The highest tagged major version is v2.

gha

package

v1.4.1 Latest Latest Go to latest Published: Oct 8, 2022 License: Apache-2.0 Imports: 44 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/slsa-framework/slsa-verifier

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func EnvelopeFromBytes(payload []byte) (env *dsselib.Envelope, err error)
func FindSigningCertificate(ctx context.Context, uuids []string, dssePayload dsselib.Envelope, ...) (*x509.Certificate, error)
func GetRekorEntries(rClient *client.Rekor, artifactHash string) ([]string, error)
func GetRekorEntriesWithCert(rClient *client.Rekor, provenance []byte) (*dsselib.Envelope, *x509.Certificate, error)
func VerifyBranch(prov *intoto.ProvenanceStatement, expectedBranch string) error
func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts) error
func VerifyProvenanceSignature(ctx context.Context, rClient *client.Rekor, provenance []byte, ...) (*dsselib.Envelope, *x509.Certificate, error)
func VerifyTag(prov *intoto.ProvenanceStatement, expectedTag string) error
func VerifyVersionedTag(prov *intoto.ProvenanceStatement, expectedTag string) error
func VerifyWorkflowIdentity(id *WorkflowIdentity, builderOpts *options.BuilderOpts, source string, ...) (*utils.TrustedBuilderID, error)
func VerifyWorkflowInputs(prov *intoto.ProvenanceStatement, inputs map[string]string) error
type GHAVerifier
- func GHAVerifierNew() *GHAVerifier
type WorkflowIdentity
- func GetWorkflowInfoFromCertificate(cert *x509.Certificate) (*WorkflowIdentity, error)

Constants ¶

View Source

const VerifierName = "GHA"

Variables ¶

This section is empty.

Functions ¶

func EnvelopeFromBytes ¶

func EnvelopeFromBytes(payload []byte) (env *dsselib.Envelope, err error)

func FindSigningCertificate ¶

func FindSigningCertificate(ctx context.Context, uuids []string, dssePayload dsselib.Envelope, rClient *client.Rekor) (*x509.Certificate, error)

FindSigningCertificate finds and verifies a matching signing certificate from a list of Rekor entry UUIDs.

func GetRekorEntries ¶

func GetRekorEntries(rClient *client.Rekor, artifactHash string) ([]string, error)

GetRekorEntries finds all entry UUIDs by the digest of the artifact binary.

func GetRekorEntriesWithCert ¶

func GetRekorEntriesWithCert(rClient *client.Rekor, provenance []byte) (*dsselib.Envelope, *x509.Certificate, error)

GetRekorEntriesWithCert finds all entry UUIDs with the full intoto attestation. The attestation generated by the slsa-github-generator libraries contain a signing certificate.

func VerifyBranch ¶

func VerifyBranch(prov *intoto.ProvenanceStatement, expectedBranch string) error

func VerifyProvenance ¶

func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts) error

func VerifyProvenanceSignature ¶

func VerifyProvenanceSignature(ctx context.Context, rClient *client.Rekor, provenance []byte, artifactHash string) (*dsselib.Envelope, *x509.Certificate, error)

VerifyProvenanceSignature returns the verified DSSE envelope containing the provenance and the signing certificate given the provenance and artifact hash.

func VerifyTag ¶

func VerifyTag(prov *intoto.ProvenanceStatement, expectedTag string) error

func VerifyVersionedTag ¶

func VerifyVersionedTag(prov *intoto.ProvenanceStatement, expectedTag string) error

func VerifyWorkflowIdentity ¶

func VerifyWorkflowIdentity(id *WorkflowIdentity,
	builderOpts *options.BuilderOpts, source string,
	defaultBuilders map[string]bool,
) (*utils.TrustedBuilderID, error)

VerifyWorkflowIdentity verifies the signing certificate information Builder IDs are verified against an expected builder ID provided in the builerOpts, or against the set of defaultBuilders provided.

func VerifyWorkflowInputs ¶ added in v1.3.1

func VerifyWorkflowInputs(prov *intoto.ProvenanceStatement, inputs map[string]string) error

Types ¶

type GHAVerifier ¶

type GHAVerifier struct{}

func GHAVerifierNew ¶

func GHAVerifierNew() *GHAVerifier

func (*GHAVerifier) IsAuthoritativeFor ¶

func (v *GHAVerifier) IsAuthoritativeFor(builderID string) bool

IsAuthoritativeFor returns true of the verifier can verify provenance generated by the builderID.

func (*GHAVerifier) VerifyArtifact ¶

func (v *GHAVerifier) VerifyArtifact(ctx context.Context,
	provenance []byte, artifactHash string,
	provenanceOpts *options.ProvenanceOpts,
	builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error)

VerifyArtifact verifies provenance for an artifact.

func (*GHAVerifier) VerifyImage ¶

func (v *GHAVerifier) VerifyImage(ctx context.Context,
	provenance []byte, artifactImage string,
	provenanceOpts *options.ProvenanceOpts,
	builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error)

VerifyImage verifies provenance for an OCI image.

type WorkflowIdentity ¶

type WorkflowIdentity struct {
	// The caller repository
	CallerRepository string `json:"caller"`
	// The commit SHA where the workflow was triggered
	CallerHash string `json:"commit"`
	// Current workflow (reuseable workflow) ref
	JobWobWorkflowRef string `json:"job_workflow_ref"`
	// Trigger
	Trigger string `json:"trigger"`
	// Issuer
	Issuer string `json:"issuer"`
}

func GetWorkflowInfoFromCertificate ¶

func GetWorkflowInfoFromCertificate(cert *x509.Certificate) (*WorkflowIdentity, error)

GetWorkflowFromCertificate gets the workflow identity from the Fulcio authenticated content.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL