README
¶
Download the GCB keys
This is a temporary solution. We should try to automate key verification on pre-submits. We should pin the CA certificate when downloading them, maybe using curl and the googlecloudapi REST endpoint. See discussion in #181.
For now, you can verify the keys we downloaded by downloading them yourself.
cd verifiers/internal/gcb/keys
gcloud compute regions list | grep -v NAME | xargs -0 | cut -d ' ' -f1 | xargs -i gcloud kms keys versions get-public-key 1 --location {} --keyring attestor --key builtByGCB --project verified-builder --output-file {}.key
Documentation
¶
Index ¶
Constants ¶
View Source
const GlobalPAEKeyID = "projects/verified-builder/locations/global/keyRings/attestor/cryptoKeys/provenanceSigner/cryptoKeyVersions/1"
View Source
const GlobalPAEPublicKeyName = "global-pae"
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type GlobalPAEKey ¶ added in v2.1.0
type GlobalPAEKey struct {
Verifier *dsselib.EnvelopeVerifier
// contains filtered or unexported fields
}
func NewGlobalPAEKey ¶ added in v2.1.0
func NewGlobalPAEKey() (*GlobalPAEKey, error)
func (*GlobalPAEKey) KeyID ¶ added in v2.1.0
func (v *GlobalPAEKey) KeyID() (string, error)
KeyID implements dsse.Verifier.KeyID.
func (*GlobalPAEKey) Public ¶ added in v2.1.0
func (v *GlobalPAEKey) Public() crypto.PublicKey
Public implements dsse.Verifier.Public.
func (*GlobalPAEKey) Verify ¶ added in v2.1.0
func (v *GlobalPAEKey) Verify(data, sig []byte) error
Verify implements dsse.Verifier.Verify. It verifies a signature formatted in DSSE-conformant PAE.
func (*GlobalPAEKey) VerifyPAESignature ¶ added in v2.1.0
func (v *GlobalPAEKey) VerifyPAESignature(envelope *dsselib.Envelope) error
Source Files
Click to show internal directories.
Click to hide internal directories.