Documentation ¶
Index ¶
- Constants
- Variables
- func DecodePEM(raw []byte, signatureAlgorithm crypto.Hash) (signature.Verifier, error)
- func EnsureReferences(ctx context.Context, c client.Reader, img string, namespace string, ...) error
- func FindSignature(imageDigest name.Digest, opts ...remote.Option) (name.Tag, ggcrv1.Hash, error)
- func FindSignatureImage(imageRef name.Reference, opts ...remote.Option) (name.Tag, ggcrv1.Image, error)
- func GetDefaultSignatureAnnotations(imageName string) map[string]interface{}
- func GetSignatureCacheRepository(ctx context.Context, c client.Reader, namespace string) (name.Repository, error)
- func ParseSSHPublicKey(keystr string) (crypto.PublicKey, error)
- func PemEncodeCryptoPublicKey(pubKey crypto.PublicKey) ([]byte, string, error)
- func PemEncodeSSHPublicKey(key ssh.PublicKey) ([]byte, error)
- func SimpleDigest(ref name.Reference, opts ...remote.Option) (string, error)
- func UnmarshalPEMToPublicKey(pemBytes []byte) (crypto.PublicKey, error)
- func VerifiersFromPublicKeyRef(ctx context.Context, keyRef string, algorithm string) (verifiers []signature.Verifier, err error)
- func VerifySignature(ctx context.Context, opts VerifyOpts) error
- type AcornPublicKey
- type ErrNoMatchingSignatures
- type ErrNoSignaturesFound
- type ErrNoSupportedKeys
- type GitHubPublicKey
- type Keys
- type KeysBytes
- type VerificationFailure
- type VerifyOpts
Constants ¶
const (
	// SignatureAnnotationSignedName records the image reference that was given
	// to `acorn image sign`: signing `foo/bar:v1` sets it to `foo/bar:v1`.
	// It exists because the signed payload usually only carries the image
	// digest, not the human-facing name.
	// NOTE(review): whether this annotation is itself covered by the signature
	// (and therefore usable as a trusted name-to-digest binding) depends on it
	// being part of the signed payload rather than a plain OCI annotation —
	// confirm before relying on it for anything beyond display.
	SignatureAnnotationSignedName = "acorn.io/signed-name"
)
Variables ¶
// PublicKeyPattern and PrivateKeyPattern are coarse PEM format sniffers. They
// check only the BEGIN/END framing (optional RSA/ED25519/ECDSA label, plus an
// optional ENCRYPTED label for private keys) and that at least one
// newline-terminated line sits between the markers. They do NOT validate the
// base64 body, and the greedy `(.*\n)+` in the middle accepts any lines at all —
// including a second concatenated PEM block or junk text — so a match must
// always be followed by real PEM parsing (e.g. UnmarshalPEMToPublicKey) before
// anything is trusted. The optional labels in the BEGIN and END markers are
// matched independently, so mismatched labels (e.g. "BEGIN RSA PUBLIC KEY" with
// "END PUBLIC KEY") also match.
//
// Both patterns are anchored with ^ and $ (no multi-line mode), so the input
// must start with the BEGIN line; the trailing \s* only tolerates whitespace
// after the END marker.
var (
	PublicKeyPattern  = regexp.MustCompile(`^-----BEGIN (RSA |ED25519 |ECDSA )?PUBLIC KEY-----\n(.*\n)+-----END (RSA |ED25519 |ECDSA )?PUBLIC KEY-----\s*$`)
	PrivateKeyPattern = regexp.MustCompile(`^-----BEGIN (ENCRYPTED )?(RSA |ED25519 |ECDSA )?PRIVATE KEY-----\n(.*\n)+-----END (ENCRYPTED )?(RSA |ED25519 |ECDSA )?PRIVATE KEY-----\s*$`)
)
// ErrAnnotationsUnmatched is the error used when the annotations carried by a
// signature do not satisfy the annotation rules the caller asked for. It is
// built with cosign.NewVerificationError, so it is classified as a verification
// failure rather than a transport or lookup error: callers should treat it as
// "image not trusted", not as "signature missing".
var ErrAnnotationsUnmatched = cosign.NewVerificationError("annotations unmatched")
Functions ¶
func EnsureReferences ¶
func EnsureReferences(ctx context.Context, c client.Reader, img string, namespace string, opts *VerifyOpts) error
EnsureReferences resolves the image digest and the signature reference for img and stores them in opts, so that the rest of the verification works against a resolved digest instead of re-resolving a (mutable) tag at every step. It lives in its own function so that it can be called as rarely as possible: each call may issue GET requests against the registry, and those count against registry rate limits.
func FindSignature ¶
func FindSignatureImage ¶
func GetDefaultSignatureAnnotations ¶ added in v0.9.0
func SimpleDigest ¶
SimpleDigest is an adaptation of crane.Digest:
- it returns the sha256 digest of the remote image at ref;
- removed: platform-specific (per-architecture) image resolution, which is not needed here;
- added: it returns an error as soon as the image is not found by the initial HEAD request, instead of falling back to a GET, to keep the number of GET requests against potentially rate-limited registries low. A registry whose HEAD responses are unreliable will therefore surface as a not-found error rather than being retried with GET.
func UnmarshalPEMToPublicKey ¶
UnmarshalPEMToPublicKey decodes a PEM-encoded byte slice into a crypto.PublicKey, returning an error instead of a key when the input cannot be decoded as a public key.
func VerifiersFromPublicKeyRef ¶ added in v0.9.0
func VerifySignature ¶
func VerifySignature(ctx context.Context, opts VerifyOpts) error
VerifySignature checks that the image is signed with the given key and that the signature's annotations satisfy the given annotation rules; an annotation mismatch is a verification failure (see ErrAnnotationsUnmatched), not a soft warning. The implementation does a lot of image and image-manifest juggling to fetch artifacts, digests, etc. from the registry, so it has to be careful not to issue too many GET requests, which count against registry rate limits (e.g. on Docker Hub). Crane uses HEAD (with GET as a fallback) wherever it can, which makes it a good choice here, e.g. for fetching digests.
Types ¶
type AcornPublicKey ¶
type ErrNoMatchingSignatures ¶ added in v0.9.0
// ErrNoMatchingSignatures reports that signatures were found for the image but
// none of them verified against the supplied key(s) and rules. Err carries the
// underlying cause and is exposed through Unwrap, so callers should match this
// type with errors.As rather than comparing error strings.
// NOTE(review): the "found but none matched" reading is inferred from the name
// and its sibling ErrNoSignaturesFound — confirm against the constructing site.
type ErrNoMatchingSignatures struct {
	Err error
}
func (*ErrNoMatchingSignatures) Error ¶ added in v0.9.0
func (e *ErrNoMatchingSignatures) Error() string
func (*ErrNoMatchingSignatures) Unwrap ¶ added in v0.9.0
func (e *ErrNoMatchingSignatures) Unwrap() error
type ErrNoSignaturesFound ¶ added in v0.9.0
// ErrNoSignaturesFound reports that no signature artifact could be located for
// the image at all. Err carries the underlying lookup error and is exposed
// through Unwrap. Callers that distinguish "unsigned" from "signed by someone
// else" should match this type with errors.As rather than comparing strings.
// NOTE(review): meaning inferred from the name and its sibling
// ErrNoMatchingSignatures — confirm against the site that constructs it.
type ErrNoSignaturesFound struct {
	Err error
}
func (*ErrNoSignaturesFound) Error ¶ added in v0.9.0
func (e *ErrNoSignaturesFound) Error() string
func (*ErrNoSignaturesFound) Unwrap ¶ added in v0.9.0
func (e *ErrNoSignaturesFound) Unwrap() error
type ErrNoSupportedKeys ¶
// ErrNoSupportedKeys reports that none of the public keys discovered for
// Username could be used for verification. Username is the account whose keys
// were looked up.
// NOTE(review): "account" presumably refers to the GitHub user behind
// GitHubPublicKey — confirm. As listed here the type has an Error method but no
// Unwrap, so it cannot be matched on an underlying cause.
type ErrNoSupportedKeys struct {
	Username string
}
func (ErrNoSupportedKeys) Error ¶
func (e ErrNoSupportedKeys) Error() string
type GitHubPublicKey ¶
type KeysBytes ¶
type VerificationFailure ¶ added in v0.9.0
// VerificationFailure wraps an error produced while verifying a signature so
// that callers can tell a failed verification apart from transport or lookup
// errors. Construct it with NewVerificationFailure; the cause is reachable via
// Unwrap / errors.As.
// NOTE(review): which errors get wrapped is decided by the callers, not by this
// type — treat any VerificationFailure as "image not trusted".
type VerificationFailure struct {
	Err error
}
func NewVerificationFailure ¶ added in v0.9.0
func NewVerificationFailure(err error) *VerificationFailure
func (*VerificationFailure) Error ¶ added in v0.9.0
func (e *VerificationFailure) Error() string
func (*VerificationFailure) Unwrap ¶ added in v0.9.0
func (e *VerificationFailure) Unwrap() error