gha

package
Published: Apr 20, 2023 License: Apache-2.0 Imports: 50 Imported by: 0

Documentation


Constants

const VerifierName = "GHA"

Variables

// Bundle-specific errors returned while validating a Sigstore bundle: the
// bundle's tlog entry must match the signature, be of the expected entry type,
// carry the signing certificate, and hold DSSE content.
var (
	ErrorMismatchSignature       = errors.New("bundle tlog entry does not match signature")
	ErrorUnexpectedEntryType     = errors.New("unexpected tlog entry type")
	ErrorMissingCertInBundle     = errors.New("missing signing certificate in bundle")
	ErrorUnexpectedBundleContent = errors.New("expected DSSE bundle content")
)

Bundle-specific errors.

Functions

func EnvelopeFromBytes

func EnvelopeFromBytes(payload []byte) (env *dsselib.Envelope, err error)

func IsSigstoreBundle added in v2.1.0

func IsSigstoreBundle(bytes []byte) bool

IsSigstoreBundle checks if the provenance is a Sigstore bundle.

func VerifyBranch

func VerifyBranch(prov slsaprovenance.Provenance, expectedBranch string) error

func VerifyBuilderIdentity added in v2.1.0

func VerifyBuilderIdentity(id *WorkflowIdentity,
	builderOpts *options.BuilderOpts,
	defaultBuilders map[string]bool,
) (*utils.TrustedBuilderID, error)

VerifyBuilderIdentity verifies the signing certificate information. Builder IDs are verified against an expected builder ID provided in the builderOpts, or against the set of defaultBuilders provided. The identity in the certificate corresponds to a GitHub workflow's path.

func VerifyCertficateSourceRepository added in v2.1.0

func VerifyCertficateSourceRepository(id *WorkflowIdentity,
	sourceRepo string,
) error

VerifyCertficateSourceRepository verifies the source repository.

func VerifyNpmPackageProvenance added in v2.1.0

func VerifyNpmPackageProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts,
) error

func VerifyProvenance

func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts,
) error

func VerifyProvenanceCommonOptions added in v2.1.0

func VerifyProvenanceCommonOptions(prov slsaprovenance.Provenance, provenanceOpts *options.ProvenanceOpts,
	allowNoMaterialRef bool,
) error

func VerifyTag

func VerifyTag(prov slsaprovenance.Provenance, expectedTag string) error

func VerifyVersionedTag

func VerifyVersionedTag(prov slsaprovenance.Provenance, expectedTag string) error

func VerifyWorkflowInputs

func VerifyWorkflowInputs(prov slsaprovenance.Provenance, inputs map[string]string) error

Types

type BundleBytes added in v2.1.0

type BundleBytes []byte

func (*BundleBytes) UnmarshalJSON added in v2.1.0

func (b *BundleBytes) UnmarshalJSON(data []byte) error

type GHAVerifier

type GHAVerifier struct{}

func GHAVerifierNew

func GHAVerifierNew() *GHAVerifier

func (*GHAVerifier) IsAuthoritativeFor

func (v *GHAVerifier) IsAuthoritativeFor(builderID string) bool

IsAuthoritativeFor returns true if the verifier can verify provenance generated by the builderID.

func (*GHAVerifier) VerifyArtifact

func (v *GHAVerifier) VerifyArtifact(ctx context.Context,
	provenance []byte, artifactHash string,
	provenanceOpts *options.ProvenanceOpts,
	builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error)

VerifyArtifact verifies provenance for an artifact.

func (*GHAVerifier) VerifyImage

func (v *GHAVerifier) VerifyImage(ctx context.Context,
	provenance []byte, artifactImage string,
	provenanceOpts *options.ProvenanceOpts,
	builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error)

VerifyImage verifies provenance for an OCI image.

func (*GHAVerifier) VerifyNpmPackage added in v2.1.0

func (v *GHAVerifier) VerifyNpmPackage(ctx context.Context,
	attestations []byte, tarballHash string,
	provenanceOpts *options.ProvenanceOpts,
	builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error)

VerifyNpmPackage verifies an npm package tarball.

type Npm added in v2.1.0

// Npm is built by NpmNew from raw attestation bytes and exposes the
// provenance envelope and its leaf certificate through the methods below.
// All fields are unexported.
type Npm struct {
	// contains filtered or unexported fields
}

func NpmNew added in v2.1.0

func NpmNew(ctx context.Context, root *TrustedRoot, attestationBytes []byte) (*Npm, error)

func (*Npm) ProvenanceEnvelope added in v2.1.0

func (n *Npm) ProvenanceEnvelope() *dsse.Envelope

func (*Npm) ProvenanceLeafCertificate added in v2.1.0

func (n *Npm) ProvenanceLeafCertificate() *x509.Certificate

type SignedAttestation

// SignedAttestation pairs a signed DSSE envelope with the material it was
// verified against: the signing certificate and the verified Rekor entry.
type SignedAttestation struct {
	// Envelope is the signed DSSE envelope.
	Envelope *dsselib.Envelope
	// SigningCert is the signing certificate.
	SigningCert *x509.Certificate
	// RekorEntry is the associated, already verified, Rekor log entry.
	RekorEntry *models.LogEntryAnon
}

SignedAttestation contains a signed DSSE envelope and its associated signing certificate.

func GetValidSignedAttestationWithCert

func GetValidSignedAttestationWithCert(rClient *client.Rekor,
	provenance []byte, trustedRoot *TrustedRoot,
) (*SignedAttestation, error)

GetValidSignedAttestationWithCert finds and validates the matching entry UUIDs with the full in-toto attestation. The attestations generated by the slsa-github-generator libraries contain a signing certificate.

func SearchValidSignedAttestation

func SearchValidSignedAttestation(ctx context.Context, artifactHash string, provenance []byte,
	rClient *client.Rekor, trustedRoot *TrustedRoot,
) (*SignedAttestation, error)

SearchValidSignedAttestation searches for a valid signing certificate using the Rekor Redis search index by using the artifact digest.

func VerifyProvenanceBundle added in v2.1.0

func VerifyProvenanceBundle(ctx context.Context, bundleBytes []byte,
	trustedRoot *TrustedRoot) (
	*SignedAttestation, error,
)

VerifyProvenanceBundle verifies the DSSE envelope using the offline Rekor bundle and returns the verified DSSE envelope containing the provenance, together with the signing certificate.

func VerifyProvenanceSignature

func VerifyProvenanceSignature(ctx context.Context, trustedRoot *TrustedRoot,
	rClient *client.Rekor,
	provenance []byte, artifactHash string) (
	*SignedAttestation, error,
)

Given the provenance and artifact hash, VerifyProvenanceSignature returns the verified DSSE envelope containing the provenance, together with the signing certificate.

type TrustedRoot added in v2.1.0

// TrustedRoot holds the verification material necessary to validate items.
// It MUST be populated out of band (see GetTrustedRoot); the zero value
// trusts nothing.
type TrustedRoot struct {
	// RekorPubKeys is a map from log ID to public keys containing metadata.
	RekorPubKeys *cosign.TrustedTransparencyLogPubKeys

	// CTPubKeys is a map from log ID to public keys for the SCT.
	// (The original comment named this field SctPubKeys; the field is CTPubKeys.)
	CTPubKeys *cosign.TrustedTransparencyLogPubKeys

	// FulcioRoot is the certificate pool for Fulcio roots.
	FulcioRoot *x509.CertPool

	// FulcioIntermediates is the certificate pool for Fulcio intermediates.
	FulcioIntermediates *x509.CertPool
}

TrustedRoot holds the verification material necessary to validate items. It MUST be populated out of band.

func GetTrustedRoot added in v2.1.0

func GetTrustedRoot(ctx context.Context) (*TrustedRoot, error)

type WorkflowIdentity

// WorkflowIdentity is the identity of a GitHub workflow as extracted from a
// Fulcio-authenticated signing certificate (see GetWorkflowInfoFromCertificate).
type WorkflowIdentity struct {
	// CallerRepository is the caller repository.
	CallerRepository string `json:"caller"`
	// CallerHash is the commit SHA where the workflow was triggered.
	CallerHash string `json:"commit"`
	// JobWobWorkflowRef is the ref of the current (reusable) workflow.
	// NOTE(review): the name reads like a typo of JobWorkflowRef (cf. the
	// json tag), but renaming it would break callers.
	JobWobWorkflowRef string `json:"job_workflow_ref"`
	// Trigger is the workflow trigger.
	Trigger string `json:"trigger"`
	// Issuer is the issuer recorded in the certificate
	// (presumably the OIDC issuer; confirm against GetWorkflowInfoFromCertificate).
	Issuer string `json:"issuer"`
}

func GetWorkflowInfoFromCertificate

func GetWorkflowInfoFromCertificate(cert *x509.Certificate) (*WorkflowIdentity, error)

GetWorkflowInfoFromCertificate gets the workflow identity from the Fulcio-authenticated content.
