Documentation
¶
Index ¶
- Variables
- func EnsureReferences(ctx context.Context, c client.Reader, img string, opts *VerifyOpts) error
- func LoadKey(ctx context.Context, keyRef string, algorithm string) (verifier signature.Verifier, err error)
- func SimpleDigest(ref name.Reference, opt ...crane.Option) (string, error)
- func VerifySignature(ctx context.Context, opts VerifyOpts) error
- type VerifyOpts
Constants ¶
This section is empty.
Variables ¶
var ErrAnnotationsUnmatched = cosign.NewVerificationError("annotations unmatched")
Functions ¶
func EnsureReferences ¶
EnsureReferences will enrich the VerifyOpts with the image digest and signature reference. It's outsourced here, so we can ensure that it's used as few times as possible to reduce the number of potential GET requests to the registry which would count against potential rate limits.
func SimpleDigest ¶
SimpleDigest is an adaption of crane.Digest
- it returns the sha256 hash of the remote image at ref.
- removed: it does not support platform specific images (we don't need that here)
- added: it returns an error if the image is not found on first try with HEAD (to lower the number of GET requests against potentially rate limited registries)
func VerifySignature ¶
func VerifySignature(ctx context.Context, opts VerifyOpts) error
VerifySignature checks if the image is signed with the given key and if the annotations match the given rules This does a lot of image and image manifest juggling to fetch artifacts, digests, etc. from the registry, so we have to be careful to not do too many GET requests that count against registry rate limits (e.g. for Docker Hub). Crane uses HEAD (with GET as a fallback) wherever it can, so it's a good choice here e.g. for fetching digests.
Source Files