GO-2024-2727: Constellation has pods exposed to peers in VPC in github.com/edgelesssys/constellation

sigstore

package

v2.14.1 Latest Latest Go to latest Published: Dec 27, 2023 License: AGPL-3.0 Imports: 22 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/edgelesssys/constellation

Links

Open Source Insights

Documentation ¶

Overview ¶

Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only

Package sigstore is used to verify Constellation components using sigstore, cosign and rekor.

Index ¶

func IsBase64(signature []byte) error
func SignContent(password, encryptedPrivateKey, content []byte) ([]byte, error)
func VerifyWithRekor(ctx context.Context, publicKey []byte, verifier rekorVerifier, hash string) error
type CosignVerifier
- func (c CosignVerifier) VerifySignature(content, signature []byte) error
type Rekor
- func NewRekor() (*Rekor, error)
- func (r *Rekor) SearchByHash(ctx context.Context, hash string) ([]string, error)
- func (r *Rekor) VerifyEntry(ctx context.Context, uuid, publicKey string) error
type Signer
- func NewSigner(cosignPwd, privKey []byte) Signer
type Verifier
- func NewCosignVerifier(pem []byte) (Verifier, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func IsBase64 ¶ added in v2.11.0

func IsBase64(signature []byte) error

IsBase64 checks if the given byte slice is base64 encoded.

func SignContent ¶ added in v2.8.0

func SignContent(password, encryptedPrivateKey, content []byte) ([]byte, error)

SignContent signs the content with the cosign encrypted private key and corresponding cosign password.

func VerifyWithRekor ¶ added in v2.8.0

func VerifyWithRekor(ctx context.Context, publicKey []byte, verifier rekorVerifier, hash string) error

VerifyWithRekor checks if the hash of a signature is present in Rekor.

Types ¶

type CosignVerifier ¶ added in v2.8.0

type CosignVerifier struct {
	// contains filtered or unexported fields
}

CosignVerifier wraps a public key that can be used for verifying signatures.

func (CosignVerifier) VerifySignature ¶ added in v2.8.0

func (c CosignVerifier) VerifySignature(content, signature []byte) error

VerifySignature checks if the signature of content can be verified using publicKey. signature is expected to be base64 encoded. publicKey is expected to be PEM encoded.

type Rekor ¶ added in v2.2.0

type Rekor struct {
	// contains filtered or unexported fields
}

Rekor allows to interact with the transparency log at: https://rekor.sigstore.dev For more information see Rekor's Swagger definition: https://www.sigstore.dev/swagger/#/

func NewRekor ¶ added in v2.2.0

func NewRekor() (*Rekor, error)

NewRekor creates a new instance of Rekor to interact with the transparency log at: https://rekor.sigstore.dev

func (*Rekor) SearchByHash ¶ added in v2.2.0

func (r *Rekor) SearchByHash(ctx context.Context, hash string) ([]string, error)

SearchByHash searches for the hash of an artifact in Rekor transparency log. A list of UUIDs will be returned, since multiple entries could be present for a single artifact in Rekor.

func (*Rekor) VerifyEntry ¶ added in v2.2.0

func (r *Rekor) VerifyEntry(ctx context.Context, uuid, publicKey string) error

VerifyEntry performs log entry verification (see verifyLogEntry) and verifies that the provided publicKey was used to sign the entry. An error is returned if any verification fails.

type Signer ¶ added in v2.9.0

type Signer interface {
	Sign(content []byte) (res []byte, err error)
}

Signer is used to sign the version file. Used for unit testing.

func NewSigner ¶ added in v2.9.0

func NewSigner(cosignPwd, privKey []byte) Signer

NewSigner returns a new Signer.

type Verifier ¶ added in v2.9.0

type Verifier interface {
	VerifySignature(content, signature []byte) error
}

Verifier checks if the signature of content can be verified.

func NewCosignVerifier ¶ added in v2.10.0

func NewCosignVerifier(pem []byte) (Verifier, error)

NewCosignVerifier unmarshalls and validates the given pem encoded public key and returns a new CosignVerifier.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
keyselect Package keyselect is used to select the correct public key for signature verification.	Package keyselect is used to select the correct public key for signature verification.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL