Documentation ¶
Index ¶
- Constants
- func FindTlogEntry(rekorClient *client.Rekor, b64Sig string, payload, pubKey []byte) (uuid string, index int64, err error)
- func GeneratePrivateKey() (*ecdsa.PrivateKey, error)
- func GetRekorPub() string
- func IntotoSubjectClaimVerifier(sig oci.Signature, imageDigest v1.Hash, _ map[string]interface{}) error
- func LoadECDSAPrivateKey(key []byte, pass []byte) (*signature.ECDSASignerVerifier, error)
- func PemToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error)
- func SimpleClaimVerifier(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error
- func TLogUpload(rekorClient *client.Rekor, signature, payload []byte, pemBytes []byte) (*models.LogEntryAnon, error)
- func TLogUploadInTotoAttestation(rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error)
- func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error
- func Verify(ctx context.Context, signedImgRef name.Reference, accessor Accessor, ...) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
- func VerifyAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
- func VerifyBundle(sig oci.Signature) (bool, error)
- func VerifySET(bundlePayload oci.BundlePayload, signature []byte, pub *ecdsa.PublicKey) error
- func VerifySignatures(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
- type Accessor
- type CheckOpts
- type Keys
- type PassFunc
- type SignedPayload
Constants ¶
const ( SignatureTagSuffix = ".sig" SBOMTagSuffix = ".sbom" AttestationTagSuffix = ".att" )
const ( Signature = "signature" SBOM = "sbom" Attestation = "attestation" )
const ( PrivakeKeyPemType = "ENCRYPTED COSIGN PRIVATE KEY" BundleKey = static.BundleAnnotationKey )
Variables ¶
This section is empty.
Functions ¶
func FindTlogEntry ¶
func GeneratePrivateKey ¶
func GeneratePrivateKey() (*ecdsa.PrivateKey, error)
func GetRekorPub ¶ added in v1.1.0
func GetRekorPub() string
func IntotoSubjectClaimVerifier ¶ added in v1.0.0
func IntotoSubjectClaimVerifier(sig oci.Signature, imageDigest v1.Hash, _ map[string]interface{}) error
IntotoSubjectClaimVerifier verifies that sig.Payload() is an Intoto statement which references the given image digest.
func LoadECDSAPrivateKey ¶ added in v0.3.0
func LoadECDSAPrivateKey(key []byte, pass []byte) (*signature.ECDSASignerVerifier, error)
func SimpleClaimVerifier ¶ added in v1.0.0
func SimpleClaimVerifier(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error
SimpleClaimVerifier verifies that sig.Payload() is a SimpleContainerImage payload which references the given image digest and contains the given annotations.
func TLogUpload ¶ added in v1.0.1
func TLogUpload(rekorClient *client.Rekor, signature, payload []byte, pemBytes []byte) (*models.LogEntryAnon, error)
TLogUpload will upload the signature, public key and payload to the transparency log.
func TLogUploadInTotoAttestation ¶ added in v1.0.1
func TLogUploadInTotoAttestation(rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error)
TLogUploadInTotoAttestation will upload and in-toto entry for the signature and public key to the transparency log.
func TrustedCert ¶
func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error
func Verify ¶
func Verify(ctx context.Context, signedImgRef name.Reference, accessor Accessor, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
Verify does all the main cosign checks in a loop, returning the verified signatures. If there were no valid signatures, we return an error.
func VerifyAttestations ¶ added in v1.3.0
func VerifyAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
VerifyAttestations does all the main cosign checks in a loop, returning the verified attestations. If there were no valid attestations, we return an error.
func VerifySignatures ¶ added in v1.3.0
func VerifySignatures(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
VerifySignatures does all the main cosign checks in a loop, returning the verified signatures. If there were no valid signatures, we return an error.
Types ¶
type Accessor ¶ added in v1.3.0
type Accessor func(oci.SignedEntity) (oci.Signatures, error)
Accessor is used by Verify to extract the signatures to be verified.
var ( AttestationsAccessor Accessor = func(se oci.SignedEntity) (oci.Signatures, error) { return se.Attestations() } SignaturesAccessor Accessor = func(se oci.SignedEntity) (oci.Signatures, error) { return se.Signatures() } )
type CheckOpts ¶
type CheckOpts struct { // RegistryClientOpts are the options for interacting with the container registry. RegistryClientOpts []ociremote.Option // Annotations optionally specifies image signature annotations to verify. Annotations map[string]interface{} // ClaimVerifier, if provided, verifies claims present in the oci.Signature. ClaimVerifier func(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error // RekorURL is the URL for the rekor server to use to verify signatures and public keys. RekorURL string // SigVerifier is used to verify signatures. SigVerifier signature.Verifier // PKOpts are the options provided to `SigVerifier.PublicKey()`. PKOpts []signature.PublicKeyOption // RootCerts are the root CA certs used to verify a signature's chained certificate. RootCerts *x509.CertPool // CertEmail is the email expected for a certificate to be valid. The empty string means any certificate can be valid. CertEmail string }
CheckOpts are the options for checking signatures.
type Keys ¶
type Keys struct { PrivateBytes []byte PublicBytes []byte // contains filtered or unexported fields }
func GenerateKeyPair ¶
type SignedPayload ¶
type SignedPayload struct { Base64Signature string Payload []byte Cert *x509.Certificate Chain []*x509.Certificate Bundle *oci.Bundle }