Documentation ¶
Index ¶
- Constants
- Variables
- func CheckCertificatePolicy(cert *x509.Certificate, co *CheckOpts) error
- func CheckExpiry(cert *x509.Certificate, it time.Time) error
- func ComputeLeafHash(e *models.LogEntryAnon) ([]byte, error)
- func ContainsSCT(cert []byte) (bool, error)
- func FindTlogEntry(ctx context.Context, rekorClient *client.Rekor, b64Sig string, ...) ([]models.LogEntryAnon, error)
- func GeneratePrivateKey() (*ecdsa.PrivateKey, error)
- func Get(ctx context.Context) *client.Rekor
- func GetPassFromTerm(confirm bool) ([]byte, error)
- func GetTlogEntry(ctx context.Context, rekorClient *client.Rekor, entryUUID string) (*models.LogEntryAnon, error)
- func GetTransparencyLogID(pub crypto.PublicKey) (string, error)
- func IntotoSubjectClaimVerifier(sig oci.Signature, imageDigest v1.Hash, _ map[string]interface{}) error
- func IsTerminal() bool
- func LoadPrivateKey(key []byte, pass []byte) (signature.SignerVerifier, error)
- func NewVerificationError(msg string, args ...interface{}) error
- func ObsoletePayload(ctx context.Context, digestedImage name.Digest) ([]byte, error)
- func PemToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error)
- func Set(ctx context.Context, rekorClient *client.Rekor) context.Context
- func SimpleClaimVerifier(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error
- func TLogUpload(ctx context.Context, rekorClient *client.Rekor, signature []byte, ...) (*models.LogEntryAnon, error)
- func TLogUploadDSSEEnvelope(ctx context.Context, rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error)
- func TLogUploadInTotoAttestation(ctx context.Context, rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error)
- func TrustedCert(cert *x509.Certificate, roots *x509.CertPool, intermediates *x509.CertPool) ([][]*x509.Certificate, error)
- func ValidateAndUnpackCert(cert *x509.Certificate, co *CheckOpts) (signature.Verifier, error)
- func ValidateAndUnpackCertWithChain(cert *x509.Certificate, chain []*x509.Certificate, co *CheckOpts) (signature.Verifier, error)
- func ValidateAndUnpackCertWithIntermediates(cert *x509.Certificate, co *CheckOpts, intermediateCerts *x509.CertPool) (signature.Verifier, error)
- func VerifyBlobAttestation(ctx context.Context, att oci.Signature, h v1.Hash, co *CheckOpts) (bool, error)
- func VerifyBlobSignature(ctx context.Context, sig oci.Signature, co *CheckOpts) (bundleVerified bool, err error)
- func VerifyBundle(sig oci.Signature, co *CheckOpts) (bool, error)
- func VerifyEmbeddedSCT(ctx context.Context, chain []*x509.Certificate, ...) error
- func VerifyImageAttestation(ctx context.Context, atts oci.Signatures, h v1.Hash, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)
- func VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)
- func VerifyImageSignature(ctx context.Context, sig oci.Signature, h v1.Hash, co *CheckOpts) (bundleVerified bool, err error)
- func VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
- func VerifyLocalImageAttestations(ctx context.Context, path string, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)
- func VerifyLocalImageSignatures(ctx context.Context, path string, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
- func VerifyRFC3161Timestamp(sig oci.Signature, co *CheckOpts) (*timestamp.Timestamp, error)
- func VerifySCT(_ context.Context, certPEM, chainPEM, rawSCT []byte, ...) error
- func VerifySET(bundlePayload cbundle.RekorPayload, signature []byte, pub *ecdsa.PublicKey) error
- func VerifyTLogEntryOffline(ctx context.Context, e *models.LogEntryAnon, ...) error
- type AttestationPayload
- type CertExtensions
- func (ce *CertExtensions) GetCertExtensionGithubWorkflowName() string
- func (ce *CertExtensions) GetCertExtensionGithubWorkflowRef() string
- func (ce *CertExtensions) GetCertExtensionGithubWorkflowRepository() string
- func (ce *CertExtensions) GetCertExtensionGithubWorkflowTrigger() string
- func (ce *CertExtensions) GetExtensionGithubWorkflowSha() string
- func (ce *CertExtensions) GetIssuer() string
- type CheckOpts
- type ErrImageTagNotFound
- type ErrNoCertificateFoundOnSignature
- type ErrNoMatchingAttestations
- type ErrNoMatchingSignatures
- type ErrNoSignaturesFound
- type Identity
- type Keys
- type KeysBytes
- type LocalSignedPayload
- type PassFunc
- type Signatures
- type SignedPayload
- type TransparencyLogPubKey
- type TrustedTransparencyLogPubKeys
- type VerificationError
- type VerificationFailure
Constants ¶
const ( Signature = "signature" SBOM = "sbom" Attestation = "attestation" Digest = "digest" )
const ( CosignPrivateKeyPemType = "ENCRYPTED COSIGN PRIVATE KEY" SigstorePrivateKeyPemType = "ENCRYPTED SIGSTORE PRIVATE KEY" // PEM-encoded PKCS #1 RSA private key RSAPrivateKeyPemType = "RSA PRIVATE KEY" // PEM-encoded ECDSA private key ECPrivateKeyPemType = "EC PRIVATE KEY" // PEM-encoded PKCS #8 RSA, ECDSA or ED25519 private key PrivateKeyPemType = "PRIVATE KEY" BundleKey = static.BundleAnnotationKey RFC3161TimestampKey = static.RFC3161TimestampAnnotationKey )
Variables ¶
var ( // Fulcio cert-extensions, documented here: https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md CertExtensionOIDCIssuer = "1.3.6.1.4.1.57264.1.1" CertExtensionGithubWorkflowTrigger = "1.3.6.1.4.1.57264.1.2" CertExtensionGithubWorkflowSha = "1.3.6.1.4.1.57264.1.3" CertExtensionGithubWorkflowName = "1.3.6.1.4.1.57264.1.4" CertExtensionGithubWorkflowRepository = "1.3.6.1.4.1.57264.1.5" CertExtensionGithubWorkflowRef = "1.3.6.1.4.1.57264.1.6" CertExtensionMap = map[string]string{ CertExtensionOIDCIssuer: "oidcIssuer", CertExtensionGithubWorkflowTrigger: "githubWorkflowTrigger", CertExtensionGithubWorkflowSha: "githubWorkflowSha", CertExtensionGithubWorkflowName: "githubWorkflowName", CertExtensionGithubWorkflowRepository: "githubWorkflowRepository", CertExtensionGithubWorkflowRef: "githubWorkflowRef", } )
var ( // ErrNoMatchingAttestationsMessage exists for backwards compatibility. // Deprecated: see [ErrNoMatchingAttestations]. ErrNoMatchingAttestationsMessage = "no matching attestations" // ErrNoMatchingAttestationsType exists for backwards compatibility. // Deprecated: see [ErrNoMatchingAttestations]. ErrNoMatchingAttestationsType = "NoMatchingAttestations" )
Functions ¶
func CheckCertificatePolicy ¶
func CheckCertificatePolicy(cert *x509.Certificate, co *CheckOpts) error
CheckCertificatePolicy checks that the certificate subject and issuer match the expected values.
func CheckExpiry ¶
func CheckExpiry(cert *x509.Certificate, it time.Time) error
CheckExpiry confirms the time provided is within the valid period of the cert
func ComputeLeafHash ¶
func ComputeLeafHash(e *models.LogEntryAnon) ([]byte, error)
func ContainsSCT ¶
ContainsSCT checks if the certificate contains embedded SCTs. cert can either be DER or PEM encoded.
func FindTlogEntry ¶
func GeneratePrivateKey ¶
func GeneratePrivateKey() (*ecdsa.PrivateKey, error)
TODO(jason): Move this to an internal package.
func Get ¶
Get extracts the Rekor client from the context. TODO(jason): Rename this to something better than pkg/cosign.Get.
func GetPassFromTerm ¶
TODO(jason): Move this to an internal package.
func GetTlogEntry ¶
func GetTransparencyLogID ¶
GetTransparencyLogID generates a SHA256 hash of a DER-encoded public key. (see RFC 6962 S3.2) In CT V1 the log id is a hash of the public key.
func IntotoSubjectClaimVerifier ¶
func IntotoSubjectClaimVerifier(sig oci.Signature, imageDigest v1.Hash, _ map[string]interface{}) error
IntotoSubjectClaimVerifier verifies that sig.Payload() is an Intoto statement which references the given image digest.
func LoadPrivateKey ¶
func LoadPrivateKey(key []byte, pass []byte) (signature.SignerVerifier, error)
TODO(jason): Move this to pkg/signature, the only place it's used, and unimport it.
