Index ¶
- Constants
- func EnvelopeFromBytes(payload []byte) (env *dsselib.Envelope, err error)
- func VerifyBranch(prov *intoto.ProvenanceStatement, expectedBranch string) error
- func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts) error
- func VerifyTag(prov *intoto.ProvenanceStatement, expectedTag string) error
- func VerifyVersionedTag(prov *intoto.ProvenanceStatement, expectedTag string) error
- func VerifyWorkflowIdentity(id *WorkflowIdentity, builderOpts *options.BuilderOpts, source string, ...) (*utils.TrustedBuilderID, error)
- func VerifyWorkflowInputs(prov *intoto.ProvenanceStatement, inputs map[string]string) error
- type GHAVerifier
- func (v *GHAVerifier) IsAuthoritativeFor(builderID string) bool
- func (v *GHAVerifier) VerifyArtifact(ctx context.Context, provenance []byte, artifactHash string, ...) ([]byte, *utils.TrustedBuilderID, error)
- func (v *GHAVerifier) VerifyImage(ctx context.Context, provenance []byte, artifactImage string, ...) ([]byte, *utils.TrustedBuilderID, error)
- type SignedAttestation
- func GetValidSignedAttestationWithCert(rClient *client.Rekor, provenance []byte) (*SignedAttestation, error)
- func SearchValidSignedAttestation(ctx context.Context, artifactHash string, provenance []byte, ...) (*SignedAttestation, error)
- func VerifyProvenanceSignature(ctx context.Context, rClient *client.Rekor, provenance []byte, ...) (*SignedAttestation, error)
- type WorkflowIdentity
Constants ¶
// VerifierName identifies this verifier: it handles provenance produced by the
// GitHub Actions (GHA) builders.
const VerifierName = "GHA"
Functions ¶
func VerifyBranch ¶
func VerifyBranch(prov *intoto.ProvenanceStatement, expectedBranch string) error
func VerifyProvenance ¶
func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts) error
func VerifyVersionedTag ¶
func VerifyVersionedTag(prov *intoto.ProvenanceStatement, expectedTag string) error
func VerifyWorkflowIdentity ¶
func VerifyWorkflowIdentity(id *WorkflowIdentity, builderOpts *options.BuilderOpts, source string, defaultBuilders map[string]bool, ) (*utils.TrustedBuilderID, error)
VerifyWorkflowIdentity verifies the workflow identity extracted from the signing certificate. Builder IDs are verified against the expected builder ID provided in builderOpts, or against the set of defaultBuilders. On success it returns the TrustedBuilderID that the identity was matched to; callers should only trust provenance whose builder ID was matched this way.
func VerifyWorkflowInputs ¶
func VerifyWorkflowInputs(prov *intoto.ProvenanceStatement, inputs map[string]string) error
Types ¶
type GHAVerifier ¶
// GHAVerifier verifies provenance produced by the GitHub Actions builders
// (see VerifierName). It carries no state; the zero value and GHAVerifierNew
// are equivalent.
type GHAVerifier struct{}
func GHAVerifierNew ¶
func GHAVerifierNew() *GHAVerifier
func (*GHAVerifier) IsAuthoritativeFor ¶
func (v *GHAVerifier) IsAuthoritativeFor(builderID string) bool
IsAuthoritativeFor returns true if this verifier can verify provenance generated by the given builderID.
func (*GHAVerifier) VerifyArtifact ¶
func (v *GHAVerifier) VerifyArtifact(ctx context.Context, provenance []byte, artifactHash string, provenanceOpts *options.ProvenanceOpts, builderOpts *options.BuilderOpts, ) ([]byte, *utils.TrustedBuilderID, error)
VerifyArtifact verifies the provenance for the artifact identified by artifactHash, checking it against provenanceOpts and builderOpts. On success it returns the verified provenance and the TrustedBuilderID it was matched to; a non-nil error means the provenance must not be trusted.
func (*GHAVerifier) VerifyImage ¶
func (v *GHAVerifier) VerifyImage(ctx context.Context, provenance []byte, artifactImage string, provenanceOpts *options.ProvenanceOpts, builderOpts *options.BuilderOpts, ) ([]byte, *utils.TrustedBuilderID, error)
VerifyImage verifies the provenance for the OCI image identified by artifactImage, checking it against provenanceOpts and builderOpts. Callers should pass a digest-pinned reference (`@sha256:...`) rather than a mutable tag, so that the content being verified cannot change after verification. On success it returns the verified provenance and the TrustedBuilderID it was matched to.
type SignedAttestation ¶
// SignedAttestation bundles a signed DSSE envelope with the material used to
// verify its signature.
type SignedAttestation struct {
	// Envelope is the signed DSSE envelope holding the attestation payload.
	Envelope *dsselib.Envelope
	// SigningCert is the certificate that signed the envelope; its workflow
	// identity can be read with GetWorkflowInfoFromCertificate.
	SigningCert *x509.Certificate
	// RekorEntry is the transparency-log entry associated with the signature.
	// The producing functions return it only after verification.
	RekorEntry *models.LogEntryAnon
}
SignedAttestation contains a signed DSSE envelope and its associated signing certificate.
func GetValidSignedAttestationWithCert ¶
func GetValidSignedAttestationWithCert(rClient *client.Rekor, provenance []byte) (*SignedAttestation, error)
GetValidSignedAttestationWithCert finds the Rekor entries whose UUIDs match the full in-toto attestation and validates them. Attestations generated by the slsa-github-generator libraries contain the signing certificate, which is returned alongside the verified entry.
func SearchValidSignedAttestation ¶
func SearchValidSignedAttestation(ctx context.Context, artifactHash string, provenance []byte, rClient *client.Rekor) (*SignedAttestation, error)
SearchValidSignedAttestation searches the Rekor Redis search index by artifact digest for a signed attestation with a valid signing certificate. The search index is only a lookup aid: a matching entry is not trusted until its signature, certificate and log entry have been verified, and only a verified entry is returned in the SignedAttestation.
func VerifyProvenanceSignature ¶
func VerifyProvenanceSignature(ctx context.Context, rClient *client.Rekor, provenance []byte, artifactHash string) ( *SignedAttestation, error)
VerifyProvenanceSignature verifies the signature on the provenance for the artifact identified by artifactHash and returns the verified DSSE envelope containing the provenance, together with the signing certificate and the associated verified Rekor entry.
type WorkflowIdentity ¶
// WorkflowIdentity is the identity of the workflow run that signed the
// provenance, as extracted from the signing certificate by
// GetWorkflowInfoFromCertificate. These values are what VerifyWorkflowIdentity
// checks against the expected builder, so they must come from the
// authenticated certificate content, never from the provenance payload.
type WorkflowIdentity struct {
	// CallerRepository is the repository that invoked the workflow.
	CallerRepository string `json:"caller"`
	// CallerHash is the commit SHA at which the workflow was triggered.
	CallerHash string `json:"commit"`
	// JobWobWorkflowRef is the ref of the current (reusable) workflow.
	// NOTE: the field name carries a historical typo; it is exported, so
	// renaming it would break callers.
	JobWobWorkflowRef string `json:"job_workflow_ref"`
	// Trigger is the trigger of the workflow run.
	Trigger string `json:"trigger"`
	// Issuer is the issuer recorded in the certificate (presumably the OIDC
	// token issuer — confirm against GetWorkflowInfoFromCertificate).
	Issuer string `json:"issuer"`
}
func GetWorkflowInfoFromCertificate ¶
func GetWorkflowInfoFromCertificate(cert *x509.Certificate) (*WorkflowIdentity, error)
GetWorkflowInfoFromCertificate extracts the workflow identity (caller repository, commit, reusable-workflow ref, trigger and issuer) from the Fulcio-authenticated content of the signing certificate.