Documentation ¶
Index ¶
- Constants
- func CheckExpiry(cert *x509.Certificate, it time.Time) error
- func FileExists(filename string) bool
- func FindTLogEntriesByPayload(ctx context.Context, rekorClient *client.Rekor, payload []byte) (uuids []string, err error)
- func FindTlogEntry(ctx context.Context, rekorClient *client.Rekor, b64Sig string, ...) (uuid string, index int64, err error)
- func GeneratePrivateKey() (*ecdsa.PrivateKey, error)
- func GetPassFromTerm(confirm bool) ([]byte, error)
- func GetRekorPub(ctx context.Context) ([]byte, error)
- func GetTlogEntry(ctx context.Context, rekorClient *client.Rekor, uuid string) (*models.LogEntryAnon, error)
- func IntotoSubjectClaimVerifier(sig oci.Signature, imageDigest v1.Hash, _ map[string]interface{}) error
- func IsTerminal() bool
- func LoadPrivateKey(key []byte, pass []byte) (signature.SignerVerifier, error)
- func PemToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error)
- func SimpleClaimVerifier(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error
- func TLogUpload(ctx context.Context, rekorClient *client.Rekor, signature, payload []byte, ...) (*models.LogEntryAnon, error)
- func TLogUploadInTotoAttestation(ctx context.Context, rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error)
- func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error
- func ValidateAndUnpackCert(cert *x509.Certificate, co *CheckOpts) (signature.Verifier, error)
- func VerifyBundle(ctx context.Context, sig oci.Signature) (bool, error)
- func VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)
- func VerifyImageSignature(ctx context.Context, sig oci.Signature, h v1.Hash, co *CheckOpts) (bundleVerified bool, err error)
- func VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
- func VerifyLocalImageAttestations(ctx context.Context, path string, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)
- func VerifyLocalImageSignatures(ctx context.Context, path string, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
- func VerifySET(bundlePayload cbundle.RekorPayload, signature []byte, pub *ecdsa.PublicKey) error
- type AttestationPayload
- type CheckOpts
- type Keys
- type KeysBytes
- type LocalSignedPayload
- type PassFunc
- type Signatures
- type SignedPayload
Constants ¶
// Tag suffixes used to locate the signature, SBOM and attestation artifacts
// that belong to an image in the registry.
// NOTE(review): presumably appended to the image's digest-derived tag —
// confirm against the ociremote package before relying on the exact layout.
const (
	SignatureTagSuffix   = ".sig"
	SBOMTagSuffix        = ".sbom"
	AttestationTagSuffix = ".att"
)
// Artifact kind names. NOTE(review): these appear to name the same three
// artifact kinds as the tag suffixes above (.sig/.sbom/.att); verify at the
// call sites that use them.
const (
	Signature   = "signature"
	SBOM        = "sbom"
	Attestation = "attestation"
)
// PEM block types recognised when loading private keys, plus the annotation
// key under which a Rekor bundle is stored.
const (
	// PEM-encoded, password-encrypted cosign private key (cosign's own format).
	CosignPrivateKeyPemType = "ENCRYPTED COSIGN PRIVATE KEY"
	// PEM-encoded PKCS #1 RSA private key
	RSAPrivateKeyPemType = "RSA PRIVATE KEY"
	// PEM-encoded ECDSA private key
	ECPrivateKeyPemType = "EC PRIVATE KEY"
	// PEM-encoded PKCS #8 RSA, ECDSA or ED25519 private key
	PrivateKeyPemType = "PRIVATE KEY"
	// BundleKey is the annotation key holding the Rekor bundle; it aliases
	// static.BundleAnnotationKey so both packages agree on the name.
	BundleKey = static.BundleAnnotationKey
)
Variables ¶
This section is empty.
Functions ¶
func CheckExpiry ¶ added in v1.5.0
func CheckExpiry(cert *x509.Certificate, it time.Time) error
CheckExpiry confirms that the provided time falls within the certificate's validity period (NotBefore through NotAfter) and returns an error otherwise.
func FileExists ¶ added in v1.5.0
TODO need to centralize this logic
func FindTLogEntriesByPayload ¶ added in v1.3.1
func FindTlogEntry ¶
func GeneratePrivateKey ¶
func GeneratePrivateKey() (*ecdsa.PrivateKey, error)
func GetPassFromTerm ¶ added in v1.5.0
func GetRekorPub ¶ added in v1.1.0
GetRekorPub retrieves the Rekor public key from the embedded or cached TUF root. If the cached TUF metadata has expired, it makes a network call to fetch the updated target. Callers that need strictly offline verification should be aware of this possible network dependency.
func GetTlogEntry ¶ added in v1.3.1
func IntotoSubjectClaimVerifier ¶ added in v1.0.0
func IntotoSubjectClaimVerifier(sig oci.Signature, imageDigest v1.Hash, _ map[string]interface{}) error
IntotoSubjectClaimVerifier verifies that sig.Payload() is an in-toto statement whose subject references the given image digest.
func IsTerminal ¶ added in v1.5.0
func IsTerminal() bool
func LoadPrivateKey ¶
func LoadPrivateKey(key []byte, pass []byte) (signature.SignerVerifier, error)
func SimpleClaimVerifier ¶ added in v1.0.0
func SimpleClaimVerifier(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error
SimpleClaimVerifier verifies that sig.Payload() is a SimpleContainerImage payload which references the given image digest and contains the given annotations.
func TLogUpload ¶ added in v1.0.1
func TLogUpload(ctx context.Context, rekorClient *client.Rekor, signature, payload []byte, pemBytes []byte) (*models.LogEntryAnon, error)
TLogUpload uploads the signature, the PEM-encoded public key (pemBytes) and the payload to the Rekor transparency log, returning the resulting log entry.
func TLogUploadInTotoAttestation ¶ added in v1.0.1
func TLogUploadInTotoAttestation(ctx context.Context, rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error)
TLogUploadInTotoAttestation uploads an in-toto entry for the signature and PEM-encoded public key to the Rekor transparency log, returning the resulting log entry.
func TrustedCert ¶
func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error
func ValidateAndUnpackCert ¶ added in v1.5.0
ValidateAndUnpackCert creates a Verifier from a certificate. It verifies that the certificate chains up to a trusted root (co.RootCerts) and optionally verifies the certificate's subject identity against the expectations in co (CertEmail, CertOidcIssuer); when those are left empty, any certificate that chains to the roots is accepted.
func VerifyBundle ¶ added in v1.3.0
func VerifyImageAttestations ¶ added in v1.3.1
func VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)
VerifyImageAttestations does all the main cosign checks in a loop, returning the verified attestations. If there were no valid attestations, an error is returned.
func VerifyImageSignature ¶ added in v1.5.0
func VerifyImageSignature(ctx context.Context, sig oci.Signature, h v1.Hash, co *CheckOpts) (bundleVerified bool, err error)
VerifyImageSignature verifies a single signature sig against the image digest h using the checks configured in co, and reports whether the signature's Rekor bundle was also verified.
func VerifyImageSignatures ¶ added in v1.3.1
func VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
VerifyImageSignatures does all the main cosign checks in a loop, returning the verified signatures. If there were no valid signatures, we return an error.
func VerifyLocalImageAttestations ¶ added in v1.4.1
func VerifyLocalImageAttestations(ctx context.Context, path string, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)
VerifyLocalImageAttestations verifies attestations from a saved, local image, without any network calls, returning the verified attestations. If there were no valid attestations, an error is returned.
func VerifyLocalImageSignatures ¶ added in v1.4.1
func VerifyLocalImageSignatures(ctx context.Context, path string, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
VerifyLocalImageSignatures verifies signatures from a saved, local image, without any network calls, returning the verified signatures. If there were no valid signatures, we return an error.