func NewVerificationError ¶
NewVerificationError exists for backwards compatibility. Deprecated: see VerificationFailure.
func ObsoletePayload ¶ added in v2.0.2
ObsoletePayload returns the implied payload that some commands expect to match the signature if no payload is provided by the user. DO NOT ADD ANY NEW CALLERS OF THIS.
func PemToECDSAKey ¶
TODO(jason): Move this to an internal package.
func SimpleClaimVerifier ¶
func SimpleClaimVerifier(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error
SimpleClaimVerifier verifies that sig.Payload() is a SimpleContainerImage payload which references the given image digest and contains the given annotations.
func TLogUpload ¶
func TLogUpload(ctx context.Context, rekorClient *client.Rekor, signature []byte, sha256CheckSum hash.Hash, pemBytes []byte) (*models.LogEntryAnon, error)
TLogUpload will upload the signature, public key and payload to the transparency log.
func TLogUploadDSSEEnvelope ¶ added in v2.1.0
func TLogUploadDSSEEnvelope(ctx context.Context, rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error)
TLogUploadDSSEEnvelope will upload a DSSE entry for the signature and public key to the Rekor transparency log.
func TLogUploadInTotoAttestation ¶
func TLogUploadInTotoAttestation(ctx context.Context, rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error)
TLogUploadInTotoAttestation will upload an in-toto entry for the signature and public key to the transparency log.
func TrustedCert ¶
func TrustedCert(cert *x509.Certificate, roots *x509.CertPool, intermediates *x509.CertPool) ([][]*x509.Certificate, error)
func ValidateAndUnpackCert ¶
ValidateAndUnpackCert creates a Verifier from a certificate. Verifies that the certificate chains up to a trusted root using intermediate certificate chain coming from CheckOpts. Optionally verifies the subject and issuer of the certificate.
func ValidateAndUnpackCertWithChain ¶
func ValidateAndUnpackCertWithChain(cert *x509.Certificate, chain []*x509.Certificate, co *CheckOpts) (signature.Verifier, error)
ValidateAndUnpackCertWithChain creates a Verifier from a certificate. Verifies that the certificate chains up to the provided root. Chain should start with the parent of the certificate and end with the root. Optionally verifies the subject and issuer of the certificate.
func ValidateAndUnpackCertWithIntermediates ¶ added in v2.2.3
func ValidateAndUnpackCertWithIntermediates(cert *x509.Certificate, co *CheckOpts, intermediateCerts *x509.CertPool) (signature.Verifier, error)
ValidateAndUnpackCertWithIntermediates creates a Verifier from a certificate. Verifies that the certificate chains up to a trusted root using intermediate cert passed as separate argument. Optionally verifies the subject and issuer of the certificate.
func VerifyBlobAttestation ¶
func VerifyBlobSignature ¶
func VerifyBlobSignature(ctx context.Context, sig oci.Signature, co *CheckOpts) (bundleVerified bool, err error)
VerifyBlobSignature verifies a blob signature.
func VerifyBundle ¶
This verifies an offline bundle contained in the sig against the trusted Rekor publicKeys.
func VerifyEmbeddedSCT ¶
func VerifyEmbeddedSCT(ctx context.Context, chain []*x509.Certificate, pubKeys *TrustedTransparencyLogPubKeys) error
VerifyEmbeddedSCT verifies an embedded SCT in a certificate.
func VerifyImageAttestation ¶ added in v2.2.0
func VerifyImageAttestations ¶
func VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)
VerifyImageAttestations does all the main cosign checks in a loop, returning the verified attestations. If there were no valid attestations, we return an error.
func VerifyImageSignature ¶
func VerifyImageSignature(ctx context.Context, sig oci.Signature, h v1.Hash, co *CheckOpts) (bundleVerified bool, err error)
VerifyImageSignature verifies a signature
func VerifyImageSignatures ¶
func VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
VerifyImageSignatures does all the main cosign checks in a loop, returning the verified signatures. If there were no valid signatures, we return an error. Note that if co.ExperimentlOCI11 is set, we will attempt to verify signatures using the experimental OCI 1.1 behavior.
func VerifyLocalImageAttestations ¶
func VerifyLocalImageAttestations(ctx context.Context, path string, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)
VerifyLocalImageAttestations verifies attestations from a saved, local image, without any network calls, returning the verified attestations. If there were no valid signatures, we return an error.
func VerifyLocalImageSignatures ¶
func VerifyLocalImageSignatures(ctx context.Context, path string, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
VerifyLocalImageSignatures verifies signatures from a saved, local image, without any network calls, returning the verified signatures. If there were no valid signatures, we return an error.
func VerifyRFC3161Timestamp ¶
VerifyRFC3161Timestamp verifies that the timestamp in sig is correctly signed, and if so, returns the timestamp value. It returns (nil, nil) if there is no timestamp, or (nil, err) if there is an invalid timestamp or if no root is provided with a timestamp.
func VerifySCT ¶
func VerifySCT(_ context.Context, certPEM, chainPEM, rawSCT []byte, pubKeys *TrustedTransparencyLogPubKeys) error
VerifySCT verifies SCTs against the Fulcio CT log public key.
The SCT is a `Signed Certificate Timestamp`, which promises that the certificate issued by Fulcio was also added to the public CT log within some defined time period.
VerifySCT can verify an SCT list embedded in the certificate, or a detached SCT provided by Fulcio.
Note that we can't pass in the CheckOpts here which has both RawSCT and CTLogPubKeys due to import cycle, so they are pulled out from the struct to arguments here.
By default the public keys comes from TUF, but you can override this for test purposes by using an env variable `SIGSTORE_CT_LOG_PUBLIC_KEY_FILE`. If using an alternate, the file can be PEM, or DER format.
func VerifyTLogEntryOffline ¶
func VerifyTLogEntryOffline(ctx context.Context, e *models.LogEntryAnon, rekorPubKeys *TrustedTransparencyLogPubKeys) error
VerifyTLogEntryOffline verifies a TLog entry against a map of trusted rekorPubKeys indexed by log id.
Types ¶
type AttestationPayload ¶
type AttestationPayload struct { PayloadType string `json:"payloadType"` PayLoad string `json:"payload"` Signatures []Signatures `json:"signatures"` }
func FetchAttestations ¶ added in v2.1.0
func FetchAttestations(se oci.SignedEntity, predicateType string) ([]AttestationPayload, error)
type CertExtensions ¶
type CertExtensions struct {
Cert *x509.Certificate
}
func (*CertExtensions) GetCertExtensionGithubWorkflowName ¶
func (ce *CertExtensions) GetCertExtensionGithubWorkflowName() string
GetCertExtensionGithubWorkflowName returns the GitHub Workflow Name for a Certificate
func (*CertExtensions) GetCertExtensionGithubWorkflowRef ¶
func (ce *CertExtensions) GetCertExtensionGithubWorkflowRef() string
GetCertExtensionGithubWorkflowRef returns the GitHub Workflow Ref for a Certificate
func (*CertExtensions) GetCertExtensionGithubWorkflowRepository ¶
func (ce *CertExtensions) GetCertExtensionGithubWorkflowRepository() string
GetCertExtensionGithubWorkflowRepository returns the GitHub Workflow Repository for a Certificate
func (*CertExtensions) GetCertExtensionGithubWorkflowTrigger ¶
func (ce *CertExtensions) GetCertExtensionGithubWorkflowTrigger() string
GetCertExtensionGithubWorkflowTrigger returns the GitHub Workflow Trigger for a Certificate
func (*CertExtensions) GetExtensionGithubWorkflowSha ¶
func (ce *CertExtensions) GetExtensionGithubWorkflowSha() string
GetExtensionGithubWorkflowSha returns the GitHub Workflow SHA for a Certificate
func (*CertExtensions) GetIssuer ¶
func (ce *CertExtensions) GetIssuer() string
GetIssuer returns the issuer for a Certificate
type CheckOpts ¶
type CheckOpts struct { // RegistryClientOpts are the options for interacting with the container registry. RegistryClientOpts []ociremote.Option // Annotations optionally specifies image signature annotations to verify. Annotations map[string]interface{} // ClaimVerifier, if provided, verifies claims present in the oci.Signature. ClaimVerifier func(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error // RekorClient, if set, is used to make online tlog calls use to verify signatures and public keys. RekorClient *client.Rekor // RekorPubKeys, if set, is used to validate signatures on log entries from // Rekor. It is a map from LogID to crypto.PublicKey. LogID is // derived from the PublicKey (see RFC 6962 S3.2). // Note that even though the type is of crypto.PublicKey, Rekor only allows // for ecdsa.PublicKey: https://github.com/sigstore/cosign/issues/2540 RekorPubKeys *TrustedTransparencyLogPubKeys // SigVerifier is used to verify signatures. SigVerifier signature.Verifier // PKOpts are the options provided to `SigVerifier.PublicKey()`. PKOpts []signature.PublicKeyOption // RootCerts are the root CA certs used to verify a signature's chained certificate. RootCerts *x509.CertPool // IntermediateCerts are the optional intermediate CA certs used to verify a certificate