Documentation

Constants
const (
	// ReleaseAnnotationConfigMapVerifier is an annotation set on a config map in the
	// release payload to indicate that this config map controls signing for the payload.
	// Only the first config map within the payload should be used, regardless of whether
	// it has data. See NewFromConfigMapData for more.
	ReleaseAnnotationConfigMapVerifier = "release.openshift.io/verification-config-map"
)

Variables
This section is empty.
Functions

Types

type Interface

type Interface interface {
	// Verify should return nil if the provided release digest has sufficient signatures to be considered
	// valid. It should return an error in all other cases.
	Verify(ctx context.Context, releaseDigest string) error
	// Signatures returns a copy of any cached signatures that have been validated
	// so far. It may return no signatures.
	Signatures() map[string][][]byte
	// Verifiers returns a copy of the verifiers in this payload.
	Verifiers() map[string]openpgp.EntityList
	// AddStore adds additional stores for signature verification.
	AddStore(additionalStore store.Store)
}
Interface performs verification of the provided content. The default implementation in this package uses the container signature format defined at https://github.com/containers/image to authenticate that a given release image digest has been signed by a trusted party.
var Reject Interface = rejectVerifier{}
Reject always fails verification.

func NewFromManifests
func NewFromManifests(manifests []manifest.Manifest, clientBuilder sigstore.HTTPClient) (Interface, error)
NewFromManifests fetches the first config map in the manifest list with the correct annotation. It returns an error if the data is not valid, or no verifier if a config map with the required annotation is not found. See the verify package for more details on the algorithm for verification. If the annotation is set, a verifier or error is always returned.

func NewReleaseVerifier
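The selection rule described above (the first annotated config map wins, even when it carries no data) and the three-way outcome of NewFromManifests (no verifier, a verifier, or an error), shown as an added illustration that is not the package's own code. The Manifest and VerifierConfig types, the verifier-public-key-* / store-* key layout and the validation rules are assumptions made for this example; the real parsing lives in NewFromConfigMapData.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ReleaseAnnotationConfigMapVerifier is the annotation documented on the page.
const ReleaseAnnotationConfigMapVerifier = "release.openshift.io/verification-config-map"

// Manifest is a hypothetical, simplified stand-in for a parsed payload
// manifest; only the fields needed to pick and read a config map are modelled.
type Manifest struct {
	Kind        string
	Name        string
	Annotations map[string]string
	Data        map[string]string
}

// VerifierConfig is the hypothetical parsed form of a verification config map.
type VerifierConfig struct {
	Source     string
	PublicKeys map[string]string // key name -> armored public key block
	Stores     []string          // signature store locations, sorted
}

var ErrInvalidVerifierConfig = errors.New("verification config map lists no public key or no store")

// FirstVerifierConfigMap returns the first config map carrying the annotation,
// or nil when none does. Data is deliberately not consulted: per the page, only
// the first annotated config map counts, whether or not it has data.
func FirstVerifierConfigMap(manifests []Manifest) *Manifest {
	for i := range manifests {
		m := &manifests[i]
		if m.Kind != "ConfigMap" {
			continue
		}
		if _, ok := m.Annotations[ReleaseAnnotationConfigMapVerifier]; ok {
			return m
		}
	}
	return nil
}

// ParseVerifierConfig validates the data of the selected config map. The key
// layout (verifier-public-key-* and store-* entries) is an assumption made for
// this example; the real rules live in NewFromConfigMapData.
func ParseVerifierConfig(m *Manifest) (*VerifierConfig, error) {
	cfg := &VerifierConfig{Source: m.Name, PublicKeys: map[string]string{}}
	for k, v := range m.Data {
		switch {
		case strings.HasPrefix(k, "verifier-public-key-"):
			if !strings.HasPrefix(strings.TrimSpace(v), "-----BEGIN PGP PUBLIC KEY BLOCK-----") {
				return nil, fmt.Errorf("%s: %q is not an armored PGP public key", m.Name, k)
			}
			cfg.PublicKeys[k] = v
		case strings.HasPrefix(k, "store-"):
			cfg.Stores = append(cfg.Stores, v)
		}
	}
	if len(cfg.PublicKeys) == 0 || len(cfg.Stores) == 0 {
		return nil, fmt.Errorf("%s: %w", m.Name, ErrInvalidVerifierConfig)
	}
	sort.Strings(cfg.Stores) // map iteration order is random; keep output stable
	return cfg, nil
}

// VerifierConfigFromManifests follows the contract the page states for
// NewFromManifests: (nil, nil) when no annotated config map exists, otherwise
// either a configuration or an error, never silently nothing.
func VerifierConfigFromManifests(manifests []Manifest) (*VerifierConfig, error) {
	m := FirstVerifierConfigMap(manifests)
	if m == nil {
		return nil, nil
	}
	return ParseVerifierConfig(m)
}

func main() {
	// Constructed payload: an empty annotated config map precedes a complete one,
	// so the empty one is selected and the result is an error, not the good map.
	ann := map[string]string{ReleaseAnnotationConfigMapVerifier: "true"}
	payload := []Manifest{
		{Kind: "ConfigMap", Name: "empty", Annotations: ann},
		{Kind: "ConfigMap", Name: "good", Annotations: ann, Data: map[string]string{
			"verifier-public-key-ci": "-----BEGIN PGP PUBLIC KEY BLOCK-----\nconstructed\n-----END PGP PUBLIC KEY BLOCK-----",
			"store-local":            "file:///tmp/constructed-sigs"}},
	}
	cfg, err := VerifierConfigFromManifests(payload)
	fmt.Printf("cfg=%v err=%v\n", cfg, err)
}
```

The point of the ordering check in main is the one the annotation's doc comment makes: a payload author cannot recover from a broken first config map by appending a second one, so a mis-ordered payload fails closed rather than picking up whichever config map happens to parse.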
NewReleaseVerifier creates a release verifier for the provided inputs.
type PersistentSignatureStore

type PersistentSignatureStore interface {
	// Store saves the provided signatures or returns an error. If context
	// reaches its deadline the store should be cancelled.
	Store(ctx context.Context, signatures map[string][][]byte) error
}
PersistentSignatureStore is a store that can save signatures for later recovery.
type SignatureSource

type SignatureSource interface {
	// Signatures returns a list of valid signatures for release digests.
	Signatures() map[string][][]byte
}
SignatureSource provides a set of signatures by digest to save.
type StorePersister
type StorePersister struct {
// contains filtered or unexported fields
}
StorePersister saves signatures into store periodically.
func NewSignatureStorePersister
func NewSignatureStorePersister(dst PersistentSignatureStore, src SignatureSource) *StorePersister
NewSignatureStorePersister creates an instance that can save signatures into the destination store.
func (*StorePersister) Run
func (p *StorePersister) Run(ctx context.Context, interval time.Duration)
Run flushes signatures to the provided store every interval or until the context is finished. After context is done, it runs one more time to attempt to flush the current state. It does not return until that last store completes.
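The Run contract described above (flush every interval, one more flush after the context is done, no return until that last Store completes), together with the PersistentSignatureStore and SignatureSource interfaces, as an added example that is not the package's own implementation. The MemoryStore and ValidatedSignatures types, the five-second bound on the final flush and the decision to run that flush on a fresh context are all choices made for this example.

```go
package main
import (
	"context"
	"fmt"
	"sync"
	"time"
)

// The two interfaces below repeat the page's; the rest is example code.
type PersistentSignatureStore interface {
	Store(ctx context.Context, signatures map[string][][]byte) error
}

type SignatureSource interface {
	Signatures() map[string][][]byte
}

// StorePersister periodically copies src's validated signatures into dst.
type StorePersister struct {
	dst PersistentSignatureStore
	src SignatureSource
}

func NewSignatureStorePersister(dst PersistentSignatureStore, src SignatureSource) *StorePersister {
	return &StorePersister{dst: dst, src: src}
}

// Run flushes every interval until ctx is done, then flushes once more and only
// returns after that last Store completes. That final flush gets a fresh, bounded
// context (this example's choice): ctx is already cancelled by then.
func (p *StorePersister) Run(ctx context.Context, interval time.Duration) {
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	for {
		select {
		case <-ticker.C:
			if err := p.dst.Store(ctx, p.src.Signatures()); err != nil {
				fmt.Printf("periodic signature flush failed: %v\n", err)
			}
		case <-ctx.Done():
			flushCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
			defer cancel()
			if err := p.dst.Store(flushCtx, p.src.Signatures()); err != nil {
				fmt.Printf("final signature flush failed: %v\n", err)
			}
			return
		}
	}
}

// MemoryStore keeps the last snapshot it was handed and counts writes. It refuses
// a cancelled context, which is exactly why the final flush needs a fresh one.
type MemoryStore struct {
	mu     sync.Mutex
	saved  map[string][][]byte
	writes int
}

func (m *MemoryStore) Store(ctx context.Context, sigs map[string][][]byte) error {
	if err := ctx.Err(); err != nil {
		return err
	}
	m.mu.Lock()
	defer m.mu.Unlock()
	m.saved = copySignatures(sigs)
	m.writes++
	return nil
}

func (m *MemoryStore) Snapshot() (map[string][][]byte, int) {
	m.mu.Lock()
	defer m.mu.Unlock()
	return copySignatures(m.saved), m.writes
}

// ValidatedSignatures is a minimal SignatureSource (a real one would lock the map).
type ValidatedSignatures map[string][][]byte

func (v ValidatedSignatures) Signatures() map[string][][]byte { return copySignatures(v) }

// copySignatures deep-copies the map so cached signature bytes are never shared.
func copySignatures(in map[string][][]byte) map[string][][]byte {
	out := make(map[string][][]byte, len(in))
	for digest, sigs := range in {
		for _, s := range sigs {
			out[digest] = append(out[digest], append([]byte(nil), s...))
		}
	}
	return out
}

func main() {
	src, dst := ValidatedSignatures{"sha256:constructed-digest": {[]byte("constructed-sig")}}, &MemoryStore{}
	ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
	defer cancel()
	NewSignatureStorePersister(dst, src).Run(ctx, 10*time.Millisecond)
	saved, writes := dst.Snapshot()
	fmt.Printf("writes=%d digests=%d\n", writes, len(saved))
}
```

Two details carry the security weight. Every map handed across the boundary is deep-copied, matching the "returns a copy" wording of Interface.Signatures, so a store cannot mutate the verifier's cache of validated signatures. And the final flush runs on a context that is not the cancelled one: a store that honours cancellation (as PersistentSignatureStore is documented to) would otherwise reject the very write that is meant to persist the last state before shutdown.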
Directories

Path | Synopsis
---|---
store | Package store defines generic interfaces for signature stores.
store/memory | Package memory implements an in-memory signature store.
store/parallel | Package parallel combines several signature stores in a single store.
store/serial | Package serial combines several signature stores in a single store.
store/sigstore | Package sigstore retrieves signatures using the sig-store protocol described in [1].