cosign

package
v0.6.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 12, 2021 License: Apache-2.0 Imports: 42 Imported by: 56

Documentation

Index

Constants

View Source
const (
	SuffixSignature = ".sig"
	SuffixSBOM      = ".sbom"
)
View Source
const (
	PemType = "ENCRYPTED COSIGN PRIVATE KEY"

	BundleKey = "dev.sigstore.cosign/bundle"
)

Variables

This section is empty.

Functions

func AttachedImageTag added in v0.6.0

func AttachedImageTag(repo name.Repository, imgDesc *remote.Descriptor, suffix string) name.Tag

func CertToPem added in v0.2.0

func CertToPem(c *x509.Certificate) []byte

func FindTlogEntry

func FindTlogEntry(rekorClient *client.Rekor, b64Sig string, payload, pubKey []byte) (uuid string, index int64, err error)

func GeneratePrivateKey

func GeneratePrivateKey() (*ecdsa.PrivateKey, error)

func GetAttachedManifestForImage added in v0.6.0

func GetAttachedManifestForImage(imgDesc *remote.Descriptor, repo name.Repository, suffix string, opts ...remote.Option) (*remote.Descriptor, error)

func KeyToPem added in v0.2.0

func KeyToPem(pub crypto.PublicKey) ([]byte, error)

func LoadCerts

func LoadCerts(pemStr string) ([]*x509.Certificate, error)

func LoadECDSAPrivateKey added in v0.3.0

func LoadECDSAPrivateKey(key []byte, pass []byte) (*signature.ECDSASignerVerifier, error)

func LoadPublicKey

func LoadPublicKey(ctx context.Context, keyRef string) (verifier signature.Verifier, err error)

func PemToECDSAKey added in v0.4.0

func PemToECDSAKey(raw []byte) (*ecdsa.PublicKey, error)

func PublicKeyPem added in v0.3.0

func PublicKeyPem(key signature.PublicKeyProvider, pkOpts ...signature.PublicKeyOption) ([]byte, error)

func TrustedCert

func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error

func UploadTLog

func UploadTLog(rekorClient *client.Rekor, signature, payload []byte, pemBytes []byte) (*models.LogEntryAnon, error)

Upload will upload the signature, public key and payload to the tlog

func VerifySET added in v0.6.0

func VerifySET(bundlePayload cremote.BundlePayload, signature []byte, pub *ecdsa.PublicKey) error

func VerifyTLogEntry added in v0.4.0

func VerifyTLogEntry(rekorClient *client.Rekor, uuid string) (*models.LogEntryAnon, error)

Types

type CheckOpts

type CheckOpts struct {
	SignatureRepo      name.Repository
	RegistryClientOpts []remote.Option

	Annotations  map[string]interface{}
	Claims       bool
	VerifyBundle bool

	RekorURL string

	SigVerifier signature.Verifier
	VerifyOpts  []signature.VerifyOption
	PKOpts      []signature.PublicKeyOption

	RootCerts *x509.CertPool
}

CheckOpts are the options for checking

type Keys

type Keys struct {
	PrivateBytes []byte
	PublicBytes  []byte
	// contains filtered or unexported fields
}

func GenerateKeyPair

func GenerateKeyPair(pf PassFunc) (*Keys, error)

func (*Keys) Password added in v0.5.0

func (k *Keys) Password() []byte

type PassFunc

type PassFunc func(bool) ([]byte, error)

type SignedPayload

type SignedPayload struct {
	Base64Signature string
	Payload         []byte
	Cert            *x509.Certificate
	Chain           []*x509.Certificate
	Bundle          *cremote.Bundle
}

func FetchSignaturesForDescriptor added in v0.6.0

func FetchSignaturesForDescriptor(ctx context.Context, signedDescriptor *remote.Descriptor, sigRepo name.Repository, opts ...remote.Option) ([]SignedPayload, error)

func FetchSignaturesForImage added in v0.6.0

func FetchSignaturesForImage(ctx context.Context, signedImgRef name.Reference, sigRepo name.Repository, opts ...remote.Option) ([]SignedPayload, error)

func Verify

func Verify(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) ([]SignedPayload, error)

Verify does all the main cosign checks in a loop, returning validated payloads. If there were no payloads, we return an error.

func (*SignedPayload) TrustedCert

func (sp *SignedPayload) TrustedCert(roots *x509.CertPool) error

func (*SignedPayload) VerifyBundle added in v0.4.0

func (sp *SignedPayload) VerifyBundle() (bool, error)

func (*SignedPayload) VerifyClaims

func (sp *SignedPayload) VerifyClaims(d *v1.Descriptor, ss *payload.SimpleContainerImage) error

func (*SignedPayload) VerifySignature added in v0.6.0

func (sp *SignedPayload) VerifySignature(verifier signature.Verifier, verifyOpts ...signature.VerifyOption) error

func (*SignedPayload) VerifyTlog

func (sp *SignedPayload) VerifyTlog(rc *client.Rekor, publicKeyPem []byte) (uuid string, index int64, err error)

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL