Documentation

Overview
Package payload contains types and utilities related to the Cosign signature format.
Package payload defines a container image
Index
Constants
const CosignSignatureType = "cosign container image signature"
CosignSignatureType is the value of `critical.type` in a SimpleContainerImage payload.
Variables
This section is empty.
Functions
This section is empty.
Types
type Cosign

type Cosign struct {
	// Image is the image reference, pinned by digest, that the signature applies to.
	Image name.Digest
	// ClaimedIdentity is what the signer claims the image to be; usually a registry.com/…/repo:tag, but it can also use a digest instead.
	// ALMOST ALL consumers MUST verify that the ClaimedIdentity in the signature is correct given how the user refers to the image;
	// e.g. if the user asks to access a signed image example.com/repo/mysql:3.14,
	// it is ALMOST ALWAYS necessary to validate that ClaimedIdentity = example.com/repo/mysql:3.14
	//
	// Considerations:
	// - The user might refer to an image using a digest (example.com/repo/mysql@sha256:…); in that case the registry/…/repo should still match
	// - If the image is multi-arch, ClaimedIdentity usually refers to the top-level multi-arch image index, also on the per-arch images
	//   (possibly even if ClaimedIdentity contains a digest!)
	// - Older versions of cosign generate signatures where ClaimedIdentity only contains a registry/…/repo; signature consumers should allow users
	//   to determine whether such images should be accepted (and, long-term, the default SHOULD be to reject them)
	ClaimedIdentity string
	Annotations     map[string]interface{}
}

Cosign describes a container image signed using Cosign.
func (Cosign) MarshalJSON

func (p Cosign) MarshalJSON() ([]byte, error)

MarshalJSON marshals the container signature into a []byte of JSON data.

func (Cosign) SimpleContainerImage

func (p Cosign) SimpleContainerImage() SimpleContainerImage
SimpleContainerImage returns information about a container image in the github.com/containers/image/signature format
func (*Cosign) UnmarshalJSON

func (p *Cosign) UnmarshalJSON(data []byte) error

UnmarshalJSON unmarshals a []byte of JSON data into a container signature object.
type Critical

type Critical struct {
	Identity Identity `json:"identity"` // Identity is the claimed identity of the image
	Image    Image    `json:"image"`    // Image identifies the container image that the signature applies to
	Type     string   `json:"type"`     // Type must be CosignSignatureType ("cosign container image signature")
}

Critical is the data critical to correctly evaluating the validity of a signature.
type Identity

type Identity struct {
	DockerReference string `json:"docker-reference"` // DockerReference is a reference used to refer to or download the image
}

Identity is the claimed identity of the image.
type Image

type Image struct {
	DockerManifestDigest string `json:"docker-manifest-digest"` // DockerManifestDigest is the manifest digest of the signed container image
}

Image identifies the container image that the signature applies to.
type SimpleContainerImage

type SimpleContainerImage struct {
	Critical Critical               `json:"critical"` // Critical is the data critical to correctly evaluating the validity of the signature
	Optional map[string]interface{} `json:"optional"` // Optional is optional metadata about the image
}

SimpleContainerImage describes the structure of a basic container image signature payload, as defined at: https://github.com/containers/image/blob/main/docs/containers-signature.5.md#json-data-format
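The following is an added example, not code from this package, showing how a consumer would apply the ClaimedIdentity considerations listed on the Cosign type to a decoded SimpleContainerImage payload. It uses only the standard library: simplePayload, splitRef and CheckPayload are hypothetical names defined here, the payload bytes are constructed, and the reference parsing is deliberately minimal (no normalisation of docker.io or library/ shorthand).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)
type simplePayload struct { // local mirror of the SimpleContainerImage JSON layout, not the package's own type
	Critical struct {
		Identity struct{ DockerReference string `json:"docker-reference"` } `json:"identity"`
		Image    struct{ DockerManifestDigest string `json:"docker-manifest-digest"` } `json:"image"`
		Type     string `json:"type"`
	} `json:"critical"`
}
// splitRef splits "repo[:tag][@digest]"; a ':' after the last '/' starts a tag, an earlier one is a registry port.
func splitRef(ref string) (repo, tag, digest string) {
	if i := strings.Index(ref, "@"); i >= 0 {
		ref, digest = ref[:i], ref[i+1:]
	}
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		ref, tag = ref[:i], ref[i+1:]
	}
	return ref, tag, digest
}
// CheckPayload applies the ClaimedIdentity rules: the payload must cover the digest the user resolved and its docker-reference must match how the user asked for the image; allowRepoOnly is the policy knob for older cosign signatures.
func CheckPayload(raw []byte, requested, resolvedDigest string, allowRepoOnly bool) error {
	var p simplePayload
	if err := json.Unmarshal(raw, &p); err != nil {
		return err
	}
	if p.Critical.Type != "cosign container image signature" { // CosignSignatureType
		return fmt.Errorf("unexpected critical.type %q", p.Critical.Type)
	}
	if p.Critical.Image.DockerManifestDigest != resolvedDigest {
		return fmt.Errorf("signature covers %s, not the resolved %s", p.Critical.Image.DockerManifestDigest, resolvedDigest)
	}
	cRepo, cTag, cDigest := splitRef(p.Critical.Identity.DockerReference)
	rRepo, rTag, rDigest := splitRef(requested)
	if cRepo != rRepo { // required whether the user used a tag or a digest
		return fmt.Errorf("claimed repo %q does not match requested repo %q", cRepo, rRepo)
	}
	if cTag == "" && cDigest == "" && !allowRepoOnly { // older cosign: ClaimedIdentity is only registry/.../repo
		return fmt.Errorf("repo-only ClaimedIdentity %q rejected by policy", cRepo)
	}
	// A digest on either side pins the image (a claimed digest may be the multi-arch index) so the repo match suffices; a repo-only identity allowed above matches any tag; otherwise the tags must be identical.
	if rDigest == "" && cDigest == "" && cTag != "" && cTag != rTag {
		return fmt.Errorf("claimed tag %q does not match requested tag %q", cTag, rTag)
	}
	return nil
}
```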