cosign

Published: May 5, 2021 License: Apache-2.0 Imports: 48 Imported by: 56


Constants

const (
	// PemType is the PEM block type label used for encrypted cosign private
	// keys (the literal makes the encryption explicit to anyone reading the key file).
	PemType = "ENCRYPTED COSIGN PRIVATE KEY"

	// BundleKey is the key under which a Bundle is attached to an uploaded
	// signature; the "dev.sigstore.cosign/" prefix namespaces it.
	// NOTE(review): presumably an annotation key on the signature image — confirm in Upload.
	BundleKey = "dev.sigstore.cosign/bundle"
)
const (
	// ExperimentalEnv names the environment variable consulted by Experimental.
	ExperimentalEnv = "COSIGN_EXPERIMENTAL"

	// DockerMediaTypesEnv names the environment variable consulted by DockerMediaTypes.
	DockerMediaTypesEnv = "COSIGN_DOCKER_MEDIA_TYPES"
	// ServerEnv names the environment variable that overrides the tlog server
	// address; see TlogServer. Anything in the environment of the process can
	// redirect tlog traffic through it, so treat that environment as trusted input.
	ServerEnv           = "REKOR_SERVER"
)
// SimpleSigningMediaType is the media type of a simple-signing (v1) payload,
// as the literal's "simplesigning.v1+json" suffix states.
const SimpleSigningMediaType = "application/vnd.dev.cosign.simplesigning.v1+json"

Variables

This section is empty.

Functions

func CertToPem added in v0.2.0

func CertToPem(c *x509.Certificate) []byte

func Descriptors

func Descriptors(ref name.Reference) ([]v1.Descriptor, error)

func DestinationRef added in v0.3.0

func DestinationRef(ref name.Reference, img *remote.Descriptor) (name.Reference, error)

func DockerMediaTypes added in v0.4.0

func DockerMediaTypes() bool

func Experimental

func Experimental() bool

func FindTlogEntry

func FindTlogEntry(rekorClient *client.Rekor, b64Sig string, payload, pubKey []byte) (uuid string, index int64, err error)

func GeneratePrivateKey

func GeneratePrivateKey() (*ecdsa.PrivateKey, error)

func KeyToPem added in v0.2.0

func KeyToPem(pub crypto.PublicKey) ([]byte, error)

func LoadCerts

func LoadCerts(pemStr string) ([]*x509.Certificate, error)

func LoadECDSAPrivateKey added in v0.3.0

func LoadECDSAPrivateKey(key []byte, pass []byte) (signature.ECDSASignerVerifier, error)

func Munge

func Munge(desc v1.Descriptor) string

func PemToECDSAKey added in v0.4.0

func PemToECDSAKey(raw []byte) (*ecdsa.PublicKey, error)

func PublicKeyPem added in v0.3.0

func PublicKeyPem(ctx context.Context, key signature.PublicKeyProvider) ([]byte, error)

func SignatureImage added in v0.4.0

func SignatureImage(dstTag name.Reference, opts ...remote.Option) (v1.Image, error)

SignatureImage returns the existing destination image, or a new, empty one.

func TlogServer

func TlogServer() string

TlogServer returns the name of the tlog server; it can be overridden via an environment variable.

func TrustedCert

func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error

func Upload

func Upload(ctx context.Context, signature, payload []byte, dst name.Reference, opts UploadOpts) (uploadedSig []byte, err error)

func UploadTLog

func UploadTLog(signature, payload []byte, pemBytes []byte) (*models.LogEntryAnon, error)

UploadTLog uploads the signature, public key and payload to the tlog.

func VerifyTLogEntry added in v0.4.0

func VerifyTLogEntry(rekorClient *client.Rekor, uuid string) (*models.LogEntryAnon, error)

Types

type Bundle added in v0.4.0

// Bundle holds the transparency-log entry data attached to a SignedPayload and
// checked by (*SignedPayload).VerifyBundle. NOTE(review): the field set looks
// like a subset of the Rekor LogEntryAnon returned by UploadTLog — confirm.
type Bundle struct {
	// SignedEntryTimestamp is a base64-encoded signature over the entry;
	// presumably this is what VerifyBundle checks, and the other fields are
	// only trustworthy once it has been verified — confirm against the method.
	SignedEntryTimestamp strfmt.Base64
	// Body is the decoded log entry body; its concrete type is not fixed here.
	Body                 interface{}
	// IntegratedTime is presumably the time the entry was integrated into the log.
	IntegratedTime       int64
	// LogIndex is the entry's index in the log; presumably nil when unknown — confirm.
	LogIndex             *int64
}

