cosign

package
v1.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 6, 2021 License: Apache-2.0 Imports: 46 Imported by: 56

Documentation

Index

Constants

View Source
const (
	SignatureTagSuffix   = ".sig"
	SBOMTagSuffix        = ".sbom"
	AttestationTagSuffix = ".att"
)
View Source
const (
	Signature   = "signature"
	SBOM        = "sbom"
	Attestation = "attestation"
)
View Source
const (
	PrivakeKeyPemType = "ENCRYPTED COSIGN PRIVATE KEY"

	BundleKey = static.BundleAnnotationKey
)

Variables

This section is empty.

Functions

func FindTLogEntriesByPayload added in v1.3.1

func FindTLogEntriesByPayload(ctx context.Context, rekorClient *client.Rekor, payload []byte) (uuids []string, err error)

func FindTlogEntry

func FindTlogEntry(ctx context.Context, rekorClient *client.Rekor, b64Sig string, payload, pubKey []byte) (uuid string, index int64, err error)

func GeneratePrivateKey

func GeneratePrivateKey() (*ecdsa.PrivateKey, error)

func GetRekorPub added in v1.1.0

func GetRekorPub(ctx context.Context) string

func GetTlogEntry added in v1.3.1

func GetTlogEntry(ctx context.Context, rekorClient *client.Rekor, uuid string) (*models.LogEntryAnon, error)

func IntotoSubjectClaimVerifier added in v1.0.0

func IntotoSubjectClaimVerifier(sig oci.Signature, imageDigest v1.Hash, _ map[string]interface{}) error

IntotoSubjectClaimVerifier verifies that sig.Payload() is an Intoto statement which references the given image digest.

func LoadECDSAPrivateKey added in v0.3.0

func LoadECDSAPrivateKey(key []byte, pass []byte) (*signature.ECDSASignerVerifier, error)

func PemToECDSAKey added in v0.4.0

func PemToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error)

func SimpleClaimVerifier added in v1.0.0

func SimpleClaimVerifier(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error

SimpleClaimVerifier verifies that sig.Payload() is a SimpleContainerImage payload which references the given image digest and contains the given annotations.

func TLogUpload added in v1.0.1

func TLogUpload(ctx context.Context, rekorClient *client.Rekor, signature, payload []byte, pemBytes []byte) (*models.LogEntryAnon, error)

TLogUpload will upload the signature, public key and payload to the transparency log.

func TLogUploadInTotoAttestation added in v1.0.1

func TLogUploadInTotoAttestation(ctx context.Context, rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error)

TLogUploadInTotoAttestation will upload and in-toto entry for the signature and public key to the transparency log.

func TrustedCert

func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error

func VerifyBundle added in v1.3.0

func VerifyBundle(ctx context.Context, sig oci.Signature) (bool, error)

func VerifyImageAttestations added in v1.3.1

func VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)

VerifyAttestations does all the main cosign checks in a loop, returning the verified attestations. If there were no valid attestations, we return an error.

func VerifyImageSignatures added in v1.3.1

func VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)

VerifySignatures does all the main cosign checks in a loop, returning the verified signatures. If there were no valid signatures, we return an error.

func VerifySET added in v0.6.0

func VerifySET(bundlePayload oci.BundlePayload, signature []byte, pub *ecdsa.PublicKey) error

Types

type CheckOpts

type CheckOpts struct {
	// RegistryClientOpts are the options for interacting with the container registry.
	RegistryClientOpts []ociremote.Option

	// Annotations optionally specifies image signature annotations to verify.
	Annotations map[string]interface{}
	// ClaimVerifier, if provided, verifies claims present in the oci.Signature.
	ClaimVerifier func(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error

	// RekorClient, if set, is used to use to verify signatures and public keys.
	RekorClient *client.Rekor

	// SigVerifier is used to verify signatures.
	SigVerifier signature.Verifier
	// PKOpts are the options provided to `SigVerifier.PublicKey()`.
	PKOpts []signature.PublicKeyOption

	// RootCerts are the root CA certs used to verify a signature's chained certificate.
	RootCerts *x509.CertPool
	// CertEmail is the email expected for a certificate to be valid. The empty string means any certificate can be valid.
	CertEmail string

	// SignatureRef is the reference to the signature file
	SignatureRef string
}

CheckOpts are the options for checking signatures.

type Keys

type Keys struct {
	PrivateBytes []byte
	PublicBytes  []byte
	// contains filtered or unexported fields
}

func GenerateKeyPair

func GenerateKeyPair(pf PassFunc) (*Keys, error)

func (*Keys) Password added in v0.5.0

func (k *Keys) Password() []byte

type PassFunc

type PassFunc func(bool) ([]byte, error)

type SignedPayload

type SignedPayload struct {
	Base64Signature string
	Payload         []byte
	Cert            *x509.Certificate
	Chain           []*x509.Certificate
	Bundle          *oci.Bundle
}

func FetchSignaturesForReference added in v1.2.1

func FetchSignaturesForReference(ctx context.Context, ref name.Reference, opts ...ociremote.Option) ([]SignedPayload, error)

Directories

Path Synopsis
git

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL