Documentation ¶
Index ¶
- Constants
- func AttachedImageTag(repo name.Repository, imgDesc *remote.Descriptor, suffix string) name.Tag
- func CertToPem(c *x509.Certificate) []byte
- func FindTlogEntry(rekorClient *client.Rekor, b64Sig string, payload, pubKey []byte) (uuid string, index int64, err error)
- func GeneratePrivateKey() (*ecdsa.PrivateKey, error)
- func GetAttachedManifestForImage(imgDesc *remote.Descriptor, repo name.Repository, suffix string, ...) (*remote.Descriptor, error)
- func KeyToPem(pub crypto.PublicKey) ([]byte, error)
- func LoadCerts(pemStr string) ([]*x509.Certificate, error)
- func LoadECDSAPrivateKey(key []byte, pass []byte) (*signature.ECDSASignerVerifier, error)
- func LoadPublicKey(ctx context.Context, keyRef string) (verifier signature.Verifier, err error)
- func PemToECDSAKey(raw []byte) (*ecdsa.PublicKey, error)
- func PublicKeyPem(key signature.PublicKeyProvider, pkOpts ...signature.PublicKeyOption) ([]byte, error)
- func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error
- func UploadTLog(rekorClient *client.Rekor, signature, payload []byte, pemBytes []byte) (*models.LogEntryAnon, error)
- func VerifySET(bundlePayload cremote.BundlePayload, signature []byte, pub *ecdsa.PublicKey) error
- func VerifyTLogEntry(rekorClient *client.Rekor, uuid string) (*models.LogEntryAnon, error)
- type CheckOpts
- type Keys
- type PassFunc
- type SignedPayload
- func FetchSignaturesForDescriptor(ctx context.Context, signedDescriptor *remote.Descriptor, ...) ([]SignedPayload, error)
- func FetchSignaturesForImage(ctx context.Context, signedImgRef name.Reference, sigRepo name.Repository, ...) ([]SignedPayload, error)
- func Verify(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) ([]SignedPayload, error)
- func (sp *SignedPayload) TrustedCert(roots *x509.CertPool) error
- func (sp *SignedPayload) VerifyBundle() (bool, error)
- func (sp *SignedPayload) VerifyClaims(d *v1.Descriptor, ss *payload.SimpleContainerImage) error
- func (sp *SignedPayload) VerifySignature(verifier signature.Verifier, verifyOpts ...signature.VerifyOption) error
- func (sp *SignedPayload) VerifyTlog(rc *client.Rekor, publicKeyPem []byte) (uuid string, index int64, err error)
Constants ¶
const ( SuffixSignature = ".sig" SuffixSBOM = ".sbom" )
const ( PemType = "ENCRYPTED COSIGN PRIVATE KEY" BundleKey = "dev.sigstore.cosign/bundle" )
Variables ¶
This section is empty.
Functions ¶
func AttachedImageTag ¶ added in v0.6.0
func AttachedImageTag(repo name.Repository, imgDesc *remote.Descriptor, suffix string) name.Tag
func CertToPem ¶ added in v0.2.0
func CertToPem(c *x509.Certificate) []byte
func FindTlogEntry ¶
func GeneratePrivateKey ¶
func GeneratePrivateKey() (*ecdsa.PrivateKey, error)
func GetAttachedManifestForImage ¶ added in v0.6.0
func GetAttachedManifestForImage(imgDesc *remote.Descriptor, repo name.Repository, suffix string, opts ...remote.Option) (*remote.Descriptor, error)
func LoadECDSAPrivateKey ¶ added in v0.3.0
func LoadECDSAPrivateKey(key []byte, pass []byte) (*signature.ECDSASignerVerifier, error)
func LoadPublicKey ¶
func PublicKeyPem ¶ added in v0.3.0
func PublicKeyPem(key signature.PublicKeyProvider, pkOpts ...signature.PublicKeyOption) ([]byte, error)
func TrustedCert ¶
func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error
func UploadTLog ¶
func UploadTLog(rekorClient *client.Rekor, signature, payload []byte, pemBytes []byte) (*models.LogEntryAnon, error)
UploadTLog uploads the signature, the PEM-encoded public key (pemBytes) and the signed payload to the Rekor transparency log through rekorClient, and returns the resulting log entry (or an error if the upload fails).
func VerifyTLogEntry ¶ added in v0.4.0
Types ¶
type CheckOpts ¶
type CheckOpts struct { SignatureRepo name.Repository RegistryClientOpts []remote.Option Annotations map[string]interface{} Claims bool VerifyBundle bool RekorURL string SigVerifier signature.Verifier VerifyOpts []signature.VerifyOption PKOpts []signature.PublicKeyOption RootCerts *x509.CertPool }
CheckOpts are the options for verifying an image's signatures with Verify: the signature repository and registry client options to use, the annotations to require and whether to check claims (Claims), whether to verify the attached Rekor bundle (VerifyBundle) or consult the transparency log at RekorURL, and the trust anchor — a SigVerifier (plus VerifyOpts/PKOpts) for a known public key, or RootCerts for certificate-based verification. NOTE(review): how Verify behaves when neither SigVerifier nor RootCerts is set is not shown here; confirm against Verify before relying on it.
type Keys ¶
type Keys struct { PrivateBytes []byte PublicBytes []byte // contains filtered or unexported fields }
func GenerateKeyPair ¶
type SignedPayload ¶
type SignedPayload struct { Base64Signature string Payload []byte Cert *x509.Certificate Chain []*x509.Certificate Bundle *cremote.Bundle }
func FetchSignaturesForDescriptor ¶ added in v0.6.0
func FetchSignaturesForDescriptor(ctx context.Context, signedDescriptor *remote.Descriptor, sigRepo name.Repository, opts ...remote.Option) ([]SignedPayload, error)
func FetchSignaturesForImage ¶ added in v0.6.0
func FetchSignaturesForImage(ctx context.Context, signedImgRef name.Reference, sigRepo name.Repository, opts ...remote.Option) ([]SignedPayload, error)
func Verify ¶
func Verify(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) ([]SignedPayload, error)
Verify fetches the signatures attached to signedImgRef and runs the main cosign checks on each one in a loop — signature verification against the trust anchor in co, and the claims, bundle and transparency-log checks that co's fields enable — returning only the payloads that passed. If no payload passes, an error is returned; callers must treat the error (not merely an empty slice) as a verification failure and must not use the image.
func (*SignedPayload) TrustedCert ¶
func (sp *SignedPayload) TrustedCert(roots *x509.CertPool) error
func (*SignedPayload) VerifyBundle ¶ added in v0.4.0
func (sp *SignedPayload) VerifyBundle() (bool, error)
func (*SignedPayload) VerifyClaims ¶
func (sp *SignedPayload) VerifyClaims(d *v1.Descriptor, ss *payload.SimpleContainerImage) error
func (*SignedPayload) VerifySignature ¶ added in v0.6.0
func (sp *SignedPayload) VerifySignature(verifier signature.Verifier, verifyOpts ...signature.VerifyOption) error
func (*SignedPayload) VerifyTlog ¶