cosign

package
v1.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 14, 2021 License: Apache-2.0 Imports: 45 Imported by: 56

Documentation

Index

Constants

View Source
const (
	SignatureTagSuffix   = ".sig"
	SBOMTagSuffix        = ".sbom"
	AttestationTagSuffix = ".att"
)
View Source
const (
	Signature   = "signature"
	SBOM        = "sbom"
	Attestation = "attestation"
)
View Source
const (
	PrivakeKeyPemType = "ENCRYPTED COSIGN PRIVATE KEY"

	BundleKey = "dev.sigstore.cosign/bundle"
)

Variables

This section is empty.

Functions

func AttachedImageTag added in v0.6.0

func AttachedImageTag(repo name.Repository, digest v1.Hash, tagSuffix string) name.Tag

func FindTlogEntry

func FindTlogEntry(rekorClient *client.Rekor, b64Sig string, payload, pubKey []byte) (uuid string, index int64, err error)

func GeneratePrivateKey

func GeneratePrivateKey() (*ecdsa.PrivateKey, error)

func GetRekorPub added in v1.1.0

func GetRekorPub() string

func IntotoSubjectClaimVerifier added in v1.0.0

func IntotoSubjectClaimVerifier(sp SignedPayload, imageDigest v1.Hash, _ map[string]interface{}) error

IntotoSubjectClaimVerifier verifies that SignedPayload.Payload is an Intoto statement which references the given image digest.

func LoadECDSAPrivateKey added in v0.3.0

func LoadECDSAPrivateKey(key []byte, pass []byte) (*signature.ECDSASignerVerifier, error)

func PemToECDSAKey added in v0.4.0

func PemToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error)

func SimpleClaimVerifier added in v1.0.0

func SimpleClaimVerifier(sp SignedPayload, imageDigest v1.Hash, annotations map[string]interface{}) error

SimpleClaimVerifier verifies that SignedPayload.Payload is a SimpleContainerImage payload which references the given image digest and contains the given annotations.

func TLogUpload added in v1.0.1

func TLogUpload(rekorClient *client.Rekor, signature, payload []byte, pemBytes []byte) (*models.LogEntryAnon, error)

TLogUpload will upload the signature, public key and payload to the transparency log.

func TLogUploadInTotoAttestation added in v1.0.1

func TLogUploadInTotoAttestation(rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error)

TLogUploadInTotoAttestation will upload and in-toto entry for the signature and public key to the transparency log.

func TrustedCert

func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error

func VerifySET added in v0.6.0

func VerifySET(bundlePayload cremote.BundlePayload, signature []byte, pub *ecdsa.PublicKey) error

Types

type CheckOpts

type CheckOpts struct {
	// SignatureRepo, if set, designates the repository where image signatures are stored.
	// Otherwise, it is assumed that signatures reside in the same repo as the image itself.
	SignatureRepo name.Repository
	// SigTagSuffixOverride overrides the suffix of the derived signature image tag. Default: ".sig"
	SigTagSuffixOverride string
	// RegistryClientOpts are the options for interacting with the container registry.
	RegistryClientOpts []remote.Option

	// Annotations optionally specifies image signature annotations to verify.
	Annotations map[string]interface{}
	// ClaimVerifier, if provided, verifies claims present in the SignedPayload.
	ClaimVerifier func(sigPayload SignedPayload, imageDigest v1.Hash, annotations map[string]interface{}) error
	VerifyBundle  bool //TODO: remove in favor of SignedPayload.BundleVerified

	// RekorURL is the URL for the rekor server to use to verify signatures and public keys.
	RekorURL string

	// SigVerifier is used to verify signatures.
	SigVerifier signature.Verifier
	// VerifyOpts are the options provided to `SigVerifier.VerifySignature()`.
	VerifyOpts []signature.VerifyOption
	// PKOpts are the options provided to `SigVerifier.PublicKey()`.
	PKOpts []signature.PublicKeyOption

	// RootCerts are the root CA certs used to verify a signature's chained certificate.
	RootCerts *x509.CertPool
	// CertEmail is the email expected for a certificate to be valid. The empty string means any certificate can be valid.
	CertEmail string
}

CheckOpts are the options for checking signatures.

type Keys

type Keys struct {
	PrivateBytes []byte
	PublicBytes  []byte
	// contains filtered or unexported fields
}

func GenerateKeyPair

func GenerateKeyPair(pf PassFunc) (*Keys, error)

func (*Keys) Password added in v0.5.0

func (k *Keys) Password() []byte

type PassFunc

type PassFunc func(bool) ([]byte, error)

type SignedPayload

type SignedPayload struct {
	Base64Signature string
	Payload         []byte
	Cert            *x509.Certificate
	Chain           []*x509.Certificate
	Bundle          *cremote.Bundle
	// contains filtered or unexported fields
}

func FetchSignaturesForImage added in v0.6.0

func FetchSignaturesForImage(ctx context.Context, signedImgRef name.Reference, sigRepo name.Repository, sigTagSuffix string, registryOpts ...remote.Option) ([]SignedPayload, error)

func FetchSignaturesForImageDigest added in v1.0.0

func FetchSignaturesForImageDigest(ctx context.Context, signedImageDigest v1.Hash, sigRepo name.Repository, sigTagSuffix string, registryOpts ...remote.Option) ([]SignedPayload, error)

func Verify

func Verify(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) ([]SignedPayload, error)

Verify does all the main cosign checks in a loop, returning validated payloads. If there were no payloads, we return an error.

func (*SignedPayload) BundleVerified added in v1.0.1

func (sp *SignedPayload) BundleVerified() bool

func (*SignedPayload) TrustedCert

func (sp *SignedPayload) TrustedCert(roots *x509.CertPool) error

func (*SignedPayload) VerifyBundle added in v0.4.0

func (sp *SignedPayload) VerifyBundle() (bool, error)

func (*SignedPayload) VerifyClaims

func (sp *SignedPayload) VerifyClaims(digest v1.Hash, ss *payload.SimpleContainerImage) error

func (*SignedPayload) VerifySignature added in v0.6.0

func (sp *SignedPayload) VerifySignature(verifier signature.Verifier, verifyOpts ...signature.VerifyOption) error

func (*SignedPayload) VerifyTlog

func (sp *SignedPayload) VerifyTlog(rc *client.Rekor, publicKeyPem []byte) (uuid string, index int64, err error)

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL