cosign

package
v0.2.0 Latest Latest
Published: Mar 29, 2021 License: Apache-2.0 Imports: 43 Imported by: 56


Constants

const (
	// ExperimentalEnv is the name of the environment variable that gates
	// experimental behaviour; presumably the variable read by Experimental() —
	// confirm in the implementation.
	ExperimentalEnv = "COSIGN_EXPERIMENTAL"

	// ServerEnv is the name of the environment variable that overrides the
	// transparency-log (Rekor) server address returned by TlogServer.
	// NOTE(review): an override here redirects where signatures are uploaded
	// and looked up, so its value should be treated as security-relevant
	// configuration, not a convenience knob.
	ServerEnv = "REKOR_SERVER"
)

Variables

This section is empty.

Functions

func CertToPem added in v0.2.0

func CertToPem(c *x509.Certificate) []byte

func Descriptors

func Descriptors(ref name.Reference) ([]v1.Descriptor, error)

func DestinationTag added in v0.2.0

func DestinationTag(ref name.Reference, img *remote.Descriptor) (name.Tag, error)

func Experimental

func Experimental() bool

func FindTlogEntry

func FindTlogEntry(rekorClient *client.Rekor, b64Sig string, payload, pubKey []byte) (string, error)

func GeneratePrivateKey

func GeneratePrivateKey() (*ecdsa.PrivateKey, error)

func ImageSignature added in v0.2.0

func ImageSignature(ctx context.Context, signer Signer, img v1.Descriptor, payloadAnnotations map[string]string) (payload, signature []byte, err error)

func KeyToPem added in v0.2.0

func KeyToPem(pub *ecdsa.PublicKey) []byte

func LoadCerts

func LoadCerts(pemStr string) ([]*x509.Certificate, error)

func LoadPrivateKey

func LoadPrivateKey(key []byte, pass []byte) (*ecdsa.PrivateKey, error)

func LoadPublicKey

func LoadPublicKey(keyRef string) (*ecdsa.PublicKey, error)

func Munge

func Munge(desc v1.Descriptor) string

func PayloadSignature added in v0.2.0

func PayloadSignature(ctx context.Context, signer Signer, payload []byte) (signature []byte, err error)

func TlogServer

func TlogServer() string

TlogServer returns the name of the tlog server; it can be overridden via an environment variable.

func TrustedCert

func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error

func Upload

func Upload(signature, payload []byte, dstTag name.Reference, cert, chain string) error

func UploadTLog

func UploadTLog(signature, payload []byte, pemBytes []byte) (string, error)

UploadTLog uploads the signature, public key and payload to the tlog.

func VerifySignature

func VerifySignature(pubkey *ecdsa.PublicKey, base64sig string, payload []byte) error

Types

type CheckOpts

// CheckOpts configures the checks that Verify runs over the signatures
// fetched for an image reference.
type CheckOpts struct {
	// Annotations presumably holds annotations that each payload must carry
	// — confirm against Verify / SignedPayload.VerifyClaims.
	Annotations map[string]string
	// Claims enables verification of the payload claims
	// (see SignedPayload.VerifyClaims).
	Claims      bool
	// Tlog enables verification against the transparency log
	// (see SignedPayload.VerifyTlog).
	Tlog        bool
	// PubKey is the key signatures are verified against
	// (see SignedPayload.VerifyKey).
	PubKey      *ecdsa.PublicKey
	// Roots is the pool a payload's certificate is validated against
	// (see SignedPayload.TrustedCert).
	// NOTE(review): how Verify behaves when both PubKey and Roots are nil is
	// not visible here — confirm that it does not accept unanchored signatures.
	Roots       *x509.CertPool
}

CheckOpts holds the options for Verify. There are only payloads; some have certs, some don't.

type Critical

// Critical is the "critical" section of a SimpleSigning payload: the
// fields a verifier is expected to check rather than ignore.
type Critical struct {
	// Identity names the image reference the signature applies to.
	Identity Identity
	// Image carries the manifest digest the signature applies to.
	Image    Image
	// Type identifies the payload type; the expected value is not shown
	// here — confirm in the implementation.
	Type     string
}

type ECDSASigner added in v0.2.0

// ECDSASigner implements Signer with an ECDSA private key. Its Sign
// method returns an ASN.1-encoded signature over the SHA-256 hash of the
// payload.
type ECDSASigner struct {
	// Key is the private key used to sign. Callers are responsible for
	// keeping it out of logs and error messages.
	Key *ecdsa.PrivateKey
}

func (*ECDSASigner) Sign added in v0.2.0

func (s *ECDSASigner) Sign(_ context.Context, payload []byte) (signature []byte, err error)

Sign returns an ASN.1-encoded signature of the SHA-256 hash of the given payload.

