Constants
const (
	// PredicateSLSAProvenance represents a build provenance for an artifact.
	// The value is the SLSA v0.1 provenance predicate type URI; presumably
	// this is the predicate type that VerifyIntotoHeaders expects in the
	// in-toto statement — confirm against that method.
	PredicateSLSAProvenance = "https://slsa.dev/provenance/v0.1"
)
// VerifierName is the name of the GCB verifier.
const VerifierName = "GCB"
Variables
// GCBBuilderIDs lists the Google Cloud Build builder IDs that this verifier
// recognises. Each entry carries an explicit version suffix, so a match pins
// both the builder and its version. NOTE(review): presumably this is the
// allowlist consulted by IsAuthoritativeFor and VerifyBuilder — confirm
// against those implementations before relying on it.
var GCBBuilderIDs = []string{
	"https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.2",
	"https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3",
}
Functions
This section is empty.
Types
type DigestSet
DigestSet contains a set of digests. It is represented as a map from algorithm name to lowercase hex-encoded value.
type GCBVerifier
// GCBVerifier verifies SLSA provenance produced by Google Cloud Build (GCB)
// for artifacts, OCI images and npm packages. It carries no state; obtain one
// with GCBVerifierNew.
type GCBVerifier struct{}
func GCBVerifierNew
func GCBVerifierNew() *GCBVerifier
func (*GCBVerifier) IsAuthoritativeFor
func (v *GCBVerifier) IsAuthoritativeFor(builderIDName string) bool
IsAuthoritativeFor returns true if the verifier can verify provenance generated by the builderID.
func (*GCBVerifier) VerifyArtifact
func (v *GCBVerifier) VerifyArtifact(ctx context.Context, provenance []byte, artifactHash string, provenanceOpts *options.ProvenanceOpts, builderOpts *options.BuilderOpts) ([]byte, *utils.TrustedBuilderID, error)
VerifyArtifact verifies provenance for an artifact.
func (*GCBVerifier) VerifyImage
func (v *GCBVerifier) VerifyImage(ctx context.Context, provenance []byte, artifactImage string, provenanceOpts *options.ProvenanceOpts, builderOpts *options.BuilderOpts) ([]byte, *utils.TrustedBuilderID, error)
VerifyImage verifies provenance for an OCI image.
func (*GCBVerifier) VerifyNpmPackage (added in v2.1.0)
func (v *GCBVerifier) VerifyNpmPackage(ctx context.Context, attestations []byte, tarballHash string, provenanceOpts *options.ProvenanceOpts, builderOpts *options.BuilderOpts) ([]byte, *utils.TrustedBuilderID, error)
VerifyNpmPackage verifies an npm package tarball.
type Provenance
// Provenance is a parsed GCB provenance payload. Its fields are unexported;
// construct it with ProvenanceFromBytes and then apply the Verify* methods
// (signature, builder, source URI, subject digest, ...) to it.
type Provenance struct {
	// contains filtered or unexported fields
}
func ProvenanceFromBytes
func ProvenanceFromBytes(payload []byte) (*Provenance, error)
func (*Provenance) GetVerifiedIntotoStatement
func (p *Provenance) GetVerifiedIntotoStatement() ([]byte, error)
func (*Provenance) VerifyBranch
func (p *Provenance) VerifyBranch(branch string) error
func (*Provenance) VerifyBuilder
func (p *Provenance) VerifyBuilder(builderOpts *options.BuilderOpts) (*utils.TrustedBuilderID, error)
VerifyBuilder verifies the builder in the DSSE payload: the recipe type, the recipe argument type, and the predicate builder ID.
func (*Provenance) VerifyIntotoHeaders
func (p *Provenance) VerifyIntotoHeaders() error
VerifyIntotoHeaders verifies that the headers are in in-toto format and carry the expected SLSA predicate type.
func (*Provenance) VerifyMetadata
func (p *Provenance) VerifyMetadata(provenanceOpts *options.ProvenanceOpts) error
VerifyMetadata verifies additional metadata contained in the provenance, which is not part of the DSSE payload or headers. It is part of the payload returned by `gcloud artifacts docker images describe image:tag --format json --show-provenance`.
func (*Provenance) VerifySignature
func (p *Provenance) VerifySignature() error
VerifySignature verifies the signature for a provenance.
func (*Provenance) VerifySourceURI
func (p *Provenance) VerifySourceURI(expectedSourceURI string, builderID utils.TrustedBuilderID) error
VerifySourceURI verifies the source URI in the provenance statement against expectedSourceURI.
func (*Provenance) VerifySubjectDigest
func (p *Provenance) VerifySubjectDigest(expectedHash string) error
VerifySubjectDigest verifies that the sha256 of the subject matches expectedHash.
func (*Provenance) VerifySummary
func (p *Provenance) VerifySummary(provenanceOpts *options.ProvenanceOpts) error
VerifySummary verifies the content of the `image_summary` structure returned by `gcloud artifacts docker images describe image:tag --format json --show-provenance`.
func (*Provenance) VerifyTag
func (p *Provenance) VerifyTag(expectedTag string) error
func (*Provenance) VerifyTextProvenance
func (p *Provenance) VerifyTextProvenance() error
VerifyTextProvenance verifies the text provenance prepended to the provenance. This text mirrors the DSSE payload but is human-readable.
func (*Provenance) VerifyVersionedTag
func (p *Provenance) VerifyVersionedTag(expectedTag string) error
type ProvenanceBuilder
// ProvenanceBuilder identifies the entity that executed the build steps.
type ProvenanceBuilder struct {
	// ID is the builder identifier recorded in the predicate. NOTE(review):
	// presumably this is the value VerifyBuilder compares against
	// GCBBuilderIDs — confirm.
	ID string `json:"id"`
}
ProvenanceBuilder identifies the entity that executed the build steps.
type ProvenanceComplete
// ProvenanceComplete indicates whether the claims in build/recipe are complete.
// Each flag reports completeness of the corresponding recipe section.
type ProvenanceComplete struct {
	Arguments   bool `json:"arguments"`
	Environment bool `json:"environment"`
	Materials   bool `json:"materials"`
}
ProvenanceComplete indicates whether the claims in build/recipe are complete. For in-depth information refer to the specification: https://github.com/in-toto/attestation/blob/v0.1.0/spec/predicates/provenance.md
type ProvenanceMaterial
// ProvenanceMaterial defines a material used to build an artifact: a URI and
// an optional set of digests keyed by algorithm name (see DigestSet).
type ProvenanceMaterial struct {
	URI    string    `json:"uri"`
	Digest DigestSet `json:"digest,omitempty"`
}
ProvenanceMaterial defines the materials used to build an artifact.
type ProvenanceMetadata
// ProvenanceMetadata contains metadata for the built artifact.
type ProvenanceMetadata struct {
	// Use pointer to make sure that the absence of a time is not
	// encoded as the Epoch time.
	BuildStartedOn  *time.Time         `json:"buildStartedOn,omitempty"`
	BuildFinishedOn *time.Time         `json:"buildFinishedOn,omitempty"`
	Completeness    ProvenanceComplete `json:"completeness"`
	Reproducible    bool               `json:"reproducible"`
}
ProvenanceMetadata contains metadata for the built artifact.
type ProvenancePredicate
// ProvenancePredicate is the provenance predicate definition. Metadata and
// Materials are optional and omitted from JSON when absent.
type ProvenancePredicate struct {
	Builder   ProvenanceBuilder    `json:"builder"`
	Recipe    ProvenanceRecipe     `json:"recipe"`
	Metadata  *ProvenanceMetadata  `json:"metadata,omitempty"`
	Materials []ProvenanceMaterial `json:"materials,omitempty"`
}
ProvenancePredicate is the provenance predicate definition.
type ProvenanceRecipe
// ProvenanceRecipe describes the actions performed by the builder.
// Arguments and Environment are decoded as untyped JSON (interface{});
// NOTE(review): VerifyBuilder is documented as checking the recipe argument
// type, so callers should not assume a particular shape here — confirm.
type ProvenanceRecipe struct {
	Type string `json:"type"`
	// DefinedInMaterial can be sent as the null pointer to indicate that
	// the value is not present.
	// DefinedInMaterial *int `json:"definedInMaterial,omitempty"`
	EntryPoint  string      `json:"entryPoint"`
	Arguments   interface{} `json:"arguments,omitempty"`
	Environment interface{} `json:"environment,omitempty"`
}
ProvenanceRecipe describes the actions performed by the builder.