witness

package module v0.7.0 Latest

Warning: This package is not in the latest version of its module.

Published: Dec 3, 2024 License: Apache-2.0 Imports: 43 Imported by: 4

README

go-witness

A client library for Witness, written in Go.


Status

This library is currently pre-1.0 and therefore the API may be subject to breaking changes.

Features

  • Creation and signing of in-toto attestations
  • Verification of in-toto attestations and associated signatures with:
      • A growing list of attestor types defined under a common interface
      • A selection of attestation sources to search for attestation collections

Documentation

For more detail regarding the library itself, we recommend viewing pkg.go.dev. For the documentation of the witness project, please view the main witness repository.

Requirements

In order to effectively contribute to this library, you will need:

  • A Unix-compatible Operating System
  • GNU Make
  • Go 1.19

Running Tests

This repository uses Go tests for testing. You can run these tests by executing make test.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Sign

func Sign(r io.Reader, dataType string, w io.Writer, opts ...dsse.SignOption) error

func VerifySignature

func VerifySignature(r io.Reader, verifiers ...cryptoutil.Verifier) (dsse.Envelope, error)

Types

type RunOption

type RunOption func(ro *runOptions)

func RunWithAttestationOpts

func RunWithAttestationOpts(opts ...attestation.AttestationContextOption) RunOption

RunWithAttestationOpts takes in any AttestationContextOptions and forwards them to the context that Run creates.

func RunWithAttestors

func RunWithAttestors(attestors []attestation.Attestor) RunOption

RunWithAttestors defines which attestors should be run and added to the resulting AttestationCollection.

func RunWithInsecure added in v0.4.0

func RunWithInsecure(insecure bool) RunOption

RunWithInsecure will allow attestations to be generated unsigned. If insecure is true, RunResult will not contain a signed DSSE envelope.

func RunWithSigners added in v0.4.0

func RunWithSigners(signers ...cryptoutil.Signer) RunOption

RunWithSigners configures the signers that will be used to sign the DSSE envelope containing the generated attestation collection.

func RunWithTimestampers

func RunWithTimestampers(ts ...timestamp.Timestamper) RunOption

RunWithTimestampers will timestamp any signatures created on the DSSE envelope with the provided timestampers.

type RunResult

type RunResult struct {
	Collection     attestation.Collection
	SignedEnvelope dsse.Envelope
	AttestorName   string
}

RunResult contains the generated attestation collection as well as the signed DSSE envelope, if one was created.

func Run deprecated

func Run(stepName string, opts ...RunOption) (RunResult, error)

Deprecated: Use RunWithExports instead.

func RunWithExports added in v0.4.0

func RunWithExports(stepName string, opts ...RunOption) ([]RunResult, error)

type VerifyOption

type VerifyOption func(*verifyOptions)

func VerifyWithAttestorOptions added in v0.4.0

func VerifyWithAttestorOptions(opts ...policyverify.Option) VerifyOption

VerifyWithAttestorOptions forwards the provided options to the policyverify attestor.

func VerifyWithCollectionSource

func VerifyWithCollectionSource(source source.Sourcer) VerifyOption

VerifyWithCollectionSource configures the policy engine's sources for signed attestation collections. Disk and archivista, for example, are two typical sources.

func VerifyWithKMSProviderOptions added in v0.7.0

func VerifyWithKMSProviderOptions(opts map[string][]func(signer.SignerProvider) (signer.SignerProvider, error)) VerifyOption

func VerifyWithPolicyCAIntermediates added in v0.2.3

func VerifyWithPolicyCAIntermediates(certs []*x509.Certificate) VerifyOption

func VerifyWithPolicyCARoots added in v0.2.2

func VerifyWithPolicyCARoots(certs []*x509.Certificate) VerifyOption

func VerifyWithPolicyCertConstraints added in v0.3.0

func VerifyWithPolicyCertConstraints(commonName string, dnsNames []string, emails []string, organizations []string, uris []string) VerifyOption

func VerifyWithPolicyFulcioCertExtensions added in v0.4.0

func VerifyWithPolicyFulcioCertExtensions(extensions certificate.Extensions) VerifyOption

func VerifyWithPolicyTimestampAuthorities added in v0.2.2

func VerifyWithPolicyTimestampAuthorities(verifiers []timestamp.TimestampVerifier) VerifyOption

func VerifyWithRunOptions added in v0.4.0

func VerifyWithRunOptions(opts ...RunOption) VerifyOption

VerifyWithRunOptions forwards the provided RunOptions to the Run function that Verify calls.

func VerifyWithSigners added in v0.4.0

func VerifyWithSigners(signers ...cryptoutil.Signer) VerifyOption

VerifyWithSigners will configure the provided signers to be used to sign a DSSE envelope with the resulting policyverify attestor. See VerifyWithRunOptions for additional options.

func VerifyWithSubjectDigests

func VerifyWithSubjectDigests(subjectDigests []cryptoutil.DigestSet) VerifyOption

VerifyWithSubjectDigests configures the "seed" subject digests from which policy evaluation starts. This is typically the digest of the software artifact or some other identifying digest.

type VerifyResult added in v0.4.0

type VerifyResult struct {
	RunResult
	VerificationSummary slsa.VerificationSummary
	StepResults         map[string]policy.StepResult
}

func Verify

func Verify(ctx context.Context, policyEnvelope dsse.Envelope, policyVerifiers []cryptoutil.Verifier, opts ...VerifyOption) (VerifyResult, error)

Verify verifies a set of attestations against a provided policy. The set of attestations that satisfy the policy will be returned if verification is successful.
