cosign

package
Published: Nov 3, 2021 License: Apache-2.0 Imports: 45 Imported by: 56


Constants

// SignatureTagSuffix is the tag suffix under which cosign stores an image's
// signatures. NOTE(review): the exact tag layout (what the suffix is appended
// to) is not visible here — confirm against the ociremote package.
const SignatureTagSuffix = ".sig"

// SBOMTagSuffix is the tag suffix under which cosign stores an image's SBOM.
const SBOMTagSuffix = ".sbom"

// AttestationTagSuffix is the tag suffix under which cosign stores an image's
// in-toto attestations.
const AttestationTagSuffix = ".att"
// Signature names the "signature" artifact kind.
const Signature = "signature"

// SBOM names the "sbom" artifact kind.
const SBOM = "sbom"

// Attestation names the "attestation" artifact kind.
const Attestation = "attestation"
// PrivakeKeyPemType is the PEM block type cosign uses for a private key that
// is encrypted under a password (see LoadECDSAPrivateKey, which takes the
// passphrase alongside the key bytes). The exported name is misspelled
// ("Privake"); it is kept as-is because renaming it would break importers.
const PrivakeKeyPemType = "ENCRYPTED COSIGN PRIVATE KEY"

// BundleKey is the annotation key under which a signature's bundle (see
// oci.Bundle and VerifyBundle) is stored. It aliases
// static.BundleAnnotationKey so both packages agree on the key.
const BundleKey = static.BundleAnnotationKey

Variables

This section is empty.

Functions

func FindTlogEntry

func FindTlogEntry(rekorClient *client.Rekor, b64Sig string, payload, pubKey []byte) (uuid string, index int64, err error)

func GeneratePrivateKey

func GeneratePrivateKey() (*ecdsa.PrivateKey, error)

func GetRekorPub added in v1.1.0

func GetRekorPub() string

func IntotoSubjectClaimVerifier added in v1.0.0

func IntotoSubjectClaimVerifier(sig oci.Signature, imageDigest v1.Hash, _ map[string]interface{}) error

IntotoSubjectClaimVerifier verifies that sig.Payload() is an in-toto statement whose subject references the given image digest. Its third (annotations) parameter is unused, so annotation constraints supplied via CheckOpts.Annotations are not enforced by this verifier — anyone relying on annotations when verifying attestations must check them separately.

func LoadECDSAPrivateKey added in v0.3.0

func LoadECDSAPrivateKey(key []byte, pass []byte) (*signature.ECDSASignerVerifier, error)

func PemToECDSAKey added in v0.4.0

func PemToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error)

func SimpleClaimVerifier added in v1.0.0

func SimpleClaimVerifier(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error

SimpleClaimVerifier verifies that sig.Payload() is a SimpleContainerImage payload which references the given image digest and contains the given annotations.

func TLogUpload added in v1.0.1

func TLogUpload(rekorClient *client.Rekor, signature, payload []byte, pemBytes []byte) (*models.LogEntryAnon, error)

TLogUpload will upload the signature, public key and payload to the transparency log.

func TLogUploadInTotoAttestation added in v1.0.1

func TLogUploadInTotoAttestation(rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error)

TLogUploadInTotoAttestation will upload an in-toto entry for the signature and public key to the transparency log.

func TrustedCert

func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error

func Verify

func Verify(ctx context.Context, signedImgRef name.Reference, accessor Accessor, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)

Verify runs the main cosign checks, in a loop, over each signature that accessor extracts from signedImgRef, and returns only the signatures that passed. If no signature passed, an error is returned rather than an empty result, so callers cannot mistake "nothing verified" for success.

func VerifyAttestations added in v1.3.0

func VerifyAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)

VerifyAttestations runs the main cosign checks, in a loop, over each attestation attached to signedImgRef, and returns only the attestations that passed. If no attestation passed, an error is returned rather than an empty result.

func VerifyBundle added in v1.3.0

func VerifyBundle(sig oci.Signature) (bool, error)

func VerifySET added in v0.6.0

func VerifySET(bundlePayload oci.BundlePayload, signature []byte, pub *ecdsa.PublicKey) error

func VerifySignatures added in v1.3.0

func VerifySignatures(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)

VerifySignatures runs the main cosign checks, in a loop, over each signature attached to signedImgRef, and returns only the signatures that passed. If no signature passed, an error is returned rather than an empty result.

Types

type Accessor added in v1.3.0

type Accessor func(oci.SignedEntity) (oci.Signatures, error)

Accessor is used by Verify to extract, from a signed entity, the set of signatures (or attestations) that are to be verified.

// The two Accessors Verify is expected to be called with: one selecting the
// entity's attestations, the other its signatures. They only choose which
// set is examined; every check in CheckOpts still applies to each element.
var (
	AttestationsAccessor Accessor = func(se oci.SignedEntity) (oci.Signatures, error) { return se.Attestations() }
	SignaturesAccessor   Accessor = func(se oci.SignedEntity) (oci.Signatures, error) { return se.Signatures() }
)

type CheckOpts

type CheckOpts struct {
	// RegistryClientOpts are the options for interacting with the container registry.
	RegistryClientOpts []ociremote.Option

	// Annotations optionally specifies image signature annotations to verify.
	// They are only meaningful through ClaimVerifier; note that
	// IntotoSubjectClaimVerifier discards its annotations argument, so they are
	// not enforced when verifying attestations with that verifier.
	Annotations map[string]interface{}
	// ClaimVerifier, if provided, verifies claims present in the oci.Signature.
	// It receives the digest of the image under verification and (presumably,
	// confirm in Verify) this struct's Annotations; see SimpleClaimVerifier and
	// IntotoSubjectClaimVerifier for the two provided implementations.
	ClaimVerifier func(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error

	// RekorURL is the URL for the rekor server to use to verify signatures and public keys.
	RekorURL string

	// SigVerifier is used to verify signatures.
	SigVerifier signature.Verifier
	// PKOpts are the options provided to `SigVerifier.PublicKey()`.
	PKOpts []signature.PublicKeyOption

	// RootCerts are the root CA certs used to verify a signature's chained certificate.
	RootCerts *x509.CertPool
	// CertEmail is the email expected for a certificate to be valid. The empty string means any certificate can be valid.
	// SECURITY: with CertEmail empty, any identity whose certificate chains to
	// RootCerts is accepted, so a verification policy that relies on
	// certificates should set it. There is no field in this struct for pinning
	// the certificate's issuer or other identity attributes; callers needing
	// that must check the certificates they get back themselves.
	CertEmail string
}

CheckOpts are the options for checking signatures and attestations; the same struct is consumed by Verify, VerifySignatures and VerifyAttestations.

type Keys

type Keys struct {
	// PrivateBytes holds the private key material as produced by
	// GenerateKeyPair. NOTE(review): given the PrivakeKeyPemType block type and
	// the PassFunc GenerateKeyPair takes, this is presumably PEM encrypted
	// under Password() — confirm before persisting it anywhere less protected
	// than a key file.
	PrivateBytes []byte
	// PublicBytes holds the corresponding public key, presumably PEM-encoded
	// (see PemToECDSAKey) — confirm in GenerateKeyPair.
	PublicBytes []byte
	// contains filtered or unexported fields
}

func GenerateKeyPair

func GenerateKeyPair(pf PassFunc) (*Keys, error)

func (*Keys) Password added in v0.5.0

func (k *Keys) Password() []byte

type PassFunc

type PassFunc func(bool) ([]byte, error)

type SignedPayload

type SignedPayload struct {
	// Base64Signature is the base64-encoded signature, in the same form
	// FindTlogEntry takes as b64Sig.
	Base64Signature string
	// Payload is the raw bytes that were signed.
	Payload []byte
	// Cert is the certificate accompanying the signature, or nil when the
	// signature carries none. NOTE(review): that nil-ness is inferred from the
	// pointer type — confirm how FetchSignaturesForReference populates it.
	Cert *x509.Certificate
	// Chain holds any intermediate certificates accompanying Cert.
	Chain []*x509.Certificate
	// Bundle is the signature's bundle, if one was attached (see VerifyBundle);
	// nil otherwise.
	Bundle *oci.Bundle
}

func FetchSignaturesForReference added in v1.2.1

func FetchSignaturesForReference(ctx context.Context, ref name.Reference, opts ...ociremote.Option) ([]SignedPayload, error)

Directories

Path Synopsis
git
