Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Config ¶
type Config struct {
	RekorURL            string
	RegistryCredentials map[string]*RegistryCredential
	AllowedIdentities   map[string][]string
	SkippedImages       map[string]struct{}
	IgnoreSCT           bool
	IgnoreTlog          bool
	IgnoreAttestations  bool
	Logger              hclog.Logger
}
Config holds configuration for the ImageVerifier.
func NewConfigFromHCL ¶
type HCLConfig ¶
type HCLConfig struct {
	// AllowedIdentities maps an issuer to the subjects allowed under it. A signature is
	// accepted only if the signing certificate's issuer and subject both match one of these entries.
	AllowedIdentities map[string][]string `hcl:"allowed_identities" json:"allowed_identities"`

	// SkippedImages is a list of images that skip sigstore verification entirely.
	SkippedImages []string `hcl:"skipped_images" json:"skipped_images"`

	// RekorURL is the URL of the Rekor transparency log server used to verify entries.
	RekorURL *string `hcl:"rekor_url,omitempty" json:"rekor_url,omitempty"`

	// IgnoreSCT specifies whether to bypass the requirement for a Signed Certificate Timestamp (SCT)
	// during verification. An SCT is proof of inclusion in a Certificate Transparency log.
	IgnoreSCT *bool `hcl:"ignore_sct,omitempty" json:"ignore_sct,omitempty"`

	// IgnoreTlog specifies whether to bypass the requirement for transparency log verification
	// during signature validation.
	IgnoreTlog *bool `hcl:"ignore_tlog,omitempty" json:"ignore_tlog,omitempty"`

	// IgnoreAttestations specifies whether to bypass verification of the image's attestations.
	IgnoreAttestations *bool `hcl:"ignore_attestations,omitempty" json:"ignore_attestations,omitempty"`

	// RegistryCredentials is a map of credentials keyed by registry URL.
	RegistryCredentials map[string]*RegistryCredential `hcl:"registry_credentials,omitempty" json:"registry_credentials,omitempty"`
}
type ImageVerifier ¶
type ImageVerifier struct {
// contains filtered or unexported fields
}
ImageVerifier implements the Verifier interface.
func NewVerifier ¶
func NewVerifier(config *Config) *ImageVerifier
func (*ImageVerifier) Init ¶
func (v *ImageVerifier) Init(ctx context.Context) error
Init prepares the verifier by retrieving the Fulcio certificates and the Rekor and CT log public keys.
func (*ImageVerifier) Verify ¶
Verify validates the image's signatures, attestations, and transparency log entries using Cosign and Rekor. The imageID parameter is expected to be in the format "repository@sha256:digest". It returns selectors derived from the image signature and the Rekor bundle details. Cosign checks that the signing certificate's issuer and subject match the configured allowed identities. If the image is in the skip list, verification is bypassed and an empty list of selectors is returned. A cache is used to avoid redundant verifications. An error is returned if verification of the image's signatures or attestations fails.
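The following is an added example written for this page; it is not code from the package itself. It shows how the configuration fields described under HCLConfig above and the checks described for Verify fit together: strict parsing of the "repository@sha256:digest" image ID, the skip list short-circuiting verification, the issuer-and-subject rule for allowed identities, and a lint that names every ignore_* switch that has been turned on. The Policy and SignerIdentity types, the Evaluate helper and its ordering of checks (parse, then skip list, then identity), the skip-list key convention (full reference or bare repository) and the sample GitHub Actions issuer and workflow subject are all assumptions made for the example; the cryptographic signature and Rekor checks themselves are out of scope here.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed identity values for the example (not taken from the page).
const (
	ghIssuer        = "https://token.actions.githubusercontent.com"
	releaseWorkflow = "https://github.com/example-org/example-app/.github/workflows/release.yaml@refs/tags/v1.2.3"
)

// Policy is a hypothetical stand-in for the identity- and skip-related fields of the verifier's Config; it is not the package's own type.
type Policy struct {
	AllowedIdentities  map[string][]string // issuer -> exact subjects accepted for that issuer
	SkippedImages      map[string]struct{} // image references that bypass verification
	IgnoreSCT          bool
	IgnoreTlog         bool
	IgnoreAttestations bool
}

// SignerIdentity is what a Fulcio-issued signing certificate asserts about the signer (constructed here, read from the certificate in a real verifier).
type SignerIdentity struct{ Issuer, Subject string }

// ParseImageID splits "repository@sha256:<64 lowercase hex>" into repository and digest.
// Tags, other algorithms and malformed digests are rejected so policy is always applied to an immutable reference.
func ParseImageID(imageID string) (string, string, error) {
	repo, digest, ok := strings.Cut(imageID, "@")
	if !ok || repo == "" || !strings.HasPrefix(digest, "sha256:") {
		return "", "", fmt.Errorf("image id %q: expected repository@sha256:digest", imageID)
	}
	if h := strings.TrimPrefix(digest, "sha256:"); len(h) != 64 || strings.Trim(h, "0123456789abcdef") != "" {
		return "", "", fmt.Errorf("image id %q: digest must be 64 lowercase hex characters", imageID)
	}
	return repo, digest, nil
}

// IdentityAllowed enforces the issuer AND subject rule: the issuer must be a key in AllowedIdentities
// and the subject must be listed under that same issuer. Matching is exact; no regex support is shown.
func (p Policy) IdentityAllowed(id SignerIdentity) bool {
	for _, s := range p.AllowedIdentities[id.Issuer] {
		if s == id.Subject {
			return true
		}
	}
	return false
}

// WeakSettings names the ignore_* switches that are enabled. Each one removes a check the
// sigstore trust model relies on, so a production policy should normally return none.
func (p Policy) WeakSettings() []string {
	var weak []string
	if p.IgnoreSCT {
		weak = append(weak, "ignore_sct: certificate need not be logged in the CT log")
	}
	if p.IgnoreTlog {
		weak = append(weak, "ignore_tlog: signature need not have a Rekor entry")
	}
	if p.IgnoreAttestations {
		weak = append(weak, "ignore_attestations: attestations are not verified")
	}
	return weak
}

// Evaluate chains the checks in an order chosen for this example: malformed ids fail, skipped images
// short-circuit with no verification, otherwise the signer identity must be allowed. The skip list is
// assumed to hold either the full "repository@digest" reference or the bare repository.
func (p Policy) Evaluate(imageID string, id SignerIdentity) (string, error) {
	repo, _, err := ParseImageID(imageID)
	if err != nil {
		return "", err
	}
	_, skipFull := p.SkippedImages[imageID]
	_, skipRepo := p.SkippedImages[repo]
	if skipFull || skipRepo {
		return "skipped", nil
	}
	if !p.IdentityAllowed(id) {
		return "", fmt.Errorf("signer issuer=%q subject=%q is not in allowed_identities", id.Issuer, id.Subject)
	}
	return "verified-identity", nil
}

func main() {
	policy := Policy{
		AllowedIdentities: map[string][]string{ghIssuer: {releaseWorkflow}},
		SkippedImages:     map[string]struct{}{"docker.io/library/busybox": {}},
		IgnoreTlog:        true, // deliberately weak, so WeakSettings has something to flag
	}
	img := "ghcr.io/example-org/example-app@sha256:" + strings.Repeat("ab", 32) // constructed digest
	res, err := policy.Evaluate(img, SignerIdentity{Issuer: ghIssuer, Subject: releaseWorkflow})
	fmt.Println(res, err)
	_, err = policy.Evaluate(img, SignerIdentity{Issuer: "https://accounts.google.com", Subject: releaseWorkflow})
	fmt.Println("wrong issuer:", err)
	fmt.Println(policy.WeakSettings())
}
```

The point of keying the identity check on the issuer first is that a subject string is only meaningful relative to the identity provider that vouched for it; accepting a known subject from any issuer would let a different provider mint the same string. Likewise, each ignore_* switch should be treated as a conscious exception rather than a default: with ignore_tlog set, a signature made by a compromised but otherwise valid identity leaves no Rekor record to audit.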