Documentation ¶
Overview ¶
Package signature handles the nitty-gritty of formatting and writing out signatures. Functions here should not require any network/Sigstore access.
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Identity ¶
type Identity interface {
	// Certificate gets the identity's certificate.
	Certificate() (*x509.Certificate, error)
	// CertificateChain attempts to get the identity's full certificate chain.
	CertificateChain() ([]*x509.Certificate, error)
	// Signer gets a crypto.Signer that uses the identity's private key.
	Signer() (crypto.Signer, error)
	// Delete deletes this identity from the system.
	Delete() error
	// Close any manually managed memory held by the Identity.
	Close()
}
Identity is a copy of smimesign.Identity to allow for compatibility without needing a dependency on the whole package. This can be removed once https://github.com/github/smimesign/pull/108 is merged.
type SignOptions ¶
type SignOptions struct {
	// Make a detached signature
	Detached bool
	// URL of RFC3161 timestamp authority to use for timestamping
	TimestampAuthority string
	// Create ascii armored output
	Armor bool
	// IncludeCerts specifies what certs to include in the resulting signature.
	// -3 is the same as -2, but omits issuer when cert has Authority Information Access extension.
	// -2 includes all certs except root.
	// -1 includes all certs.
	// 0 includes no certs.
	// 1 includes leaf cert.
	// >1 includes n from the leaf.
	IncludeCerts int
	// UserName specifies the email to match against. If present, signing
	// will fail if the Fulcio identity SAN URI does not match the git committer name.
	UserName string
	// UserEmail specifies the email to match against. If present, signing
	// will fail if the Fulcio identity SAN email does not match the git committer email.
	UserEmail string
	// Rekor client - if specified, Rekor details are embedded directly in the
	// signature output.
	Rekor rekor.Writer
}
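The IncludeCerts values documented above, worked through as an added Go example (not gitsign's or smimesign's own code). `selectCerts` and `cert` are hypothetical names; the example assumes the chain is ordered leaf first with the root last, rejects values below -3, and reads the -3 rule as "stop after the first certificate that carries an AIA CA Issuers URL".

```go
package main

import (
	"bytes"
	"crypto/x509"
	"fmt"
)

// selectCerts (hypothetical, not gitsign's code) applies IncludeCerts to a chain ordered leaf first.
func selectCerts(chain []*x509.Certificate, include int) ([]*x509.Certificate, error) {
	switch {
	case include < -3:
		return nil, fmt.Errorf("unsupported IncludeCerts value %d", include) // assumption: reject
	case include == -1:
		return chain, nil
	case include >= 0:
		if include > len(chain) {
			include = len(chain) // assumption: clamp to the certs that exist
		}
		return chain[:include], nil
	}
	// -2 and -3: drop a trailing self-issued root (subject equals issuer).
	out := chain
	if n := len(out); n > 0 && bytes.Equal(out[n-1].RawSubject, out[n-1].RawIssuer) {
		out = out[:n-1]
	}
	if include == -3 {
		// Assumption: an AIA CA Issuers URL lets verifiers fetch the issuer, so stop after that cert.
		for i, c := range out {
			if len(c.IssuingCertificateURL) > 0 {
				return out[:i+1], nil
			}
		}
	}
	return out, nil
}

// cert builds a constructed sample certificate from bare fields (no keys or signatures).
func cert(subject, issuer string, aia ...string) *x509.Certificate {
	return &x509.Certificate{RawSubject: []byte(subject), RawIssuer: []byte(issuer), IssuingCertificateURL: aia}
}

func main() {
	chain := []*x509.Certificate{cert("leaf", "int", "https://ca.example/int.crt"), cert("int", "root"), cert("root", "root")}
	for _, n := range []int{-3, -2, -1, 0, 1, 2} {
		certs, _ := selectCerts(chain, n)
		fmt.Printf("IncludeCerts=%d -> %d cert(s)\n", n, len(certs))
	}
}
```

Which certificates travel inside the signature decides what a verifier must already trust or fetch: with 0 or 1 the verifier needs the intermediates from elsewhere, while -1 ships the root too, which a verifier should still check against its own trust store rather than accept from the signature.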
type SignResponse ¶ added in v0.7.0
type SignResponse struct {
	Signature []byte
	Cert      *x509.Certificate
	// LogEntry is the Rekor tlog entry from the signing operation.
	// This is only populated if offline signing mode was used (e.g. SignOpts.Rekor was passed in)
	LogEntry *models.LogEntryAnon
}
SignResponse is the response from Sign containing the signature and other related metadata.
func Sign ¶
func Sign(ctx context.Context, ident Identity, body []byte, opts SignOptions) (*SignResponse, error)
Sign signs a given payload for the given identity. The resulting signature and the cert used are returned.