cosign

package
v0.8.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 30, 2023 License: Apache-2.0 Imports: 40 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var ErrAnnotationsUnmatched = cosign.NewVerificationError("annotations unmatched")
View Source
var (
	PubkeyPrefixPattern = regexp.MustCompile(`^-----BEGIN (RSA |ED25519 |ECDSA ){0,1}PUBLIC KEY-----\n(.*\n)+-----END (RSA |ED25519 |ECDSA ){0,1}PUBLIC KEY-----\s*$`)
)

Functions

func DecodePEM

func DecodePEM(raw []byte, signatureAlgorithm crypto.Hash) (signature.Verifier, error)

func EnsureReferences

func EnsureReferences(ctx context.Context, c client.Reader, img string, namespace string, opts *VerifyOpts) error

EnsureReferences will enrich the VerifyOpts with the image digest and signature reference. It's outsourced here, so we can ensure that it's used as few times as possible to reduce the number of potential GET requests to the registry which would count against potential rate limits.

func FindSignature

func FindSignature(imageDigest name.Digest, opts ...remote.Option) (name.Tag, ggcrv1.Hash, error)

func FindSignatureImage

func FindSignatureImage(imageRef name.Reference, opts ...remote.Option) (name.Tag, ggcrv1.Image, error)

func GetSignatureCacheRepository

func GetSignatureCacheRepository(ctx context.Context, c client.Reader, namespace string) (name.Repository, error)

func LoadVerifiers

func LoadVerifiers(ctx context.Context, keyRef string, algorithm string) (verifiers []signature.Verifier, err error)

func ParseSSHPublicKey

func ParseSSHPublicKey(keystr string) (crypto.PublicKey, error)

func PemEncodeCryptoPublicKey

func PemEncodeCryptoPublicKey(pubKey crypto.PublicKey) ([]byte, string, error)

func PemEncodeSSHPublicKey

func PemEncodeSSHPublicKey(key ssh.PublicKey) ([]byte, error)

func SimpleDigest

func SimpleDigest(ref name.Reference, opts ...remote.Option) (string, error)

SimpleDigest is an adaption of crane.Digest

  • it returns the sha256 hash of the remote image at ref.
  • removed: it does not support platform specific images (we don't need that here)
  • added: it returns an error if the image is not found on first try with HEAD (to lower the number of GET requests against potentially rate limited registries)

func UnmarshalPEMToPublicKey

func UnmarshalPEMToPublicKey(pemBytes []byte) (crypto.PublicKey, error)

UnmarshalPEMToPublicKey converts a PEM-encoded byte slice into a crypto.PublicKey

func VerifySignature

func VerifySignature(ctx context.Context, opts VerifyOpts) error

VerifySignature checks if the image is signed with the given key and if the annotations match the given rules This does a lot of image and image manifest juggling to fetch artifacts, digests, etc. from the registry, so we have to be careful to not do too many GET requests that count against registry rate limits (e.g. for Docker Hub). Crane uses HEAD (with GET as a fallback) wherever it can, so it's a good choice here e.g. for fetching digests.

Types

type AcornPublicKey

type AcornPublicKey struct {
	ID          string `json:"id,omitempty"`
	Key         string `json:"key,omitempty"`
	Fingerprint string `json:"fingerprint,omitempty"`
}

type ErrNoSupportedKeys

type ErrNoSupportedKeys struct {
	Username string
}

func (ErrNoSupportedKeys) Error

func (e ErrNoSupportedKeys) Error() string

type GitHubPublicKey

type GitHubPublicKey struct {
	ID  int    `json:"id,omitempty"`
	Key string `json:"key,omitempty"`
}

type Keys

type Keys struct {
	// contains filtered or unexported fields
}

type KeysBytes

type KeysBytes struct {
	PrivateBytes []byte
	PublicBytes  []byte
	// contains filtered or unexported fields
}

func ImportKeyPair

func ImportKeyPair(keyPath string, pass []byte) (*KeysBytes, error)

func (*KeysBytes) Password

func (k *KeysBytes) Password() []byte

type VerifyOpts

type VerifyOpts struct {
	ImageRef           name.Digest
	SignatureRef       name.Reference
	Namespace          string
	AnnotationRules    v1.SignatureAnnotations
	Key                string
	SignatureAlgorithm string
	RemoteOpts         []remote.Option
	NoCache            bool
	Verifiers          []signature.Verifier
}

func (*VerifyOpts) WithRemoteOpts

func (o *VerifyOpts) WithRemoteOpts(ctx context.Context, c client.Reader, namespace string, remoteOpts ...remote.Option) error

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL