verify

package
v0.0.0-...-fc703a7 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 20, 2024 License: Apache-2.0 Imports: 29 Imported by: 1

Documentation

Index

Constants

View Source
const (
	// ReleaseAnnotationConfigMapVerifier is an annotation set on a config map in the
	// release payload to indicate that this config map controls signing for the payload.
	// Only the first config map within the payload should be used, regardless of whether
	// it has data. See NewFromConfigMapData for more.
	ReleaseAnnotationConfigMapVerifier = "release.openshift.io/verification-config-map"
)

Variables

This section is empty.

Functions

func GetSignaturesAsConfigmap

func GetSignaturesAsConfigmap(digest string, signatures [][]byte) (*corev1.ConfigMap, error)

GetSignaturesAsConfigmap returns the given signatures in a config map. Uses util.DigestToKeyPrefix to replace colon with dash when saving digest to config map.

Types

type Interface

type Interface interface {
	// Verify should return nil if the provided release digest has sufficient signatures to be considered
	// valid. It should return an error in all other cases.
	Verify(ctx context.Context, releaseDigest string) error

	// Signatures returns a copy of any cached signatures that have been validated
	// so far. It may return no signatures.
	Signatures() map[string][][]byte

	// Verifiers returns a copy of the verifiers in this payload.
	Verifiers() map[string]openpgp.EntityList

	// AddStore adds additional stores for signature verification.
	AddStore(additionalStore store.Store)
}

Interface performs verification of the provided content. The default implementation in this package uses the container signature format defined at https://github.com/containers/image to authenticate that a given release image digest has been signed by a trusted party.

var Reject Interface = rejectVerifier{}

Reject fails always fails verification.

func NewFromManifests

func NewFromManifests(manifests []manifest.Manifest, clientBuilder sigstore.HTTPClient) (Interface, error)

NewFromManifests fetches the first config map in the manifest list with the correct annotation. It returns an error if the data is not valid, or no verifier if a config map wth the required annotation is not found. See the verify package for more details on the algorithm for verification. If the annotation is set, a verifier or error is always returned.

func NewReleaseVerifier

func NewReleaseVerifier(verifiers map[string]openpgp.EntityList, store store.Store) Interface

NewReleaseVerifier creates a release verifier for the provided inputs.

type PersistentSignatureStore

type PersistentSignatureStore interface {
	// Store saves the provided signatures or return an error. If context
	// reaches its deadline the store should be cancelled.
	Store(ctx context.Context, signatures map[string][][]byte) error
}

PersistentSignatureStore is a store that can save signatures for later recovery.

type SignatureSource

type SignatureSource interface {
	// Signatures returns a list of valid signatures for release digests.
	Signatures() map[string][][]byte
}

SignatureSource provides a set of signatures by digest to save.

type StorePersister

type StorePersister struct {
	// contains filtered or unexported fields
}

StorePersister saves signatures into store periodically.

func NewSignatureStorePersister

func NewSignatureStorePersister(dst PersistentSignatureStore, src SignatureSource) *StorePersister

NewSignatureStorePersister creates an instance that can save signatures into the destination store.

func (*StorePersister) Run

func (p *StorePersister) Run(ctx context.Context, interval time.Duration)

Run flushes signatures to the provided store every interval or until the context is finished. After context is done, it runs one more time to attempt to flush the current state. It does not return until that last store completes.

Directories

Path Synopsis
Package store defines generic interfaces for signature stores.
Package store defines generic interfaces for signature stores.
memory
Package memory implements an in-memory signature store.
Package memory implements an in-memory signature store.
parallel
Package parallel combines several signature stores in a single store.
Package parallel combines several signature stores in a single store.
serial
Package serial combines several signature stores in a single store.
Package serial combines several signature stores in a single store.
sigstore
Package sigstore retrieves signatures using the sig-store protocol described in [1].
Package sigstore retrieves signatures using the sig-store protocol described in [1].

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL