cosign

Published: Jul 28, 2021 License: Apache-2.0 Imports: 42 Imported by: 56


Constants

const (
	// SignatureTagSuffix is the default suffix appended to the tag derived from an image
	// digest to locate its signatures (see AttachedImageTag and CheckOpts.SigTagSuffixOverride).
	SignatureTagSuffix   = ".sig"
	// SBOMTagSuffix is the suffix appended to the derived tag that holds an image's SBOM.
	SBOMTagSuffix        = ".sbom"
	// AttestationTagSuffix is the suffix appended to the derived tag that holds an image's attestations.
	AttestationTagSuffix = ".att"
)
const (
	// PrivakeKeyPemType is the PEM block type label carried by encrypted cosign private keys.
	// NOTE(review): the identifier misspells "Private"; it is exported, so renaming it would
	// break callers. A correctly spelled alias would have to be added alongside it.
	PrivakeKeyPemType = "ENCRYPTED COSIGN PRIVATE KEY"

	// BundleKey is the key under which a signature's bundle is stored (see SignedPayload.Bundle).
	// NOTE(review): presumably an annotation key on the signature layer — confirm against callers.
	BundleKey = "dev.sigstore.cosign/bundle"
)

Variables

This section is empty.

Functions

func AttachedImageTag added in v0.6.0

func AttachedImageTag(repo name.Repository, digest v1.Hash, tagSuffix string) name.Tag

func FindTlogEntry

func FindTlogEntry(rekorClient *client.Rekor, b64Sig string, payload, pubKey []byte) (uuid string, index int64, err error)

func GeneratePrivateKey

func GeneratePrivateKey() (*ecdsa.PrivateKey, error)

func IntotoSubjectClaimVerifier added in v1.0.0

func IntotoSubjectClaimVerifier(sp SignedPayload, imageDigest v1.Hash, _ map[string]interface{}) error

IntotoSubjectClaimVerifier verifies that SignedPayload.Payload is an Intoto statement which references the given image digest.

func PemToECDSAKey added in v0.4.0

func PemToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error)

func SimpleClaimVerifier added in v1.0.0

func SimpleClaimVerifier(sp SignedPayload, imageDigest v1.Hash, annotations map[string]interface{}) error

SimpleClaimVerifier verifies that SignedPayload.Payload is a SimpleContainerImage payload which references the given image digest and contains the given annotations.

func TLogUpload added in v1.0.1

func TLogUpload(rekorClient *client.Rekor, signature, payload []byte, pemBytes []byte) (*models.LogEntryAnon, error)

TLogUpload will upload the signature, public key and payload to the transparency log.

func TLogUploadInTotoAttestation added in v1.0.1

func TLogUploadInTotoAttestation(rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error)

TLogUploadInTotoAttestation will upload an in-toto entry for the signature and public key to the transparency log.

func TrustedCert

func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error

func VerifySET added in v0.6.0

func VerifySET(bundlePayload cremote.BundlePayload, signature []byte, pub *ecdsa.PublicKey) error

Types

type CheckOpts

// CheckOpts are the options consumed by Verify when checking an image's signatures.
type CheckOpts struct {
	// SignatureRepo, if set, designates the repository where image signatures are stored.
	// Otherwise, it is assumed that signatures reside in the same repo as the image itself.
	SignatureRepo name.Repository
	// SigTagSuffixOverride overrides the suffix of the derived signature image tag. Default: ".sig"
	SigTagSuffixOverride string
	// RegistryClientOpts are the options for interacting with the container registry.
	RegistryClientOpts []remote.Option

	// Annotations optionally specifies image signature annotations to verify.
	// NOTE(review): presumably handed to ClaimVerifier as its annotations argument — confirm in Verify.
	Annotations map[string]interface{}
	// ClaimVerifier, if provided, verifies claims present in the SignedPayload.
	// SimpleClaimVerifier and IntotoSubjectClaimVerifier in this package match this signature.
	ClaimVerifier func(sigPayload SignedPayload, imageDigest v1.Hash, annotations map[string]interface{}) error
	// VerifyBundle, if true, presumably asks Verify to check each signature's attached bundle
	// (see SignedPayload.VerifyBundle) — confirm in Verify.
	VerifyBundle  bool //TODO: remove in favor of SignedPayload.BundleVerified

	// RekorURL is the URL for the rekor server to use to verify signatures and public keys.
	RekorURL string

	// SigVerifier is used to verify signatures.
	SigVerifier signature.Verifier
	// VerifyOpts are the options provided to `SigVerifier.VerifySignature()`.
	VerifyOpts []signature.VerifyOption
	// PKOpts are the options provided to `SigVerifier.PublicKey()`.
	PKOpts []signature.PublicKeyOption

	// RootCerts are the root CA certs used to verify a signature's chained certificate.
	// Only certificates chaining to one of these roots are trusted (see TrustedCert).
	RootCerts *x509.CertPool
}

CheckOpts are the options for checking signatures.

type Keys

// Keys holds a key pair as produced by GenerateKeyPair.
type Keys struct {
	// PrivateBytes is the encoded private key.
	// NOTE(review): presumably encrypted with the password obtained through PassFunc
	// (cf. PrivakeKeyPemType and Password) — confirm in GenerateKeyPair.
	PrivateBytes []byte
	// PublicBytes is the encoded public key.
	PublicBytes  []byte
	// contains filtered or unexported fields
}

func GenerateKeyPair

func GenerateKeyPair(pf PassFunc) (*Keys, error)

func (*Keys) Password added in v0.5.0

func (k *Keys) Password() []byte

type PassFunc

// PassFunc returns the password that GenerateKeyPair uses for the generated key pair, or an error.
// NOTE(review): the meaning of the bool argument is not documented here — confirm against callers.
type PassFunc func(bool) ([]byte, error)

type SignedPayload

// SignedPayload is one signature fetched for an image together with the material needed
// to verify it (see FetchSignaturesForImage and Verify).
type SignedPayload struct {
	// Base64Signature is the base64-encoded signature over Payload.
	Base64Signature string
	// Payload is the signed payload; the claim verifiers expect it to be a
	// SimpleContainerImage payload or an in-toto statement.
	Payload         []byte
	// Cert is the signing certificate, if any; it is checked against trusted roots by TrustedCert.
	Cert            *x509.Certificate
	// Chain holds additional certificates, presumably the intermediates for Cert — confirm in TrustedCert.
	Chain           []*x509.Certificate
	// Bundle is the bundle attached to the signature, if any (see BundleKey, VerifyBundle and BundleVerified).
	Bundle          *cremote.Bundle
	// contains filtered or unexported fields
}

func FetchSignaturesForImage added in v0.6.0

func FetchSignaturesForImage(ctx context.Context, signedImgRef name.Reference, sigRepo name.Repository, sigTagSuffix string, registryOpts ...remote.Option) ([]SignedPayload, error)

func FetchSignaturesForImageDigest added in v1.0.0

func FetchSignaturesForImageDigest(ctx context.Context, signedImageDigest v1.Hash, sigRepo name.Repository, sigTagSuffix string, registryOpts ...remote.Option) ([]SignedPayload, error)

func Verify

func Verify(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) ([]SignedPayload, error)

Verify runs all the main cosign checks over each fetched signature and returns the validated payloads. If no payloads remain, an error is returned.

func (*SignedPayload) BundleVerified added in v1.0.1

func (sp *SignedPayload) BundleVerified() bool

func (*SignedPayload) TrustedCert

func (sp *SignedPayload) TrustedCert(roots *x509.CertPool) error

func (*SignedPayload) VerifyBundle added in v0.4.0

func (sp *SignedPayload) VerifyBundle() (bool, error)

func (*SignedPayload) VerifyClaims

func (sp *SignedPayload) VerifyClaims(digest v1.Hash, ss *payload.SimpleContainerImage) error

func (*SignedPayload) VerifySignature added in v0.6.0

func (sp *SignedPayload) VerifySignature(verifier signature.Verifier, verifyOpts ...signature.VerifyOption) error

func (*SignedPayload) VerifyTlog

func (sp *SignedPayload) VerifyTlog(rc *client.Rekor, publicKeyPem []byte) (uuid string, index int64, err error)
