- Constants
- func EnvelopeFromBytes(payload []byte) (env *dsselib.Envelope, err error)
- func FindSigningCertificate(ctx context.Context, uuids []string, dssePayload dsselib.Envelope, ...) (*x509.Certificate, error)
- func GetRekorEntries(rClient *client.Rekor, artifactHash string) ([]string, error)
- func GetRekorEntriesWithCert(rClient *client.Rekor, provenance []byte) (*dsselib.Envelope, *x509.Certificate, error)
- func VerifyBranch(prov *intoto.ProvenanceStatement, expectedBranch string) error
- func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts) error
- func VerifyProvenanceSignature(ctx context.Context, rClient *client.Rekor, provenance []byte, ...) (*dsselib.Envelope, *x509.Certificate, error)
- func VerifyTag(prov *intoto.ProvenanceStatement, expectedTag string) error
- func VerifyVersionedTag(prov *intoto.ProvenanceStatement, expectedTag string) error
- func VerifyWorkflowIdentity(id *WorkflowIdentity, builderOpts *options.BuilderOpts, source string, ...) (*utils.TrustedBuilderID, error)
- func VerifyWorkflowInputs(prov *intoto.ProvenanceStatement, inputs map[string]string) error
- type GHAVerifier
- func (v *GHAVerifier) IsAuthoritativeFor(builderID string) bool
- func (v *GHAVerifier) VerifyArtifact(ctx context.Context, provenance []byte, artifactHash string, ...) ([]byte, *utils.TrustedBuilderID, error)
- func (v *GHAVerifier) VerifyImage(ctx context.Context, provenance []byte, artifactImage string, ...) ([]byte, *utils.TrustedBuilderID, error)
- type WorkflowIdentity
Constants ¶
const VerifierName = "GHA"
Functions ¶
func FindSigningCertificate ¶
func FindSigningCertificate(ctx context.Context, uuids []string, dssePayload dsselib.Envelope, rClient *client.Rekor) (*x509.Certificate, error)
FindSigningCertificate finds and verifies a matching signing certificate from a list of Rekor entry UUIDs.
func GetRekorEntries ¶
GetRekorEntries finds all entry UUIDs by the digest of the artifact binary.
func GetRekorEntriesWithCert ¶
func GetRekorEntriesWithCert(rClient *client.Rekor, provenance []byte) (*dsselib.Envelope, *x509.Certificate, error)
GetRekorEntriesWithCert finds all entry UUIDs with the full in-toto attestation. The attestation generated by the slsa-github-generator libraries contains a signing certificate.
func VerifyBranch ¶
func VerifyBranch(prov *intoto.ProvenanceStatement, expectedBranch string) error
func VerifyProvenance ¶
func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts) error
func VerifyProvenanceSignature ¶
func VerifyProvenanceSignature(ctx context.Context, rClient *client.Rekor, provenance []byte, artifactHash string) (*dsselib.Envelope, *x509.Certificate, error)
VerifyProvenanceSignature returns the verified DSSE envelope containing the provenance and the signing certificate given the provenance and artifact hash.
func VerifyVersionedTag ¶
func VerifyVersionedTag(prov *intoto.ProvenanceStatement, expectedTag string) error
func VerifyWorkflowIdentity ¶
func VerifyWorkflowIdentity(id *WorkflowIdentity, builderOpts *options.BuilderOpts, source string, defaultBuilders map[string]bool, ) (*utils.TrustedBuilderID, error)
VerifyWorkflowIdentity verifies the signing certificate information. Builder IDs are verified against the expected builder ID provided in builderOpts, or against the set of defaultBuilders provided.
func VerifyWorkflowInputs ¶ added in v1.3.1
func VerifyWorkflowInputs(prov *intoto.ProvenanceStatement, inputs map[string]string) error
Types ¶
type GHAVerifier ¶
type GHAVerifier struct{}
func GHAVerifierNew ¶
func GHAVerifierNew() *GHAVerifier
func (*GHAVerifier) IsAuthoritativeFor ¶
func (v *GHAVerifier) IsAuthoritativeFor(builderID string) bool
IsAuthoritativeFor returns true if the verifier can verify provenance generated by the builderID.
func (*GHAVerifier) VerifyArtifact ¶
func (v *GHAVerifier) VerifyArtifact(ctx context.Context, provenance []byte, artifactHash string, provenanceOpts *options.ProvenanceOpts, builderOpts *options.BuilderOpts, ) ([]byte, *utils.TrustedBuilderID, error)
VerifyArtifact verifies provenance for an artifact.
func (*GHAVerifier) VerifyImage ¶
func (v *GHAVerifier) VerifyImage(ctx context.Context, provenance []byte, artifactImage string, provenanceOpts *options.ProvenanceOpts, builderOpts *options.BuilderOpts, ) ([]byte, *utils.TrustedBuilderID, error)
VerifyImage verifies provenance for an OCI image.
type WorkflowIdentity ¶
type WorkflowIdentity struct { // The caller repository CallerRepository string `json:"caller"` // The commit SHA where the workflow was triggered CallerHash string `json:"commit"` // Current workflow (reuseable workflow) ref JobWobWorkflowRef string `json:"job_workflow_ref"` // Trigger Trigger string `json:"trigger"` // Issuer Issuer string `json:"issuer"` }
func GetWorkflowInfoFromCertificate ¶
func GetWorkflowInfoFromCertificate(cert *x509.Certificate) (*WorkflowIdentity, error)
GetWorkflowInfoFromCertificate gets the workflow identity from the Fulcio-authenticated content of the certificate.