Documentation
Index
- func BranchFromGitRef(ref string) (string, error)
- func DecodeSignature(s string) ([]byte, error)
- func DsseVerifierNew(content []byte, format KeyFormat, keyID string, sigEncoding *SignatureEncoding) (*dsselib.EnvelopeVerifier, error)
- func EnvelopeFromBytes(payload []byte) (*dsselib.Envelope, error)
- func GetDefaultSigstoreTUFClient() (*sigstoreTUF.Client, error)
- func GetSigstoreTrustedRoot() (*sigstoreRoot.LiveTrustedRoot, error)
- func IsValidBuilderTag(ref string, testing bool) error
- func IsValidJreleaserBuilderTag(ref string) error
- func MergeMaps[K comparable, V any](m1, m2 map[K]V) map[K]V
- func NormalizeGitURI(s string) string
- func ParseBuilderID(id string, needVersion bool) (string, string, error)
- func ParseGitRef(ref string) (string, string)
- func ParseGitURIAndRef(uri string) (string, string, error)
- func PayloadFromEnvelope(env *dsselib.Envelope) ([]byte, error)
- func StatementFromBytes(payload []byte) (*intoto.Statement, error)
- func StatementFromEnvelope(env *dsselib.Envelope) (*intoto.Statement, error)
- func TagFromGitRef(ref string) (string, error)
- func ValidateGitRef(refType, ref string) (string, error)
- func VerifyVersionedTag(provenanceTag, expectedTag string) error
- type KeyFormat
- type SignatureEncoding
- type SigstoreTUFClient
- type TrustedBuilderID
Constants
This section is empty.
Variables
This section is empty.
Functions
func BranchFromGitRef added in v2.4.0
func BranchFromGitRef(ref string) (string, error)
BranchFromGitRef returns the branch name from a branch ref of the form refs/heads/<name>. It returns an error if the ref is not a branch ref.
func DecodeSignature added in v2.1.0
func DecodeSignature(s string) ([]byte, error)
DecodeSignature decodes a base64-encoded DSSE signature string into the raw signature bytes.
func DsseVerifierNew added in v2.4.1
func DsseVerifierNew(content []byte, format KeyFormat, keyID string, sigEncoding *SignatureEncoding) (*dsselib.EnvelopeVerifier, error)
DsseVerifierNew returns a dsselib.EnvelopeVerifier for the public key in content, parsed according to format and identified by keyID. sigEncoding selects the encoding of the signatures in the envelope (see SignatureEncoding).
func EnvelopeFromBytes added in v2.4.1
func EnvelopeFromBytes(payload []byte) (*dsselib.Envelope, error)
EnvelopeFromBytes parses payload as a JSON-encoded DSSE envelope.
func GetDefaultSigstoreTUFClient added in v2.7.0
func GetDefaultSigstoreTUFClient() (*sigstoreTUF.Client, error)
GetDefaultSigstoreTUFClient returns the default Sigstore TUF client. The client is cached in memory.
func GetSigstoreTrustedRoot added in v2.7.0
func GetSigstoreTrustedRoot() (*sigstoreRoot.LiveTrustedRoot, error)
GetSigstoreTrustedRoot returns the trusted root for the Sigstore TUF client.
func IsValidBuilderTag added in v2.4.0
func IsValidBuilderTag(ref string, testing bool) error
IsValidBuilderTag validates that the given ref is a valid builder tag.
func IsValidJreleaserBuilderTag added in v2.4.0
func IsValidJreleaserBuilderTag(ref string) error
func MergeMaps added in v2.4.0
func MergeMaps[K comparable, V any](m1, m2 map[K]V) map[K]V
func NormalizeGitURI added in v2.4.0
func NormalizeGitURI(s string) string
NormalizeGitURI normalizes a git URI to include a git+https:// prefix.
func ParseBuilderID
func ParseBuilderID(id string, needVersion bool) (string, string, error)
ParseBuilderID parses the builder ID into its URI (name) and ref (version) parts. If needVersion is true, an ID without a version is an error.
func ParseGitRef added in v2.4.0
func ParseGitRef(ref string) (string, string)
ParseGitRef parses the git ref and returns its type and name.
func ParseGitURIAndRef added in v2.4.0
func ParseGitURIAndRef(uri string) (string, string, error)
ParseGitURIAndRef retrieves the URI and ref from the given URI.
func PayloadFromEnvelope added in v2.1.0
func PayloadFromEnvelope(env *dsselib.Envelope) ([]byte, error)
PayloadFromEnvelope returns the decoded payload of the given DSSE envelope.
func StatementFromBytes added in v2.4.1
func StatementFromBytes(payload []byte) (*intoto.Statement, error)
StatementFromBytes parses the provided byte slice as a JSON payload and returns an intoto.Statement. Ideally this would use the "V1" Statement type from https://pkg.go.dev/github.com/in-toto/attestation/go/v1#pkg-constants, but that type parses JSON fields in snake case, while the official spec uses camel case: https://github.com/in-toto/attestation/blob/v1.0/spec/v1.0/statement.md.
func StatementFromEnvelope added in v2.4.1
func StatementFromEnvelope(env *dsselib.Envelope) (*intoto.Statement, error)
StatementFromEnvelope decodes the envelope's payload and parses it as an in-toto Statement.
func TagFromGitRef added in v2.4.0
func TagFromGitRef(ref string) (string, error)
TagFromGitRef returns the tag name from a tag ref of the form refs/tags/<name>.
func ValidateGitRef added in v2.4.0
func ValidateGitRef(refType, ref string) (string, error)
ValidateGitRef validates that the given git ref is a valid ref of the given type and returns its name.
func VerifyVersionedTag added in v2.2.0
func VerifyVersionedTag(provenanceTag, expectedTag string) error
VerifyVersionedTag checks the tag recorded in the provenance against the tag the caller expects and returns an error if they do not match.
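The git ref and tag helpers above (ParseGitRef, ValidateGitRef, TagFromGitRef, BranchFromGitRef, NormalizeGitURI, ParseGitURIAndRef and VerifyVersionedTag) are easiest to understand from a small stand-alone reimplementation. The following is an added example written for this page, not code from slsa-verifier: the function bodies are assumptions made from the signatures and one-line descriptions above, and the versioned-tag rule it implements (an expected tag such as v1.2 accepts any v1.2.x provenance tag, while an expected tag more specific than the provenance tag is rejected) is this example's reading of VerifyVersionedTag, not the project's guaranteed behaviour. All inputs in main are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ParseGitRef splits a fully qualified ref such as "refs/tags/v1.2.0" into its type ("tags")
// and name ("v1.2.0"); anything else comes back with an empty type and the input as the name.
func ParseGitRef(ref string) (refType, name string) {
	if !strings.HasPrefix(ref, "refs/") {
		return "", ref
	}
	rest := strings.TrimPrefix(ref, "refs/")
	i := strings.Index(rest, "/")
	if i <= 0 || i == len(rest)-1 {
		return "", ref
	}
	return rest[:i], rest[i+1:]
}

// ValidateGitRef checks that ref is a "refs/<refType>/<name>" ref and returns the name.
func ValidateGitRef(refType, ref string) (string, error) {
	typ, name := ParseGitRef(ref)
	if typ != refType {
		return "", fmt.Errorf("%q is not a refs/%s/ ref", ref, refType)
	}
	return name, nil
}

func TagFromGitRef(ref string) (string, error)    { return ValidateGitRef("tags", ref) }
func BranchFromGitRef(ref string) (string, error) { return ValidateGitRef("heads", ref) }

// NormalizeGitURI maps "github.com/org/repo", "https://github.com/org/repo" or an already
// normalized URI to the "git+https://github.com/org/repo" form.
func NormalizeGitURI(s string) string {
	s = strings.TrimPrefix(s, "git+")
	s = strings.TrimPrefix(s, "https://")
	return "git+https://" + s
}

// ParseGitURIAndRef splits "<uri>@<ref>" (the ref is optional) and normalizes the URI.
func ParseGitURIAndRef(uri string) (string, string, error) {
	parts := strings.Split(uri, "@")
	if len(parts) > 2 || parts[0] == "" {
		return "", "", fmt.Errorf("invalid git URI %q", uri)
	}
	return NormalizeGitURI(parts[0]), strings.Join(parts[1:], ""), nil // parts[1:] is empty or the ref
}

// versionParts parses "vMAJOR[.MINOR[.PATCH]]" into numbers, ignoring a "-rc1" or "+meta" suffix.
func versionParts(tag string) ([]int, error) {
	if !strings.HasPrefix(tag, "v") {
		return nil, fmt.Errorf("tag %q does not start with 'v'", tag)
	}
	v := tag[1:]
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := make([]int, 0, 3)
	for _, f := range strings.Split(v, ".") {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("tag %q: invalid version component %q", tag, f)
		}
		parts = append(parts, n)
	}
	return parts, nil
}

// VerifyVersionedTag accepts provenanceTag when every component given in expectedTag matches:
// "v1" and "v1.2" accept "v1.2.3", "v1.3" does not. An expected tag more specific than the
// provenance tag is rejected, because a component the provenance does not state is unknown, not zero.
func VerifyVersionedTag(provenanceTag, expectedTag string) error {
	prov, err := versionParts(provenanceTag)
	if err != nil {
		return err
	}
	exp, err := versionParts(expectedTag)
	if err != nil {
		return err
	}
	if len(exp) > len(prov) {
		return fmt.Errorf("expected tag %q is more specific than provenance tag %q", expectedTag, provenanceTag)
	}
	for i := range exp {
		if exp[i] != prov[i] {
			return fmt.Errorf("provenance tag %q does not match expected tag %q", provenanceTag, expectedTag)
		}
	}
	return nil
}

func main() {
	uri, ref, _ := ParseGitURIAndRef("github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1")
	tag, _ := TagFromGitRef(ref)
	fmt.Println(uri, ref, tag, VerifyVersionedTag(tag, "v2.4"))
}
```

The point worth carrying over to any real verifier is the asymmetry in VerifyVersionedTag: a caller who asks for v1.2.3 must not be satisfied by a provenance that only says v1.2, since the missing patch component was never attested.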
Types
type SignatureEncoding added in v2.4.1
type SignatureEncoding int
const (
	// The DER signature is encoded using ASN.1
	// (https://tools.ietf.org/html/rfc5480#appendix-A):
	// ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }. In particular, the
	// encoding is:
	// 0x30 || totalLength || 0x02 || r's length || r || 0x02 || s's length || s.
	SignatureEncodingDER SignatureEncoding = iota
	// The IEEE_P1363 signature's format is r || s, where r and s are zero-padded
	// and have the same size in bytes as the order of the curve. For example, for
	// the NIST P-256 curve, r and s are zero-padded to 32 bytes.
	SignatureEncodingIEEEP1363
)
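DsseVerifierNew, EnvelopeFromBytes, PayloadFromEnvelope and the two SignatureEncoding values above all turn on the same two details: what bytes are actually signed in a DSSE envelope, and how the ECDSA signature bytes are laid out. The example below is added for this page and is not slsa-verifier code; it uses only the Go standard library, and Envelope, SigEncoding, verifySig, VerifyEnvelope and Demo are this example's own names. It builds the DSSE pre-authentication encoding, verifies signatures in either DER or IEEE P1363 form, checks every signature before releasing the payload, and shows that a payload swapped after signing, or a signature read with the wrong encoding, is rejected. The signed statement is a constructed minimal in-toto statement; for brevity only standard-alphabet base64 is decoded (DSSE also permits the URL-safe alphabet, which is why a function such as DecodeSignature is needed in practice).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// Envelope is the DSSE wire format: a base64 payload, its type, and one or more base64 signatures.
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"`
	Signatures  []struct {
		KeyID string `json:"keyid"`
		Sig   string `json:"sig"`
	} `json:"signatures"`
}

type SigEncoding int

const (
	EncDER   SigEncoding = iota // ASN.1 SEQUENCE { r INTEGER, s INTEGER }
	EncP1363                    // r || s, each zero-padded to the curve size in bytes
)

// pae is the DSSE pre-authentication encoding: this, not the raw payload, is what gets signed.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// verifySig checks one ECDSA signature in the given encoding. Trailing DER bytes
// and a wrong IEEE P1363 length are rejected instead of being silently ignored.
func verifySig(pub *ecdsa.PublicKey, digest, sig []byte, enc SigEncoding) bool {
	if enc == EncDER {
		var v struct{ R, S *big.Int }
		rest, err := asn1.Unmarshal(sig, &v)
		return err == nil && len(rest) == 0 && ecdsa.Verify(pub, digest, v.R, v.S)
	}
	n := (pub.Curve.Params().BitSize + 7) / 8
	if len(sig) != 2*n {
		return false
	}
	return ecdsa.Verify(pub, digest, new(big.Int).SetBytes(sig[:n]), new(big.Int).SetBytes(sig[n:]))
}

// VerifyEnvelope checks every signature against pub and only then returns the
// decoded payload, so a caller never acts on an unverified statement.
func VerifyEnvelope(envJSON []byte, pub *ecdsa.PublicKey, enc SigEncoding) ([]byte, error) {
	var env Envelope
	if err := json.Unmarshal(envJSON, &env); err != nil {
		return nil, err
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || len(env.Signatures) == 0 {
		return nil, fmt.Errorf("envelope has an undecodable payload or no signatures")
	}
	digest := sha256.Sum256(pae(env.PayloadType, payload))
	for _, sig := range env.Signatures {
		raw, err := base64.StdEncoding.DecodeString(sig.Sig)
		if err != nil || !verifySig(pub, digest[:], raw, enc) {
			return nil, fmt.Errorf("keyid %q: signature does not verify", sig.KeyID)
		}
	}
	return payload, nil
}

// Demo signs a constructed in-toto statement with signEnc, optionally swaps the payload while
// keeping the signature, then verifies with verifyEnc. True means the original statement came back.
func Demo(signEnc, verifyEnc SigEncoding, tamper bool) bool {
	const payloadType = "application/vnd.in-toto+json"
	stmt := []byte(`{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://slsa.dev/provenance/v1"}`)
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	digest := sha256.Sum256(pae(payloadType, stmt))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	sig, _ := asn1.Marshal(struct{ R, S *big.Int }{r, s}) // DER: SEQUENCE { r INTEGER, s INTEGER }
	if signEnc == EncP1363 {                                // r || s, each zero-padded to 32 bytes on P-256
		sig = make([]byte, 64)
		r.FillBytes(sig[:32])
		s.FillBytes(sig[32:])
	}
	carried := stmt
	if tamper { // the envelope keeps the original signature but carries a different payload
		carried = []byte(`{"_type":"https://in-toto.io/Statement/v1","predicateType":"forged"}`)
	}
	envJSON := fmt.Sprintf(`{"payloadType":%q,"payload":%q,"signatures":[{"keyid":"example","sig":%q}]}`,
		payloadType, base64.StdEncoding.EncodeToString(carried), base64.StdEncoding.EncodeToString(sig))
	got, err := VerifyEnvelope([]byte(envJSON), &priv.PublicKey, verifyEnc)
	return err == nil && string(got) == string(stmt)
}

func main() {
	fmt.Println(Demo(EncDER, EncDER, false), Demo(EncP1363, EncP1363, false), Demo(EncDER, EncP1363, false), Demo(EncDER, EncDER, true))
}
```

Two details matter when wiring this to a real key: the encoding must be fixed by configuration (as the sigEncoding parameter of DsseVerifierNew does) rather than sniffed from the bytes, and an envelope with an empty signatures array must fail closed, since "every signature verified" is vacuously true otherwise.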
type SigstoreTUFClient added in v2.7.0
type SigstoreTUFClient interface {
	// GetTarget retrieves the target file from the TUF repository.
	GetTarget(target string) ([]byte, error)
}
SigstoreTUFClient is the interface for the Sigstore TUF client.
type TrustedBuilderID
type TrustedBuilderID struct {
	// contains filtered or unexported fields
}
TrustedBuilderID represents a builder ID that has been explicitly trusted.
func TrustedBuilderIDNew
func TrustedBuilderIDNew(builderID string, needVersion bool) (*TrustedBuilderID, error)
TrustedBuilderIDNew creates a new TrustedBuilderID from the given builder ID string. If needVersion is true, the builder ID must carry a version.
func (*TrustedBuilderID) MatchesFull added in v2.3.0
func (b *TrustedBuilderID) MatchesFull(builderID string, allowRef bool) error
MatchesFull matches the builderID string against the reference builderID. Both the name and the version are always verified.
func (*TrustedBuilderID) MatchesLoose added in v2.3.0
func (b *TrustedBuilderID) MatchesLoose(builderID string, allowRef bool) error
MatchesLoose matches the builderID string against the reference builderID. If the builderID contains a semver, the full builderID must match; otherwise only the name needs to match. `allowRef: true` indicates that the match need not be exact: if the reference BuilderID's version is a GitHub ref `refs/tags/name`, it is considered equal to the user-provided builderID version `name`.
func (*TrustedBuilderID) Name
func (b *TrustedBuilderID) Name() string
Name returns the trusted builder's name.
func (*TrustedBuilderID) String
func (b *TrustedBuilderID) String() string
String returns the full trusted builder ID as a string.
func (*TrustedBuilderID) Version
func (b *TrustedBuilderID) Version() string
Version returns the trusted builder's version reference, if any.
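The matching rules spelled out for ParseBuilderID, MatchesFull and MatchesLoose above (exact versus loose matching, and the `refs/tags/name` versus `name` equivalence under allowRef) are shown end to end in the following added example. It is written for this page and is not slsa-verifier's implementation: the type and its methods deliberately mirror the names on this page, but their bodies are this example's reading of the documented semantics, and "contains a semver" is interpreted here simply as "carries an @version part". The builder ID used in main is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseBuilderID splits "<name>@<version>" into name and version. The version is
// optional unless needVersion is set; an empty name, an empty version or a second
// '@' is an error rather than something to guess at.
func ParseBuilderID(id string, needVersion bool) (string, string, error) {
	parts := strings.Split(id, "@")
	switch {
	case len(parts) == 1 && !needVersion && parts[0] != "":
		return parts[0], "", nil
	case len(parts) == 2 && parts[0] != "" && parts[1] != "":
		return parts[0], parts[1], nil
	}
	return "", "", fmt.Errorf("invalid builder ID %q (version required: %v)", id, needVersion)
}

// TrustedBuilderID is the reference builder ID, kept parsed so that candidate
// builder IDs can be matched against it.
type TrustedBuilderID struct {
	name, version string
}

// TrustedBuilderIDNew parses and stores the reference builder ID.
func TrustedBuilderIDNew(builderID string, needVersion bool) (*TrustedBuilderID, error) {
	name, version, err := ParseBuilderID(builderID, needVersion)
	if err != nil {
		return nil, err
	}
	return &TrustedBuilderID{name: name, version: version}, nil
}

func (b *TrustedBuilderID) Name() string    { return b.name }
func (b *TrustedBuilderID) Version() string { return b.version }

func (b *TrustedBuilderID) String() string {
	if b.version == "" {
		return b.name
	}
	return b.name + "@" + b.version
}

// versionMatches is exact by default; with allowRef, a bare tag "v1.4.0" in the
// candidate also matches a reference version of "refs/tags/v1.4.0".
func (b *TrustedBuilderID) versionMatches(version string, allowRef bool) bool {
	return version == b.version || (allowRef && b.version == "refs/tags/"+version)
}

// MatchesFull requires the candidate to carry a version and both parts to match.
func (b *TrustedBuilderID) MatchesFull(builderID string, allowRef bool) error {
	name, version, err := ParseBuilderID(builderID, true)
	if err != nil {
		return err
	}
	if name != b.name {
		return fmt.Errorf("builder name %q does not match trusted %q", name, b.name)
	}
	if !b.versionMatches(version, allowRef) {
		return fmt.Errorf("builder version %q does not match trusted %q", version, b.version)
	}
	return nil
}

// MatchesLoose requires the name to match; the version is checked only when the
// candidate carries one.
func (b *TrustedBuilderID) MatchesLoose(builderID string, allowRef bool) error {
	name, version, err := ParseBuilderID(builderID, false)
	if err != nil {
		return err
	}
	if name != b.name {
		return fmt.Errorf("builder name %q does not match trusted %q", name, b.name)
	}
	if version != "" && !b.versionMatches(version, allowRef) {
		return fmt.Errorf("builder version %q does not match trusted %q", version, b.version)
	}
	return nil
}

func main() {
	const workflow = "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml"
	trusted, _ := TrustedBuilderIDNew(workflow+"@refs/tags/v1.4.0", true)
	fmt.Println(trusted, trusted.MatchesLoose(workflow, false), trusted.MatchesFull(workflow+"@v1.4.0", true))
}
```

The loose form is what lets a user name a builder without pinning its version; the full form is what a verifier should use once it has a trusted version list, since a builder name alone says nothing about which release of the workflow produced the provenance.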