type ECDSAVerifier added in v0.2.0

// ECDSAVerifier implements Verifier with an ECDSA public key, the
// counterpart of ECDSASigner.
type ECDSAVerifier struct {
	// PubKey is the key signatures are checked against.
	PubKey *ecdsa.PublicKey
}

func (*ECDSAVerifier) Verify added in v0.2.0

func (v *ECDSAVerifier) Verify(_ context.Context, payload, signature []byte) error

type Identity

// Identity is the identity portion of a Critical payload section.
type Identity struct {
	// DockerReference is the image reference, serialized under the
	// "docker-reference" JSON key.
	DockerReference string `json:"docker-reference"`
}

type Image

// Image is the image portion of a Critical payload section.
type Image struct {
	// DockerManifestDigest is the manifest digest the signature covers.
	// NOTE(review): the JSON key is capitalized ("Docker-manifest-digest")
	// while Identity uses all-lowercase "docker-reference". encoding/json
	// matches keys case-insensitively on decode, so reading is tolerant, but
	// marshalled payloads carry the capitalized form; changing it now would
	// alter the bytes that existing signatures were computed over.
	DockerManifestDigest string `json:"Docker-manifest-digest"`
}

type ImagePayload added in v0.2.0

// ImagePayload pairs an image descriptor with annotations and serializes
// itself through a custom MarshalJSON.
type ImagePayload struct {
	// Img is the descriptor of the image being signed.
	Img         v1.Descriptor
	// Annotations are additional key/value pairs included in the payload.
	Annotations map[string]string
}

func (*ImagePayload) MarshalJSON added in v0.2.0

func (p *ImagePayload) MarshalJSON() ([]byte, error)

type Keys

// Keys is the serialized key pair produced by GenerateKeyPair.
type Keys struct {
	// PrivateBytes is the serialized private key. GenerateKeyPair takes a
	// PassFunc and LoadPrivateKey takes a password, so this is presumably
	// the password-protected form — confirm before writing it anywhere.
	PrivateBytes []byte
	// PublicBytes is the serialized public key.
	PublicBytes  []byte
}

func GenerateKeyPair

func GenerateKeyPair(pf PassFunc) (*Keys, error)

type PassFunc

// PassFunc supplies the password used to protect a generated private key
// (see GenerateKeyPair). The meaning of the bool argument is not documented
// here — presumably whether to ask for confirmation; confirm at the call site.
type PassFunc func(bool) ([]byte, error)

type SignedPayload

// SignedPayload is one signature fetched for an image, together with the
// payload it covers and any certificate material attached to it. The
// VerifyKey, VerifyClaims, VerifyTlog and TrustedCert methods each check
// one aspect; none of them is implied by the others.
type SignedPayload struct {
	// Base64Signature is the base64-encoded signature over Payload.
	Base64Signature string
	// Payload is the signed bytes; it is untrusted until verified.
	Payload         []byte
	// Cert is the signing certificate, if one accompanied the signature;
	// not every payload has one, so callers must handle nil.
	Cert            *x509.Certificate
	// Chain holds the intermediate certificates accompanying Cert.
	Chain           []*x509.Certificate
}

func FetchSignatures

func FetchSignatures(ctx context.Context, ref name.Reference) ([]SignedPayload, *v1.Descriptor, error)

func Verify

func Verify(ctx context.Context, ref name.Reference, co CheckOpts) ([]SignedPayload, error)

Verify runs all the main cosign checks in a loop, returning the validated payloads. If there were no payloads, an error is returned.

func (*SignedPayload) TrustedCert

func (sp *SignedPayload) TrustedCert(roots *x509.CertPool) error

func (*SignedPayload) VerifyClaims

func (sp *SignedPayload) VerifyClaims(d *v1.Descriptor, ss *SimpleSigning) error

func (*SignedPayload) VerifyKey

func (sp *SignedPayload) VerifyKey(pubKey *ecdsa.PublicKey) error

func (*SignedPayload) VerifyTlog

func (sp *SignedPayload) VerifyTlog(rc *client.Rekor, publicKeyPem []byte) (string, error)

type Signer added in v0.2.0

// Signer produces a signature over a payload. ECDSASigner is the
// implementation provided by this package.
type Signer interface {
	// Sign returns the signature for payload, or an error.
	Sign(ctx context.Context, payload []byte) (signature []byte, err error)
}

type SimpleSigning

// SimpleSigning is the structure of a signed payload: a Critical section
// that verifiers must check and an Optional map of extra data.
type SimpleSigning struct {
	// Critical holds the fields a verifier must validate.
	Critical Critical
	// Optional holds additional key/value data.
	Optional map[string]string
}

type Verifier added in v0.2.0

// Verifier checks a signature over a payload. ECDSAVerifier is the
// implementation provided by this package.
type Verifier interface {
	// Verify returns nil if signature is valid for payload, otherwise an error.
	Verify(ctx context.Context, payload, signature []byte) error
}

Directories

Path Synopsis
kms
gcp