chain. IntermediateCerts *x509.CertPool // CertGithubWorkflowTrigger is the GitHub Workflow Trigger name expected for a certificate to be valid. The empty string means any certificate can be valid. CertGithubWorkflowTrigger string // CertGithubWorkflowSha is the GitHub Workflow SHA expected for a certificate to be valid. The empty string means any certificate can be valid. CertGithubWorkflowSha string // CertGithubWorkflowName is the GitHub Workflow Name expected for a certificate to be valid. The empty string means any certificate can be valid. CertGithubWorkflowName string // CertGithubWorkflowRepository is the GitHub Workflow Repository expected for a certificate to be valid. The empty string means any certificate can be valid. CertGithubWorkflowRepository string // CertGithubWorkflowRef is the GitHub Workflow Ref expected for a certificate to be valid. The empty string means any certificate can be valid. CertGithubWorkflowRef string // IgnoreSCT requires that a certificate contain an embedded SCT during verification. An SCT is proof of inclusion in a // certificate transparency log. IgnoreSCT bool // Detached SCT. Optional, as the SCT is usually embedded in the certificate. SCT []byte // CTLogPubKeys, if set, is used to validate SCTs against those keys. // It is a map from log id to LogIDMetadata. It is a map from LogID to crypto.PublicKey. LogID is derived from the PublicKey (see RFC 6962 S3.2). CTLogPubKeys *TrustedTransparencyLogPubKeys // SignatureRef is the reference to the signature file. PayloadRef should always be specified as well (though it’s possible for a _some_ signatures to be verified without it, with a warning). SignatureRef string // PayloadRef is a reference to the payload file. Applicable only if SignatureRef is set. PayloadRef string // Identities is an array of Identity (Subject, Issuer) matchers that have // to be met for the signature to ve valid. Identities []Identity // Force offline verification of the signature Offline bool // Set of flags to verify an RFC3161 timestamp used for trusted timestamping // TSACertificate is the certificate used to sign the timestamp. Optional, if provided in the timestamp TSACertificate *x509.Certificate // TSARootCertificates are the set of roots to verify the TSA certificate TSARootCertificates []*x509.Certificate // TSAIntermediateCertificates are the set of intermediates for chain building TSAIntermediateCertificates []*x509.Certificate // IgnoreTlog skip tlog verification IgnoreTlog bool // The amount of maximum workers for parallel executions. // Defaults to 10. MaxWorkers int // Should the experimental OCI 1.1 behaviour be enabled or not. // Defaults to false. ExperimentalOCI11 bool }
CheckOpts are the options for checking signatures.
type ErrImageTagNotFound ¶ added in v2.1.0
type ErrImageTagNotFound struct {
// contains filtered or unexported fields
}
func (*ErrImageTagNotFound) Error ¶ added in v2.1.0
func (e *ErrImageTagNotFound) Error() string
func (*ErrImageTagNotFound) Unwrap ¶ added in v2.1.0
func (e *ErrImageTagNotFound) Unwrap() error
type ErrNoCertificateFoundOnSignature ¶ added in v2.1.0
type ErrNoCertificateFoundOnSignature struct {
// contains filtered or unexported fields
}
func (*ErrNoCertificateFoundOnSignature) Error ¶ added in v2.1.0
func (e *ErrNoCertificateFoundOnSignature) Error() string
func (*ErrNoCertificateFoundOnSignature) Unwrap ¶ added in v2.1.0
func (e *ErrNoCertificateFoundOnSignature) Unwrap() error
type ErrNoMatchingAttestations ¶ added in v2.1.0
type ErrNoMatchingAttestations struct {
// contains filtered or unexported fields
}
func (*ErrNoMatchingAttestations) Error ¶ added in v2.1.0
func (e *ErrNoMatchingAttestations) Error() string
func (*ErrNoMatchingAttestations) Unwrap ¶ added in v2.1.0
func (e *ErrNoMatchingAttestations) Unwrap() error
type ErrNoMatchingSignatures ¶ added in v2.1.0
type ErrNoMatchingSignatures struct {
// contains filtered or unexported fields
}
func (*ErrNoMatchingSignatures) Error ¶ added in v2.1.0
func (e *ErrNoMatchingSignatures) Error() string
func (*ErrNoMatchingSignatures) Unwrap ¶ added in v2.1.0
func (e *ErrNoMatchingSignatures) Unwrap() error
type ErrNoSignaturesFound ¶ added in v2.1.0
type ErrNoSignaturesFound struct {
// contains filtered or unexported fields
}
func (*ErrNoSignaturesFound) Error ¶ added in v2.1.0
func (e *ErrNoSignaturesFound) Error() string
func (*ErrNoSignaturesFound) Unwrap ¶ added in v2.1.0
func (e *ErrNoSignaturesFound) Unwrap() error
type Identity ¶
Identity specifies an issuer/subject to verify a signature against. Both IssuerRegExp/SubjectRegExp support regexp while Issuer/Subject are for strict matching.
