slsa

Documentation

Index

• Constants
• func NewCosignSigner(key, pass []byte, id string) (*cosignSigner, error)
• func NewImageReader(fetcher ImageFetcher) *reader
• type Attester
  • func (a *Attester) AttestBuild(build *buildv1alpha2.Build, buildMetadata *cnb.BuildMetadata, pod *corev1.Pod, ...) (intoto.Statement, error)
  • func (*Attester) Sign(ctx context.Context, stmt intoto.Statement, signers ...Signer) ([]byte, error)
  • func (*Attester) Write(ctx context.Context, digestStr string, payload []byte, keychain authn.Keychain) (ggcrv1.Image, string, error)
• type BuilderDependencyFn
  • func WithVersionedObject(kind string, obj K8sObject) BuilderDependencyFn
  • func WithVersionedObjects(kind string, objs []K8sObject) BuilderDependencyFn
• type BuilderID
• type ImageFetcher
• type ImageReader
• type K8sObject
• type LifecycleProvider
• type Signer
  • func NewPKCS8Signer(key []byte, id string) (Signer, error)

Constants

const (
	DssePayloadType   = "application/vnd.dsse.envelope.v1+json"
	IntotoPayloadType = "application/vnd.in-toto+json"
)

const (
	ProjectMetadataLabel = "io.buildpacks.project.metadata"
)

Functions

func NewCosignSigner

func NewCosignSigner(key, pass []byte, id string) (*cosignSigner, error)

NewCosignSigner loads a cosign private key into a dsse signer. The main difference between this signer and the one provided by sigstore's dsse.WrappedSigner is that this signer doesn't compute the PAE when signing

func NewImageReader

func NewImageReader(fetcher ImageFetcher) *reader

Types

type Attester

type Attester struct {
	Version string

	ImageReader       ImageReader
	LifecycleProvider LifecycleProvider

	Images   config.Images
	Features config.FeatureFlags
	Config   config.Config
}

func (*Attester) AttestBuild

func (a *Attester) AttestBuild(build *buildv1alpha2.Build, buildMetadata *cnb.BuildMetadata, pod *corev1.Pod, builderAndAppKeychain authn.Keychain, builderId BuilderID, depFns ...BuilderDependencyFn) (intoto.Statement, error)

func (*Attester) Sign

func (*Attester) Sign(ctx context.Context, stmt intoto.Statement, signers ...Signer) ([]byte, error)

func (*Attester) Write

func (*Attester) Write(ctx context.Context, digestStr string, payload []byte, keychain authn.Keychain) (ggcrv1.Image, string, error)

type BuilderDependencyFn

type BuilderDependencyFn func() (slsav1.ResourceDescriptor, error)

func WithVersionedObject

func WithVersionedObject(kind string, obj K8sObject) BuilderDependencyFn

WithVersionedObject converts a kubernetes object to a SLSA ResourceDescriptor, where the name is the Kind, and the content is the json serialzed Name and ResourceVersion of the object.

func WithVersionedObjects

func WithVersionedObjects(kind string, objs []K8sObject) BuilderDependencyFn

WithVersionedObjects is the same as WithVersionedObject but handles a slice of objects. These objects must have the same GVK

type BuilderID

type BuilderID string

const (
	SignedBuildID   BuilderID = "https://kpack.io/slsa/signed-build"
	UnsignedBuildID BuilderID = "https://kpack.io/slsa/unsigned-build"
	MediaTypeJSON             = "application/json"
)

type ImageFetcher

type ImageFetcher interface {
	Fetch(keychain authn.Keychain, repoName string) (ggcrv1.Image, string, error)
}

type ImageReader

type ImageReader interface {
	Read(keychain authn.Keychain, repoName string) (string, string, map[string]string, error)
}

type K8sObject

type K8sObject interface {
	GetName() string
	GetResourceVersion() string
}

type LifecycleProvider

type LifecycleProvider interface {
	Metadata() (cnb.LifecycleMetadata, error)
}

type Signer

type Signer = dsse.Signer

func NewPKCS8Signer

func NewPKCS8Signer(key []byte, id string) (Signer, error)

NewPKCS8Signer can parse either a RSA, ECDSA, or ED25519 private key in PEM format and convert it into a dsse signer. It currently doesn't support encrypted keys.

For RSA, this uses RSASSA-PKCS1-V1_5-SIGN with SHA256 as the hash function For ECDSA, this uses rand.Reader as the source for k