Affected by GO-2022-0326 and 4 other vulnerabilities

GO-2022-0326: Improper certificate validation in github.com/sigstore/cosign

GO-2022-0998: Improper blob verification in github.com/sigstore/cosign

GO-2023-2181: Denial of service attack from remote registry in github.com/sigstore/cosign

GO-2024-2718: Cosign malicious attachments can cause system-wide denial of service in github.com/sigstore/cosign

GO-2024-2719: Cosign malicious artifacts can cause machine-wide DoS in github.com/sigstore/cosign

The highest tagged major version is v2.

cosign

package

v0.1.0 Latest Latest Go to latest Published: Mar 20, 2021 License: Apache-2.0 Imports: 44 Imported by: 56

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/sigstore/cosign

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func Descriptors(ref name.Reference) ([]v1.Descriptor, error)
func Experimental() bool
func FindTlogEntry(rekorClient *client.Rekor, b64Sig string, payload, pubKey []byte) (string, error)
func GeneratePrivateKey() (*ecdsa.PrivateKey, error)
func LoadCerts(pemStr string) ([]*x509.Certificate, error)
func LoadPrivateKey(key []byte, pass []byte) (*ecdsa.PrivateKey, error)
func LoadPublicKey(keyRef string) (*ecdsa.PublicKey, error)
func MarshalPublicKey(pub *ecdsa.PublicKey) ([]byte, error)
func Munge(desc v1.Descriptor) string
func Payload(img v1.Descriptor, a map[string]string) ([]byte, error)
func TlogServer() string
func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error
func Upload(signature, payload []byte, dstTag name.Reference, cert, chain string) error
func UploadTLog(signature, payload []byte, publicKey *ecdsa.PublicKey) (string, error)
func VerifySignature(pubkey *ecdsa.PublicKey, base64sig string, payload []byte) error
type CheckOpts
type Critical
type Identity
type Image
type Keys
- func GenerateKeyPair(pf PassFunc) (*Keys, error)
type PassFunc
type SignedPayload
- func FetchSignatures(ctx context.Context, ref name.Reference) ([]SignedPayload, *v1.Descriptor, error)
- func Verify(ctx context.Context, ref name.Reference, co CheckOpts) ([]SignedPayload, error)
- func (sp *SignedPayload) TrustedCert(roots *x509.CertPool) error
- func (sp *SignedPayload) VerifyClaims(d *v1.Descriptor, ss *SimpleSigning) error
- func (sp *SignedPayload) VerifyKey(pubKey *ecdsa.PublicKey) error
- func (sp *SignedPayload) VerifyTlog(rc *client.Rekor, publicKeyPem []byte) (string, error)
type SimpleSigning

Constants ¶

View Source

const (
	ExperimentalEnv = "COSIGN_EXPERIMENTAL"
	ServerEnv       = "REKOR_SERVER"
)

Variables ¶

This section is empty.

Functions ¶

func Descriptors ¶

func Descriptors(ref name.Reference) ([]v1.Descriptor, error)

func Experimental ¶

func Experimental() bool

func FindTlogEntry ¶

func FindTlogEntry(rekorClient *client.Rekor, b64Sig string, payload, pubKey []byte) (string, error)

func GeneratePrivateKey ¶

func GeneratePrivateKey() (*ecdsa.PrivateKey, error)

func LoadCerts ¶

func LoadCerts(pemStr string) ([]*x509.Certificate, error)

func LoadPrivateKey ¶

func LoadPrivateKey(key []byte, pass []byte) (*ecdsa.PrivateKey, error)

func LoadPublicKey ¶

func LoadPublicKey(keyRef string) (*ecdsa.PublicKey, error)

func MarshalPublicKey ¶

func MarshalPublicKey(pub *ecdsa.PublicKey) ([]byte, error)

func Munge ¶

func Munge(desc v1.Descriptor) string

func Payload ¶

func Payload(img v1.Descriptor, a map[string]string) ([]byte, error)

func TlogServer ¶

func TlogServer() string

tlogServer returns the name of the tlog server, can be overwritten via env var

func TrustedCert ¶

func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error

func Upload ¶

func Upload(signature, payload []byte, dstTag name.Reference, cert, chain string) error

func UploadTLog ¶

func UploadTLog(signature, payload []byte, publicKey *ecdsa.PublicKey) (string, error)

Upload will upload the signature, public key and payload to the tlog

func VerifySignature ¶

func VerifySignature(pubkey *ecdsa.PublicKey, base64sig string, payload []byte) error

Types ¶

type CheckOpts ¶

type CheckOpts struct {
	Annotations map[string]string
	Claims      bool
	Tlog        bool
	PubKey      *ecdsa.PublicKey
	Roots       *x509.CertPool
}

There are only payloads. Some have certs, some don't.

type Critical ¶

type Critical struct {
	Identity Identity
	Image    Image
	Type     string
}

type Identity ¶

type Identity struct {
	DockerReference string `json:"docker-reference"`
}

type Image ¶

type Image struct {
	DockerManifestDigest string `json:"Docker-manifest-digest"`
}

type Keys ¶

type Keys struct {
	PrivateBytes []byte
	PublicBytes  []byte
}

func GenerateKeyPair ¶

func GenerateKeyPair(pf PassFunc) (*Keys, error)

type PassFunc ¶

type PassFunc func(bool) ([]byte, error)

type SignedPayload ¶

type SignedPayload struct {
	Base64Signature string
	Payload         []byte
	Cert            *x509.Certificate
	Chain           []*x509.Certificate
}

func FetchSignatures ¶

func FetchSignatures(ctx context.Context, ref name.Reference) ([]SignedPayload, *v1.Descriptor, error)

func Verify ¶

func Verify(ctx context.Context, ref name.Reference, co CheckOpts) ([]SignedPayload, error)

Verify does all the main cosign checks in a loop, returning validated payloads. If there were no payloads, we return an error.

func (*SignedPayload) TrustedCert ¶

func (sp *SignedPayload) TrustedCert(roots *x509.CertPool) error

func (*SignedPayload) VerifyClaims ¶

func (sp *SignedPayload) VerifyClaims(d *v1.Descriptor, ss *SimpleSigning) error

func (*SignedPayload) VerifyKey ¶

func (sp *SignedPayload) VerifyKey(pubKey *ecdsa.PublicKey) error

func (*SignedPayload) VerifyTlog ¶

func (sp *SignedPayload) VerifyTlog(rc *client.Rekor, publicKeyPem []byte) (string, error)

type SimpleSigning ¶

type SimpleSigning struct {
	Critical Critical
	Optional map[string]string
}

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
fulcio
kms
gcp

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL