnpackedSize int `json:"unpackedSize"`
	// Signatures holds the entries of "signatures"; Signature is declared
	// elsewhere in this package.
	Signatures []Signature `json:"signatures"`
	// Attestations is decoded from "attestations".
	Attestations Attestation `json:"attestations"`
	// NpmSignature is decoded from "npm-signature".
	// NOTE(review): presumably the legacy PGP signature format — confirm
	// whether anything in this package still checks it.
	NpmSignature string `json:"npm-signature"`
}
type Maintainer ¶
type Package ¶
// Package mirrors the registry's top-level document for a package, as
// returned by Client.GetPackage. Free-text fields such as Description and
// Readme are publisher-controlled and should be treated as untrusted input
// when rendered or logged.
type Package struct {
	ID          string   `json:"_id"`
	Rev         string   `json:"_rev"`
	Name        string   `json:"name"`
	Description string   `json:"description"`
	DistTags    DistTags `json:"dist-tags"`
	// Versions is keyed by the strings under "versions".
	// NOTE(review): presumably version numbers — confirm.
	Versions    map[string]PackageVersion `json:"versions"`
	Readme      string                    `json:"readme"`
	Maintainers []Maintainer              `json:"maintainers"`
	// Time maps the keys under "time" to timestamps; decoding fails if a
	// value is not a timestamp time.Time can parse.
	Time           map[string]time.Time `json:"time"`
	ReadmeFilename string               `json:"readmeFilename"`
	Keywords       []string             `json:"keywords"`
	Users          map[string]bool      `json:"users"`
	Homepage       string               `json:"homepage"`
}
type PackageVersion ¶
// PackageVersion mirrors the registry metadata for one published version,
// as returned by Client.GetPackageVersion and consumed by Verifier.Verify.
type PackageVersion struct {
	Name        string `json:"name"`
	Description string `json:"description"`
	Version     string `json:"version"`
	// Repository has a custom UnmarshalJSON because the registry field can
	// have multiple types.
	// NOTE(review): Repository and GitHead are publisher-declared metadata;
	// on their own they are not evidence of where the package was built from.
	Repository      Repository        `json:"repository"`
	Dependencies    map[string]string `json:"dependencies"`
	DevDependencies map[string]string `json:"devDependencies"`
	GitHead         string            `json:"gitHead"`
	ID              string            `json:"_id"`
	NodeVersion     string            `json:"_nodeVersion"`
	NpmVersion      string            `json:"_npmVersion"`
	// Dist carries the digests, signatures and attestation reference for
	// this version's tarball.
	Dist          Dist `json:"dist"`
	NpmUser       User `json:"_npmUser"`
	HasShrinkwrap bool `json:"_hasShrinkwrap"`
}
Some additional fields exist, but they can have multiple types. This causes errors at json.Unmarshal time if a field does not have the right type. They are simply excluded from the struct for now, as they are not used elsewhere in the code.
type Provenance ¶
// Provenance is the value decoded from an Attestation's "attestation" key.
// Only the predicate type is decoded; any other keys in that object are
// ignored by this struct.
type Provenance struct {
	// PredicateType is decoded from "predicateType".
	PredicateType string `json:"predicateType"`
}
type Repository ¶
func (*Repository) UnmarshalJSON ¶
func (r *Repository) UnmarshalJSON(data []byte) error
The `Repository` field in `PackageVersion` can have multiple types.
type VerificationStatus ¶
// VerificationStatus is the result returned by Verifier.Verify.
//
// NOTE(review): the AttestationError and ProvenanceError fields suggest that
// Verify can return a nil error while recording a failed check here. Callers
// should inspect HasAttestations and both error fields before treating a
// package as verified — confirm against Verify's implementation.
type VerificationStatus struct {
	// NOTE(review): presumably the URL of the artifact that was checked — confirm.
	URL string
	// SHA512 is a sha512 digest.
	// NOTE(review): presumably of the package tarball — confirm.
	SHA512 string
	// NOTE(review): the name suggests the issuer is derived rather than
	// verified; do not use it for policy decisions without confirming how it
	// is computed.
	InferredIssuer string
	// HasAttestations reports whether attestations were found.
	// NOTE(review): presumably false means nothing was verified — confirm.
	HasAttestations bool
	// Attestation and AttestationError are the result and error of one check.
	Attestation      *verify.VerificationResult
	AttestationError error
	// Provenance and ProvenanceError are the result and error of the other check.
	Provenance      *verify.VerificationResult
	ProvenanceError error
}
type Verifier ¶
// Verifier bundles the registry client and the two signed-entity verifiers
// used by Verify.
type Verifier struct {
	// NPM is the registry client.
	NPM *Client
	// NOTE(review): presumably verifies bundles against the Sigstore trusted
	// root — confirm.
	SigStore *verify.SignedEntityVerifier
	// NOTE(review): presumably the verifier built by NewNPMPublicKeyVerifier
	// from the registry's public keys. If those keys are fetched from the same
	// registry that serves the package, trust rests on the connection to that
	// registry — confirm.
	NPMPublicKey *verify.SignedEntityVerifier
}
func (*Verifier) Verify ¶
func (v *Verifier) Verify(ctx context.Context, pkg *PackageVersion) (*VerificationStatus, error)
Example ¶
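package main

import (
	"context"
	"log"

	// An internal/ package can only be imported from inside this module;
	// code outside it has to supply its own value for Client.HTTP.
	"github.com/DataDog/go-attestations-verifier/internal/httputil"
	"github.com/DataDog/go-attestations-verifier/pkg/npm"
)

// main fetches the registry metadata for sigstore@3.0.0, verifies its
// attestations, and exits non-zero unless every check succeeded.
func main() {
	ctx := context.Background()

	npmClient := &npm.Client{HTTP: httputil.DefaultClient()}

	pkg, err := npmClient.GetPackageVersion(ctx, "sigstore", "3.0.0")
	if err != nil {
		log.Fatal(err)
	}

	verifier, err := npm.NewVerifier(ctx, npmClient)
	if err != nil {
		log.Fatal(err)
	}

	status, err := verifier.Verify(ctx, pkg)
	if err != nil {
		log.Fatal(err)
	}

	// VerificationStatus carries its own per-check error fields, so a nil err
	// from Verify is not treated as proof of a verified package here.
	// NOTE(review): confirm against Verify whether it can return nil while
	// populating these fields; the checks are harmless if it cannot.
	if !status.HasAttestations {
		// Policy choice for this example: a version without attestations is rejected.
		log.Fatalf("%s@%s: no attestations found", pkg.Name, pkg.Version)
	}
	if status.AttestationError != nil {
		log.Fatalf("%s@%s: attestation verification failed: %v", pkg.Name, pkg.Version, status.AttestationError)
	}
	if status.ProvenanceError != nil {
		log.Fatalf("%s@%s: provenance verification failed: %v", pkg.Name, pkg.Version, status.ProvenanceError)
	}

	log.Print(status)
}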
Output: