payload

package
v1.0.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 15, 2023 License: Apache-2.0 Imports: 3 Imported by: 0

Documentation

Overview

Package payload contains types and utilities related to the Cosign signature format.

Package payload defines a container image

Index

Constants

View Source
const CosignSignatureType = "cosign container image signature"

CosignSignatureType is the value of `critical.type` in a SimpleContainerImage payload.

Variables

This section is empty.

Functions

This section is empty.

Types

type Cosign

type Cosign struct {
	Image name.Digest
	// ClaimedIdentity is what the signer claims the image to be; usually a registry.com/…/repo:tag, but can also use a digest instead.
	// ALMOST ALL consumers MUST verify that ClaimedIdentity in the signature is correct given how user refers to the image;
	// e.g. if the user asks to access a signed image example.com/repo/mysql:3.14,
	// it is ALMOST ALWAYS necessary to validate that ClaimedIdentity = example.com/repo/mysql:3.14
	//
	// Considerations:
	// - The user might refer to an image using a digest (example.com/repo/mysql@sha256:…); in that case the registry/…/repo should still match
	// - If the image is multi-arch, ClaimedIdentity usually refers to the top-level multi-arch image index also on the per-arch images
	//   (possibly even if ClaimedIdentity contains a digest!)
	// - Older versions of cosign generate signatures where ClaimedIdentity only contains a registry/…/repo ; signature consumers should allow users
	//   to determine whether such images should be accepted (and, long-term, the default SHOULD be to reject them)
	ClaimedIdentity string
	Annotations     map[string]interface{}
}

Cosign describes a container image signed using Cosign

func (Cosign) MarshalJSON

func (p Cosign) MarshalJSON() ([]byte, error)

MarshalJSON marshals the container signature into a []byte of JSON data

func (Cosign) SimpleContainerImage

func (p Cosign) SimpleContainerImage() SimpleContainerImage

SimpleContainerImage returns information about a container image in the github.com/containers/image/signature format

func (*Cosign) UnmarshalJSON

func (p *Cosign) UnmarshalJSON(data []byte) error

UnmarshalJSON unmarshals []byte of JSON data into a container signature object

type Critical

type Critical struct {
	Identity Identity `json:"identity"` // Identity claimed identity of the image
	Image    Image    `json:"image"`    // Image identifies the container that the signature applies to
	Type     string   `json:"type"`     // Type must be 'atomic container signature'
}

Critical data critical to correctly evaluating the validity of a signature

type Identity

type Identity struct {
	DockerReference string `json:"docker-reference"` // DockerReference is a reference used to refer to or download the image
}

Identity is the claimed identity of the image

type Image

type Image struct {
	DockerManifestDigest string `json:"docker-manifest-digest"` // DockerManifestDigest the manifest digest of the signed container image
}

Image identifies the container image that the signature applies to

type SimpleContainerImage

type SimpleContainerImage struct {
	Critical Critical               `json:"critical"` // Critical data critical to correctly evaluating the validity of the signature
	Optional map[string]interface{} `json:"optional"` // Optional optional metadata about the image
}

SimpleContainerImage describes the structure of a basic container image signature payload, as defined at: https://github.com/containers/image/blob/main/docs/containers-signature.5.md#json-data-format

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL