Documentation
Index
- Constants
- type Hash
- type HashScheme
- type PackageAuthentication
- func NewArchiveChecksumAuthentication(wantSHA256Sum [sha256.Size]byte) PackageAuthentication
- func NewMatchingChecksumAuthentication(document []byte, filename string, wantSHA256Sum [sha256.Size]byte) PackageAuthentication
- func NewSignatureAuthentication(document, signature []byte, keys []SigningKey) PackageAuthentication
- func PackageAuthenticationAll(checks ...PackageAuthentication) PackageAuthentication
- type PackageAuthenticationHashes
- type PackageAuthenticationResult
- type SigningKey
Constants
const HashicorpPartnersKey = `` /* 3194-byte string literal not displayed */
HashicorpPartnersKey is a key created by HashiCorp, used to generate and verify trust signatures for Partner tier providers.
const HashicorpPublicKey = `` /* 7716-byte string literal not displayed */
HashicorpPublicKey is the HashiCorp public key, also available at https://www.hashicorp.com/security
Variables
This section is empty.
Functions
This section is empty.
Types
type Hash
type Hash string
Hash is a specially-formatted string representing a checksum of a package or the contents of the package.
func HashLegacyZipSHAFromSHA
HashLegacyZipSHAFromSHA is a convenience function that produces the schemed-string Hash format from an already-calculated SHA256 hash of a provider .zip archive.
func PackageHashLegacyZipSHA
PackageHashLegacyZipSHA implements the old provider package hashing scheme of taking a SHA256 hash of the containing .zip archive itself, rather than of the contents of the archive.
type HashScheme
type HashScheme string
HashScheme is an enumeration of hash scheme identifiers; each identifier is used as the prefix of a Hash value.
const (
	// HashSchemeZip is the scheme identifier for the legacy hash scheme
	// that applies to distribution archives (.zip files) rather than
	// package contents.
	HashSchemeZip HashScheme = HashScheme("zh:")
)
func (HashScheme) New
func (scheme HashScheme) New(value string) Hash
New creates a new Hash value with the receiver as its scheme and the given raw string as its value.
type PackageAuthentication
type PackageAuthentication interface {
	// Authenticate takes the path of a package and returns a
	// PackageAuthenticationResult, or an error if the authentication
	// checks fail.
	Authenticate(path string) (*PackageAuthenticationResult, error)
}
A PackageAuthentication implementation is responsible for authenticating that a package is what its distributor intended to distribute and that it has not been tampered with.
func NewArchiveChecksumAuthentication
func NewArchiveChecksumAuthentication(wantSHA256Sum [sha256.Size]byte) PackageAuthentication
NewArchiveChecksumAuthentication returns a PackageAuthentication implementation that checks that the original distribution archive matches the given hash.
func NewMatchingChecksumAuthentication
func NewMatchingChecksumAuthentication(document []byte, filename string, wantSHA256Sum [sha256.Size]byte) PackageAuthentication
NewMatchingChecksumAuthentication returns a PackageAuthentication implementation that scans a registry-provided SHA256SUMS document for the specified filename and compares the SHA256 hash recorded there against the expected hash.
func NewSignatureAuthentication
func NewSignatureAuthentication(document, signature []byte, keys []SigningKey) PackageAuthentication
NewSignatureAuthentication returns a PackageAuthentication implementation that verifies the cryptographic signature for a package against any of the provided keys.
func PackageAuthenticationAll
func PackageAuthenticationAll(checks ...PackageAuthentication) PackageAuthentication
PackageAuthenticationAll combines several authentications together into a single check value, which passes only if all of the given ones pass.
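The three checks described above (archive checksum, SHA256SUMS lookup, and the all-of combinator) as a small stand-alone Go example. This is added illustration, not this package's code: it assumes a `Check` function type that takes the archive bytes instead of a path so it can run offline, and the SHA256SUMS lines use the usual `<hex digest>  <filename>` layout.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Check mirrors PackageAuthentication.Authenticate but takes archive bytes, not a path (assumption for this example).
type Check func(archive []byte) error

// ArchiveChecksum is the "zh:" style check: the SHA-256 of the whole .zip archive must equal the expected digest.
func ArchiveChecksum(want [sha256.Size]byte) Check {
	return func(archive []byte) error {
		if sha256.Sum256(archive) != want {
			return fmt.Errorf("archive checksum does not match expected value")
		}
		return nil
	}
}

// MatchingChecksum requires the "<hex>  <name>" SHA256SUMS line for filename to carry the expected digest.
func MatchingChecksum(document []byte, filename string, want [sha256.Size]byte) Check {
	return func([]byte) error {
		for _, line := range strings.Split(string(document), "\n") {
			f := strings.Fields(line)
			if len(f) != 2 || f[1] != filename {
				continue
			}
			if !strings.EqualFold(f[0], hex.EncodeToString(want[:])) {
				return fmt.Errorf("SHA256SUMS entry for %s does not match expected value", filename)
			}
			return nil
		}
		return fmt.Errorf("%s is not listed in SHA256SUMS", filename)
	}
}

// All passes only if every check passes, like PackageAuthenticationAll.
func All(checks ...Check) Check {
	return func(archive []byte) error {
		for _, c := range checks {
			if err := c(archive); err != nil {
				return err
			}
		}
		return nil
	}
}
```

In real use the SHA256SUMS document is the one whose detached signature is verified by the signature check, so the chain is: signed document lists the digest, the digest matches the downloaded archive.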
type PackageAuthenticationHashes
type PackageAuthenticationHashes interface {
	PackageAuthentication

	// AcceptableHashes returns a set of hashes that this authenticator
	// considers to be valid for the current package or, where possible,
	// equivalent packages on other platforms.
	AcceptableHashes() []Hash
}
PackageAuthenticationHashes is an optional interface implemented by those PackageAuthentication implementations that can return the set of hashes they would accept: a package at the given path whose hash matches one of those strings would pass the check.
type PackageAuthenticationResult
type PackageAuthenticationResult int
PackageAuthenticationResult is returned by a PackageAuthentication implementation; its pointer type implements fmt.Stringer.
func NewPackageAuthenticationResult
func NewPackageAuthenticationResult(res PackageAuthenticationResult) *PackageAuthenticationResult
func (PackageAuthenticationResult) SignedByAnyParty
func (result PackageAuthenticationResult) SignedByAnyParty() bool
SignedByAnyParty returns whether the package was authenticated as signed by either HashiCorp or a third party.
func (PackageAuthenticationResult) SignedByHashiCorp
func (result PackageAuthenticationResult) SignedByHashiCorp() bool
SignedByHashiCorp returns whether the package was authenticated as signed by HashiCorp.
func (*PackageAuthenticationResult) String
func (result *PackageAuthenticationResult) String() string
func (PackageAuthenticationResult) ThirdPartySigned
func (result PackageAuthenticationResult) ThirdPartySigned() bool
ThirdPartySigned returns whether the package was authenticated as signed by a party other than HashiCorp.
type SigningKey
type SigningKey struct {
	ASCIIArmor     string `json:"ascii_armor"`
	TrustSignature string `json:"trust_signature"`
}
SigningKey represents a key used to sign packages from a registry, along with an optional trust signature from the registry operator. Both are in ASCII-armored OpenPGP format.