Documentation
¶
Index ¶
- Variables
- func DecodePEM(raw []byte, signatureAlgorithm crypto.Hash) (signature.Verifier, error)
- func EnsureReferences(ctx context.Context, c client.Reader, img string, namespace string, ...) error
- func FindSignature(imageDigest name.Digest, opts ...remote.Option) (name.Tag, ggcrv1.Hash, error)
- func FindSignatureImage(imageRef name.Reference, opts ...remote.Option) (name.Tag, ggcrv1.Image, error)
- func GetSignatureCacheRepository(ctx context.Context, c client.Reader, namespace string) (name.Repository, error)
- func LoadVerifiers(ctx context.Context, keyRef string, algorithm string) (verifiers []signature.Verifier, err error)
- func ParseSSHPublicKey(keystr string) (crypto.PublicKey, error)
- func PemEncodeCryptoPublicKey(pubKey crypto.PublicKey) ([]byte, string, error)
- func PemEncodeSSHPublicKey(key ssh.PublicKey) ([]byte, error)
- func SimpleDigest(ref name.Reference, opts ...remote.Option) (string, error)
- func UnmarshalPEMToPublicKey(pemBytes []byte) (crypto.PublicKey, error)
- func VerifySignature(ctx context.Context, opts VerifyOpts) error
- type AcornPublicKey
- type ErrNoSupportedKeys
- type GitHubPublicKey
- type Keys
- type KeysBytes
- type VerifyOpts
Constants ¶
This section is empty.
Variables ¶
var ErrAnnotationsUnmatched = cosign.NewVerificationError("annotations unmatched")
var (
PubkeyPrefixPattern = regexp.MustCompile(`^-----BEGIN (RSA |ED25519 |ECDSA ){0,1}PUBLIC KEY-----\n(.*\n)+-----END (RSA |ED25519 |ECDSA ){0,1}PUBLIC KEY-----\s*$`)
)
Functions ¶
func EnsureReferences ¶
func EnsureReferences(ctx context.Context, c client.Reader, img string, namespace string, opts *VerifyOpts) error
EnsureReferences will enrich the VerifyOpts with the image digest and signature reference. It's outsourced here, so we can ensure that it's used as few times as possible to reduce the number of potential GET requests to the registry which would count against potential rate limits.
func FindSignature ¶
func FindSignatureImage ¶
func LoadVerifiers ¶
func SimpleDigest ¶
SimpleDigest is an adaption of crane.Digest
- it returns the sha256 hash of the remote image at ref.
- removed: it does not support platform specific images (we don't need that here)
- added: it returns an error if the image is not found on first try with HEAD (to lower the number of GET requests against potentially rate limited registries)
func UnmarshalPEMToPublicKey ¶
UnmarshalPEMToPublicKey converts a PEM-encoded byte slice into a crypto.PublicKey
func VerifySignature ¶
func VerifySignature(ctx context.Context, opts VerifyOpts) error
VerifySignature checks if the image is signed with the given key and if the annotations match the given rules This does a lot of image and image manifest juggling to fetch artifacts, digests, etc. from the registry, so we have to be careful to not do too many GET requests that count against registry rate limits (e.g. for Docker Hub). Crane uses HEAD (with GET as a fallback) wherever it can, so it's a good choice here e.g. for fetching digests.
Types ¶
type AcornPublicKey ¶
type ErrNoSupportedKeys ¶
type ErrNoSupportedKeys struct {
Username string
}
func (ErrNoSupportedKeys) Error ¶
func (e ErrNoSupportedKeys) Error() string
Source Files