internal

package
v5.23.0
Warning

This package is not in the latest version of its module.

Published: Sep 29, 2022 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func ParanoidUnmarshalJSONObject

func ParanoidUnmarshalJSONObject(data []byte, fieldResolver func(string) interface{}) error

ParanoidUnmarshalJSONObject unmarshals data as a JSON object, failing on the slightest unexpected aspect (duplicated keys, unrecognized keys, non-matching types, and anything else that deviates from the expected shape). It uses fieldResolver to determine the destination for each field value: fieldResolver should return a pointer to the destination if the key is valid, or nil if the key is rejected.

The fieldResolver approach is useful for decoding the Policy.Transports map; using it for structs is a bit lazy, since reflection could automate this. Later?

func ParanoidUnmarshalJSONObjectExactFields

func ParanoidUnmarshalJSONObjectExactFields(data []byte, exactFields map[string]interface{}) error

ParanoidUnmarshalJSONObjectExactFields unmarshals data as a JSON object, failing on the slightest unexpected aspect (duplicated keys, unrecognized keys, non-matching types, and anything else that deviates from the expected shape). Each of the fields in exactFields must be present exactly once, and no other fields are accepted.
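The following is an added example, not the package's own code: a stand-alone implementation of both paranoid decoders on top of encoding/json's token API, with a constructed set of inputs that each trip one rule (duplicate key, unknown key, fractional value into an int64, missing required key, trailing data). The field names "ref" and "ts" and the sample values are assumptions made up for the demonstration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
)

// JSONFormatError mirrors the package's error type: well-formed JSON that does
// not match the expected shape.
type JSONFormatError string

func (e JSONFormatError) Error() string { return string(e) }

// ParanoidUnmarshalJSONObject decodes data as exactly one JSON object. For each key,
// fieldResolver returns a pointer to its destination, or nil to reject the key.
// Duplicate keys, rejected keys, type mismatches and trailing data are all errors.
func ParanoidUnmarshalJSONObject(data []byte, fieldResolver func(string) interface{}) error {
	dec := json.NewDecoder(bytes.NewReader(data))
	tok, err := dec.Token()
	if err != nil {
		return JSONFormatError(err.Error())
	}
	if delim, ok := tok.(json.Delim); !ok || delim != '{' {
		return JSONFormatError(fmt.Sprintf("expected a JSON object, got %v", tok))
	}
	seen := map[string]struct{}{}
	for dec.More() {
		keyTok, err := dec.Token()
		if err != nil {
			return JSONFormatError(err.Error())
		}
		key, ok := keyTok.(string)
		if !ok {
			return JSONFormatError(fmt.Sprintf("expected an object key, got %v", keyTok))
		}
		if _, dup := seen[key]; dup {
			return JSONFormatError(fmt.Sprintf("duplicate key %q", key))
		}
		seen[key] = struct{}{}
		dst := fieldResolver(key)
		if dst == nil {
			return JSONFormatError(fmt.Sprintf("unknown key %q", key))
		}
		// Decoding straight into the typed destination makes encoding/json enforce
		// the type: 1.5 or "1" into an *int64 is an error, not a silent conversion.
		if err := dec.Decode(dst); err != nil {
			return JSONFormatError(fmt.Sprintf("field %q: %v", key, err))
		}
	}
	if _, err := dec.Token(); err != nil { // consume the closing '}'
		return JSONFormatError(err.Error())
	}
	if _, err := dec.Token(); err != io.EOF { // a second value, or garbage, after the object
		return JSONFormatError("unexpected data after JSON object")
	}
	return nil
}

// ParanoidUnmarshalJSONObjectExactFields requires every key in exactFields to be present
// exactly once (the duplicate check above supplies "at most once") and accepts no other keys.
func ParanoidUnmarshalJSONObjectExactFields(data []byte, exactFields map[string]interface{}) error {
	seen := map[string]struct{}{}
	err := ParanoidUnmarshalJSONObject(data, func(key string) interface{} {
		dst, ok := exactFields[key]
		if !ok {
			return nil
		}
		seen[key] = struct{}{}
		return dst
	})
	if err != nil {
		return err
	}
	for key := range exactFields {
		if _, ok := seen[key]; !ok {
			return JSONFormatError(fmt.Sprintf("required key %q is missing", key))
		}
	}
	return nil
}

func main() {
	// Constructed inputs: the first is valid, each of the others violates one rule.
	for _, in := range []string{
		`{"ref":"example.com/app","ts":1664409600}`,
		`{"ref":"example.com/app","ref":"evil","ts":1}`,
		`{"ref":"example.com/app","ts":1,"extra":true}`,
		`{"ref":"example.com/app","ts":1.5}`,
		`{"ref":"example.com/app"}`,
		`{"ref":"example.com/app","ts":1} {}`,
	} {
		var ref string
		var ts int64
		err := ParanoidUnmarshalJSONObjectExactFields([]byte(in), map[string]interface{}{"ref": &ref, "ts": &ts})
		fmt.Printf("%-46s -> err=%v\n", in, err)
	}
}
```

One caveat the stricter decoder does not remove: encoding/json treats a JSON null as a no-op for most destination types, so a required field whose value is null leaves the destination at its zero value without an error. Callers that must distinguish "absent" from "null" should decode into a pointer and check for nil afterwards.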

Types

type InvalidSignatureError

type InvalidSignatureError struct {
	// contains filtered or unexported fields
}

InvalidSignatureError is returned when parsing an invalid signature. This is publicly visible as signature.InvalidSignatureError.

func NewInvalidSignatureError

func NewInvalidSignatureError(msg string) InvalidSignatureError

func (InvalidSignatureError) Error

func (err InvalidSignatureError) Error() string

type JSONFormatError

type JSONFormatError string

JSONFormatError is returned when JSON does not match expected format.

func (JSONFormatError) Error

func (err JSONFormatError) Error() string

type SigstorePayloadAcceptanceRules

type SigstorePayloadAcceptanceRules struct {
	ValidateSignedDockerReference      func(string) error
	ValidateSignedDockerManifestDigest func(digest.Digest) error
}

SigstorePayloadAcceptanceRules specifies how to decide whether an untrusted payload is acceptable. The actual parsing and data extraction are centralized in VerifySigstorePayload; this struct supplies the policy. A struct is used instead of passing func parameters to verifyAndExtractSignature because the functions have the same or similar types, so there is a risk of passing them in the wrong order; named members of this struct are more explicit.

type UntrustedSigstorePayload

type UntrustedSigstorePayload struct {
	UntrustedDockerManifestDigest digest.Digest
	UntrustedDockerReference      string // FIXME: more precise type?
	UntrustedCreatorID            *string
	// This is intentionally an int64; the native JSON float64 type would allow representing _some_ sub-second precision,
	// but not nearly enough (with current timestamp values, a single unit in the last place is on the order of hundreds of nanoseconds).
	// So, this is explicitly an int64, and we reject fractional values. If we did need more precise timestamps eventually,
	// we would add another field, UntrustedTimestampNS int64.
	UntrustedTimestamp *int64
}

UntrustedSigstorePayload is the parsed content of a sigstore signature payload (not the full signature).

func NewUntrustedSigstorePayload

func NewUntrustedSigstorePayload(dockerManifestDigest digest.Digest, dockerReference string) UntrustedSigstorePayload

NewUntrustedSigstorePayload returns an UntrustedSigstorePayload object with the specified primary contents and appropriate metadata.

func VerifySigstorePayload

func VerifySigstorePayload(publicKey crypto.PublicKey, unverifiedPayload []byte, unverifiedBase64Signature string, rules SigstorePayloadAcceptanceRules) (*UntrustedSigstorePayload, error)

VerifySigstorePayload verifies that unverifiedBase64Signature of unverifiedPayload was correctly created by publicKey, and that its principal components match the expected values as specified by rules, and returns the parsed payload. It returns an *UntrustedSigstorePayload although nothing currently uses it, just to double-check against typos.
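The following is an added example, not the package's own code, showing the order of operations this function is built around: verify the signature over the raw bytes first, only then parse the payload, and only then apply the acceptance rules, with the rules passed as a struct with named members so that the two same-typed callbacks cannot be swapped. Several assumptions are made for the demonstration: the signature is ECDSA P-256 over SHA-256, ASN.1 DER encoded and base64 wrapped, and the function is narrowed to *ecdsa.PublicKey rather than crypto.PublicKey; the payload is assumed to use a cosign-style layout (critical.identity.docker-reference, critical.image.docker-manifest-digest, critical.type), which the page does not state; digest.Digest is replaced by a plain string; exactMatchRules is a hypothetical policy; and the sample payload is constructed, not taken from any registry. The strict parse uses encoding/json's DisallowUnknownFields instead of the package's paranoid decoder, which means duplicate keys are not rejected here (last one wins); the paranoid decoder is what closes that gap in the real package.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
)

// InvalidSignatureError mirrors the package's error type.
type InvalidSignatureError struct{ msg string }

func (e InvalidSignatureError) Error() string { return e.msg }

// UntrustedSigstorePayload holds the principal fields (digest.Digest replaced by a plain string).
type UntrustedSigstorePayload struct {
	UntrustedDockerManifestDigest string
	UntrustedDockerReference      string
}

// Named members, so the two same-typed callbacks cannot be swapped at a call site.
type SigstorePayloadAcceptanceRules struct {
	ValidateSignedDockerReference      func(string) error
	ValidateSignedDockerManifestDigest func(string) error
}

// wirePayload is the assumed cosign-style layout, limited to the fields used here.
type wirePayload struct {
	Critical struct {
		Identity struct{ DockerReference string `json:"docker-reference"` }         `json:"identity"`
		Image    struct{ DockerManifestDigest string `json:"docker-manifest-digest"` } `json:"image"`
		Type     string                                                                 `json:"type"`
	} `json:"critical"`
}

// VerifySigstorePayload: verify the signature first, parse second, apply the rules third,
// so nothing inside unverifiedPayload is interpreted before the signature checks out.
// Narrowed to ECDSA keys (an assumption); the real function takes crypto.PublicKey.
func VerifySigstorePayload(publicKey *ecdsa.PublicKey, unverifiedPayload []byte,
	unverifiedBase64Signature string, rules SigstorePayloadAcceptanceRules) (*UntrustedSigstorePayload, error) {
	sig, err := base64.StdEncoding.DecodeString(unverifiedBase64Signature)
	h := sha256.Sum256(unverifiedPayload)
	if err != nil || !ecdsa.VerifyASN1(publicKey, h[:], sig) {
		return nil, InvalidSignatureError{"signature does not verify against the public key"}
	}
	// Strict stdlib parse: unknown fields and trailing data are rejected, but duplicate
	// keys are not (last one wins); the package's paranoid decoder closes that gap.
	var w wirePayload
	dec := json.NewDecoder(bytes.NewReader(unverifiedPayload))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&w); err != nil {
		return nil, InvalidSignatureError{"invalid payload: " + err.Error()}
	}
	if _, err := dec.Token(); err != io.EOF {
		return nil, InvalidSignatureError{"unexpected data after payload"}
	}
	p := &UntrustedSigstorePayload{
		UntrustedDockerManifestDigest: w.Critical.Image.DockerManifestDigest,
		UntrustedDockerReference:      w.Critical.Identity.DockerReference,
	}
	if err := rules.ValidateSignedDockerManifestDigest(p.UntrustedDockerManifestDigest); err != nil {
		return nil, err
	}
	if err := rules.ValidateSignedDockerReference(p.UntrustedDockerReference); err != nil {
		return nil, err
	}
	return p, nil
}

// exactMatchRules is a hypothetical policy: only one reference and one digest are acceptable.
func exactMatchRules(wantRef, wantDigest string) SigstorePayloadAcceptanceRules {
	expect := func(what, want string) func(string) error {
		return func(got string) error {
			if got == want {
				return nil
			}
			return fmt.Errorf("signed %s %q does not match expected %q", what, got, want)
		}
	}
	return SigstorePayloadAcceptanceRules{expect("reference", wantRef), expect("digest", wantDigest)}
}

// Constructed sample payload; not taken from any real registry.
const (
	sampleReference = "example.com/app:1.0"
	sampleDigest    = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
	samplePayload   = `{"critical":{"identity":{"docker-reference":"` + sampleReference + `"},"image":{"docker-manifest-digest":"` + sampleDigest + `"},"type":"cosign container image signature"}}`
)

func main() {
	// Signer side (ECDSA P-256 over SHA-256, ASN.1 DER, base64), here only for self-containment.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	h := sha256.Sum256([]byte(samplePayload))
	der, _ := ecdsa.SignASN1(rand.Reader, priv, h[:])
	sig := base64.StdEncoding.EncodeToString(der)
	p, err := VerifySigstorePayload(&priv.PublicKey, []byte(samplePayload), sig, exactMatchRules(sampleReference, sampleDigest))
	fmt.Printf("%+v %v\n", p, err)
}
```

Note that a policy failure is returned as whatever error the rule produced, not as an InvalidSignatureError: the signature was genuine, the signed content just is not what the caller expected, and callers that log or report on these errors benefit from being able to tell the two apart.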

func (UntrustedSigstorePayload) MarshalJSON

func (s UntrustedSigstorePayload) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface.

func (*UntrustedSigstorePayload) UnmarshalJSON

func (s *UntrustedSigstorePayload) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface.