Types ¶
type AttestationPayload ¶ added in v1.5.0
// AttestationPayload is the JSON form of a signed attestation: a payload type,
// the payload itself and the signatures over it.
type AttestationPayload struct {
	// PayloadType identifies the format of PayLoad.
	PayloadType string `json:"payloadType"`
	// PayLoad is the attestation body (serialised as the "payload" JSON key).
	// NOTE(review): the unusual casing is part of the exported API; renaming
	// the field would break callers.
	PayLoad string `json:"payload"`
	// Signatures are the signatures over PayLoad.
	Signatures []Signatures `json:"signatures"`
}
func FetchAttestationsForReference ¶ added in v1.5.0
type CheckOpts ¶
type CheckOpts struct { // RegistryClientOpts are the options for interacting with the container registry. RegistryClientOpts []ociremote.Option // Annotations optionally specifies image signature annotations to verify. Annotations map[string]interface{} // ClaimVerifier, if provided, verifies claims present in the oci.Signature. ClaimVerifier func(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error // RekorClient, if set, is used to use to verify signatures and public keys. RekorClient *client.Rekor // SigVerifier is used to verify signatures. SigVerifier signature.Verifier // PKOpts are the options provided to `SigVerifier.PublicKey()`. PKOpts []signature.PublicKeyOption // RootCerts are the root CA certs used to verify a signature's chained certificate. RootCerts *x509.CertPool // CertEmail is the email expected for a certificate to be valid. The empty string means any certificate can be valid. CertEmail string // CertOidcIssuer is the OIDC issuer expected for a certificate to be valid. The empty string means any certificate can be valid. CertOidcIssuer string // SignatureRef is the reference to the signature file SignatureRef string }
CheckOpts are the options for checking signatures.
type KeysBytes ¶ added in v1.5.0
// KeysBytes holds a generated or imported key pair in serialised form.
// NOTE(review): PrivateBytes presumably holds the password-encrypted
// cosign PEM (see CosignPrivateKeyPemType) — confirm in GenerateKeyPair
// before treating it as safe to write to disk unencrypted.
type KeysBytes struct {
	// PrivateBytes is the serialised private key.
	PrivateBytes []byte
	// PublicBytes is the serialised public key.
	PublicBytes []byte
	// contains filtered or unexported fields
}
func GenerateKeyPair ¶
func ImportKeyPair ¶ added in v1.5.0
type LocalSignedPayload ¶ added in v1.5.0
// LocalSignedPayload is the on-disk JSON form of a signature together with the
// material needed to verify it without contacting a registry.
type LocalSignedPayload struct {
	// Base64Signature is the base64-encoded signature.
	Base64Signature string `json:"base64Signature"`
	// Cert is the signing certificate, if any (keyless flow).
	Cert string `json:"cert,omitempty"`
	// Bundle is the Rekor bundle, if the signature was recorded in the
	// transparency log.
	Bundle *bundle.RekorBundle `json:"rekorBundle,omitempty"`
	// Timestamp is an optional TUF timestamp.
	Timestamp *tuf.Timestamp `json:"timestamp,omitempty"`
}
func FetchLocalSignedPayloadFromPath ¶ added in v1.5.0
func FetchLocalSignedPayloadFromPath(path string) (*LocalSignedPayload, error)
FetchLocalSignedPayloadFromPath fetches a local signed payload from a path to a file
type Signatures ¶ added in v1.5.0
type SignedPayload ¶
// SignedPayload is an in-memory signature plus the payload it covers and the
// certificate material and Rekor bundle that accompany it.
type SignedPayload struct {
	// Base64Signature is the base64-encoded signature.
	Base64Signature string
	// Payload is the signed payload bytes.
	Payload []byte
	// Cert is the parsed signing certificate, if any.
	Cert *x509.Certificate
	// Chain is the certificate chain accompanying Cert, if any.
	Chain []*x509.Certificate
	// Bundle is the Rekor bundle, if the signature was recorded in the
	// transparency log.
	Bundle *bundle.RekorBundle
}