cosign

package
v1.3.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 11, 2021 License: Apache-2.0 Imports: 46 Imported by: 56

Documentation

Index

Constants

View Source 
const (
	SignatureTagSuffix   = ".sig"
	SBOMTagSuffix        = ".sbom"
	AttestationTagSuffix = ".att"
)
View Source 
const (
	Signature   = "signature"
	SBOM        = "sbom"
	Attestation = "attestation"
)
View Source 
const (
	PrivakeKeyPemType = "ENCRYPTED COSIGN PRIVATE KEY"

	BundleKey = static.BundleAnnotationKey
)

Variables

This section is empty.

Functions

func FindTLogEntriesByPayload added in v1.3.1 

func FindTLogEntriesByPayload(rekorClient *client.Rekor, payload []byte) (uuids []string, err error)

func FindTlogEntry 

func FindTlogEntry(rekorClient *client.Rekor, b64Sig string, payload, pubKey []byte) (uuid string, index int64, err error)

func GeneratePrivateKey 

func GeneratePrivateKey() (*ecdsa.PrivateKey, error)

func GetRekorPub added in v1.1.0 

func GetRekorPub() string

func GetTlogEntry added in v1.3.1 

func GetTlogEntry(rekorClient *client.Rekor, uuid string) (*models.LogEntryAnon, error)

func IntotoSubjectClaimVerifier added in v1.0.0 

func IntotoSubjectClaimVerifier(sig oci.Signature, imageDigest v1.Hash, _ map[string]interface{}) error

IntotoSubjectClaimVerifier verifies that sig.Payload() is an Intoto statement which references the given image digest.

func LoadECDSAPrivateKey added in v0.3.0 

func LoadECDSAPrivateKey(key []byte, pass []byte) (*signature.ECDSASignerVerifier, error)

func PemToECDSAKey added in v0.4.0 

func PemToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error)

func SimpleClaimVerifier added in v1.0.0 

func SimpleClaimVerifier(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error

SimpleClaimVerifier verifies that sig.Payload() is a SimpleContainerImage payload which references the given image digest and contains the given annotations.

func TLogUpload added in v1.0.1 

func TLogUpload(rekorClient *client.Rekor, signature, payload []byte, pemBytes []byte, timeout time.Duration) (*models.LogEntryAnon, error)

TLogUpload will upload the signature, public key and payload to the transparency log.

func TLogUploadInTotoAttestation added in v1.0.1 

func TLogUploadInTotoAttestation(rekorClient *client.Rekor, signature, pemBytes []byte, timeout time.Duration) (*models.LogEntryAnon, error)

TLogUploadInTotoAttestation will upload and in-toto entry for the signature and public key to the transparency log.

func TrustedCert 

func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error

func VerifyBundle added in v1.3.0 

func VerifyBundle(sig oci.Signature) (bool, error)

func VerifyImageAttestations added in v1.3.1 

func VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)

VerifyAttestations does all the main cosign checks in a loop, returning the verified attestations. If there were no valid attestations, we return an error.

func VerifyImageSignatures added in v1.3.1 

func VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)

VerifySignatures does all the main cosign checks in a loop, returning the verified signatures. If there were no valid signatures, we return an error.

func VerifySET added in v0.6.0 

func VerifySET(bundlePayload oci.BundlePayload, signature []byte, pub *ecdsa.PublicKey) error

Types

type CheckOpts 

type CheckOpts struct {
	// RegistryClientOpts are the options for interacting with the container registry.
	RegistryClientOpts []ociremote.Option

	// Annotations optionally specifies image signature annotations to verify.
	Annotations map[string]interface{}
	// ClaimVerifier, if provided, verifies claims present in the oci.Signature.
	ClaimVerifier func(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error

	// RekorURL is the URL for the rekor server to use to verify signatures and public keys.
	RekorURL string

	// SigVerifier is used to verify signatures.
	SigVerifier signature.Verifier
	// PKOpts are the options provided to `SigVerifier.PublicKey()`.
	PKOpts []signature.PublicKeyOption

	// RootCerts are the root CA certs used to verify a signature's chained certificate.
	RootCerts *x509.CertPool
	// CertEmail is the email expected for a certificate to be valid. The empty string means any certificate can be valid.
	CertEmail string
}

CheckOpts are the options for checking signatures.

type Keys 

type Keys struct {
	PrivateBytes []byte
	PublicBytes  []byte
	// contains filtered or unexported fields
}

func GenerateKeyPair 

func GenerateKeyPair(pf PassFunc) (*Keys, error)

func (*Keys) Password added in v0.5.0 

func (k *Keys) Password() []byte

type PassFunc 

type PassFunc func(bool) ([]byte, error)

type SignedPayload 

type SignedPayload struct {
	Base64Signature string
	Payload         []byte
	Cert            *x509.Certificate
	Chain           []*x509.Certificate
	Bundle          *oci.Bundle
}

func FetchSignaturesForReference added in v1.2.1 

func FetchSignaturesForReference(ctx context.Context, ref name.Reference, opts ...ociremote.Option) ([]SignedPayload, error)

Source Files

View all Source files

Directories

Path Synopsis
git
github
gitlab
webhook

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.