witness

package module
v0.5.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 13, 2024 License: Apache-2.0 Imports: 40 Imported by: 4

README

go-witness

A client library for Witness, written in Go.

Go Reference Go Report Card OpenSSF Best Practices OpenSSF Scorecard FOSSA Status

Status

This library is currently pre-1.0 and therefore the API may be subject to breaking changes.

Features

  • Creation and signing of in-toto attestations
  • Verification of in-toto attestations and associated signatures with:
  • A growing list of attestor types defined under a common interface
  • A selection of attestation sources to search for attestation collections

Documentation

For more detail regarding the library itself, we recommend viewing pkg.go.dev. For the documentation of the witness project, please view the main witness repository.

Requirements

In order to effectively contribute to this library, you will need:

  • A Unix-compatible Operating System
  • GNU Make
  • Go 1.19

Running Tests

This repository uses Go tests for testing. You can run these tests by executing make test.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Sign 

func Sign(r io.Reader, dataType string, w io.Writer, opts ...dsse.SignOption) error

func VerifySignature 

func VerifySignature(r io.Reader, verifiers ...cryptoutil.Verifier) (dsse.Envelope, error)

Types

type RunOption 

type RunOption func(ro *runOptions)

func RunWithAttestationOpts 

func RunWithAttestationOpts(opts ...attestation.AttestationContextOption) RunOption

RunWithAttestationOpts takes in any AttestationContextOptions and forwards them to the context that Run creates

func RunWithAttestors 

func RunWithAttestors(attestors []attestation.Attestor) RunOption

RunWithAttestors defines which attestors should be run and added to the resulting AttestationCollection

func RunWithInsecure added in v0.4.0 

func RunWithInsecure(insecure bool) RunOption

RunWithInsecure will allow attestations to be generated unsigned. If insecure is true, RunResult will not contain a signed DSSE envelope

func RunWithSigners added in v0.4.0 

func RunWithSigners(signers ...cryptoutil.Signer) RunOption

RunWithSigners configures the signers that will be used to sign the DSSE envelope containing the generated attestation collection.

func RunWithTimestampers 

func RunWithTimestampers(ts ...timestamp.Timestamper) RunOption

RunWithTimestampers will timestamp any signatures created on the DSSE time envelope with the provided timestampers

type RunResult 

type RunResult struct {
	Collection     attestation.Collection
	SignedEnvelope dsse.Envelope
	AttestorName   string
}

RunResult contains the generated attestation collection as well as the signed DSSE envelope, if one was created.

func Run deprecated 

func Run(stepName string, opts ...RunOption) (RunResult, error)

Deprecated: Use RunWithExports instead

func RunWithExports added in v0.4.0 

func RunWithExports(stepName string, opts ...RunOption) ([]RunResult, error)

type VerifyOption 

type VerifyOption func(*verifyOptions)

func VerifyWithAttestorOptions added in v0.4.0 

func VerifyWithAttestorOptions(opts ...policyverify.Option) VerifyOption

VerifyWithAttestorOptions forwards the provided options to the policyverify attestor.

func VerifyWithCollectionSource 

func VerifyWithCollectionSource(source source.Sourcer) VerifyOption

VerifyWithCollectionSource configures the policy engine's sources for signed attestation collections. For example: disk or archivista are two typical sources.

func VerifyWithPolicyCAIntermediates added in v0.2.3 

func VerifyWithPolicyCAIntermediates(certs []*x509.Certificate) VerifyOption

func VerifyWithPolicyCARoots added in v0.2.2 

func VerifyWithPolicyCARoots(certs []*x509.Certificate) VerifyOption

func VerifyWithPolicyCertConstraints added in v0.3.0 

func VerifyWithPolicyCertConstraints(commonName string, dnsNames []string, emails []string, organizations []string, uris []string) VerifyOption

func VerifyWithPolicyFulcioCertExtensions added in v0.4.0 

func VerifyWithPolicyFulcioCertExtensions(extensions certificate.Extensions) VerifyOption

func VerifyWithPolicyTimestampAuthorities added in v0.2.2 

func VerifyWithPolicyTimestampAuthorities(verifiers []timestamp.TimestampVerifier) VerifyOption

func VerifyWithRunOptions added in v0.4.0 

func VerifyWithRunOptions(opts ...RunOption) VerifyOption

VerifyWithRunOptions forwards the provided RunOptions to the Run function that Verify calls.

func VerifyWithSigners added in v0.4.0 

func VerifyWithSigners(signers ...cryptoutil.Signer) VerifyOption

VerifyWithSigners will configure the provided signers to be used to sign a DSSE envelope with the resulting policyverify attestor. See VerifyWithRunOptions for additional options.

func VerifyWithSubjectDigests 

func VerifyWithSubjectDigests(subjectDigests []cryptoutil.DigestSet) VerifyOption

VerifyWithSubjectDigests configured the "seed" subject digests to start evaluating a policy. This is typically the digest of the software artifact or some other identifying digest.

type VerifyResult added in v0.4.0 

type VerifyResult struct {
	RunResult
	VerificationSummary slsa.VerificationSummary
	StepResults         map[string]policy.StepResult
}

func Verify 

func Verify(ctx context.Context, policyEnvelope dsse.Envelope, policyVerifiers []cryptoutil.Verifier, opts ...VerifyOption) (VerifyResult, error)

Verify verifies a set of attestations against a provided policy. The set of attestations that satisfy the policy will be returned if verifiation is successful.

Source Files

View all Source files

Directories

Path Synopsis
aws-iid
commandrun
environment
file
gcp-iit
git
github
gitlab
jwt
link
material
maven
oci
omnitrail
policyverify
product
sarif
sbom
slsa
internal
attestors
policy
test
file
fulcio
kms
kms/aws
kms/gcp
spiffe
vault

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.