type CheckOpts

// CheckOpts holds the options Verify uses to decide which checks to run on
// each fetched SignedPayload. There are only payloads; some carry
// certificates and some do not.
type CheckOpts struct {
	// Annotations presumably must all appear in the signed payload for
	// VerifyClaims to pass — confirm against Verify.
	Annotations  map[string]interface{}
	// Claims presumably enables the (*SignedPayload).VerifyClaims check.
	Claims       bool
	// VerifyBundle presumably enables the (*SignedPayload).VerifyBundle check.
	VerifyBundle bool
	// Tlog presumably enables the (*SignedPayload).VerifyTlog lookup.
	Tlog         bool
	// PubKey is the verification key; presumably handed to
	// (*SignedPayload).VerifyKey — confirm.
	PubKey       PublicKey
	// Roots is the CA pool; presumably handed to (*SignedPayload).TrustedCert
	// for payloads that carry a certificate — confirm.
	Roots        *x509.CertPool
}

There are only payloads: some carry certificates, some do not.

type Keys

// Keys is the pair of serialized keys produced by GenerateKeyPair.
type Keys struct {
	// PrivateBytes is the serialized private key; presumably PEM with block
	// type PemType, i.e. passphrase-encrypted — confirm in GenerateKeyPair.
	PrivateBytes []byte
	// PublicBytes is the serialized public key; presumably PEM — confirm.
	PublicBytes  []byte
}

func GenerateKeyPair

func GenerateKeyPair(pf PassFunc) (*Keys, error)

type PassFunc

// PassFunc supplies a passphrase to GenerateKeyPair. NOTE(review): the bool
// argument is undocumented here; presumably it tells the callback whether to
// ask for confirmation — confirm before relying on it.
type PassFunc func(bool) ([]byte, error)

type PublicKey added in v0.3.0

// PublicKey is a verification key. It composes signature.Verifier (signature
// checking, the type accepted by (*SignedPayload).VerifyKey) with
// signature.PublicKeyProvider (key export, the type accepted by PublicKeyPem).
type PublicKey interface {
	signature.Verifier
	signature.PublicKeyProvider
}

func LoadPublicKey

func LoadPublicKey(ctx context.Context, keyRef string) (pub PublicKey, err error)

type SignedPayload

// SignedPayload is one signature fetched from the registry together with the
// material needed to verify it; see FetchSignatures and the Verify* methods.
type SignedPayload struct {
	// Base64Signature is the signature, base64-encoded.
	Base64Signature string
	// Payload is the signed bytes the signature covers.
	Payload         []byte
	// Cert is the signing certificate when one was attached; not every
	// payload carries one, so callers must handle nil.
	Cert            *x509.Certificate
	// Chain holds the intermediate certificates attached alongside Cert, if any.
	Chain           []*x509.Certificate
	// Bundle is the attached tlog entry checked by VerifyBundle; nil when absent.
	Bundle          *Bundle
}

func FetchSignatures

func FetchSignatures(ctx context.Context, ref name.Reference) ([]SignedPayload, *v1.Descriptor, error)

func Verify

func Verify(ctx context.Context, ref name.Reference, co *CheckOpts) ([]SignedPayload, error)

Verify does all the main cosign checks in a loop, returning validated payloads. If there were no payloads, we return an error.

func (*SignedPayload) TrustedCert

func (sp *SignedPayload) TrustedCert(roots *x509.CertPool) error

func (*SignedPayload) VerifyBundle added in v0.4.0

func (sp *SignedPayload) VerifyBundle() (bool, error)

func (*SignedPayload) VerifyClaims

func (sp *SignedPayload) VerifyClaims(d *v1.Descriptor, ss *payload.SimpleContainerImage) error

func (*SignedPayload) VerifyKey

func (sp *SignedPayload) VerifyKey(ctx context.Context, pubKey PublicKey) error

func (*SignedPayload) VerifyTlog

func (sp *SignedPayload) VerifyTlog(rc *client.Rekor, publicKeyPem []byte) (uuid string, index int64, err error)

type UploadOpts added in v0.4.0

// UploadOpts carries the optional material Upload attaches alongside the
// signature and payload.
type UploadOpts struct {
	// Cert is the signing certificate to attach; presumably PEM text — confirm.
	Cert                  string
	// Chain is the certificate chain to attach; presumably PEM text — confirm.
	Chain                 string
	// DupeDetector, when set, presumably lets Upload recognise an identical
	// signature that is already present and skip re-uploading it — confirm.
	DupeDetector          signature.Verifier
	// Bundle is the tlog entry to attach, if any; see BundleKey.
	Bundle                *Bundle
	// AdditionalAnnotations are extra annotations written alongside the signature.
	AdditionalAnnotations map[string]string
	// RemoteOpts are passed through to the registry client.
	RemoteOpts            []remote.Option
}