type KeysBytes ¶
type KeysBytes struct { PrivateBytes []byte PublicBytes []byte // contains filtered or unexported fields }
TODO(jason): Move this to an internal package.
func GenerateKeyPair ¶
TODO(jason): Move this to an internal package.
func ImportKeyPair ¶
TODO(jason): Move this to the only place it's used in cmd/cosign/cli/importkeypair, and unexport it.
type LocalSignedPayload ¶
type LocalSignedPayload struct { Base64Signature string `json:"base64Signature"` Cert string `json:"cert,omitempty"` Bundle *bundle.RekorBundle `json:"rekorBundle,omitempty"` }
func FetchLocalSignedPayloadFromPath ¶
func FetchLocalSignedPayloadFromPath(path string) (*LocalSignedPayload, error)
FetchLocalSignedPayloadFromPath fetches a local signed payload from a path to a file
type PassFunc ¶
PassFunc is the function to be called to retrieve the signer password. If nil, then it assumes that no password is provided.
type Signatures ¶
type SignedPayload ¶
type SignedPayload struct { Base64Signature string Payload []byte Cert *x509.Certificate Chain []*x509.Certificate Bundle *bundle.RekorBundle RFC3161Timestamp *bundle.RFC3161Timestamp }
type TransparencyLogPubKey ¶
type TransparencyLogPubKey struct { PubKey crypto.PublicKey Status tuf.StatusKind }
TransparencyLogPubKey contains the ECDSA verification key and the current status of the key according to TUF metadata, whether it's active or expired.
type TrustedTransparencyLogPubKeys ¶
type TrustedTransparencyLogPubKeys struct { // A map of keys indexed by log ID Keys map[string]TransparencyLogPubKey }
This is a map of TransparencyLog public keys indexed by log ID that's used in verification.
func GetCTLogPubs ¶
func GetCTLogPubs(ctx context.Context) (*TrustedTransparencyLogPubKeys, error)
GetCTLogPubs retrieves trusted CTLog public keys from the embedded or cached TUF root. If expired, makes a network call to retrieve the updated targets. By default the public keys comes from TUF, but you can override this for test purposes by using an env variable `SIGSTORE_CT_LOG_PUBLIC_KEY_FILE`. If using an alternate, the file can be PEM, or DER format.
func GetRekorPubs ¶
func GetRekorPubs(ctx context.Context) (*TrustedTransparencyLogPubKeys, error)
GetRekorPubs retrieves trusted Rekor public keys from the embedded or cached TUF root. If expired, makes a network call to retrieve the updated targets. There are two Env variable that can be used to override this behaviour: SIGSTORE_REKOR_PUBLIC_KEY - If specified, location of the file that contains the Rekor Public Key on local filesystem
func NewTrustedTransparencyLogPubKeys ¶
func NewTrustedTransparencyLogPubKeys() TrustedTransparencyLogPubKeys
func (*TrustedTransparencyLogPubKeys) AddTransparencyLogPubKey ¶
func (t *TrustedTransparencyLogPubKeys) AddTransparencyLogPubKey(pemBytes []byte, status tuf.StatusKind) error
constructRekorPubkey returns a log ID and RekorPubKey from a given byte-array representing the PEM-encoded Rekor key and a status.
type VerificationError ¶
type VerificationError struct {
// contains filtered or unexported fields
}
VerificationError exists for backwards compatibility. Deprecated: see VerificationFailure.
func (*VerificationError) Error ¶
func (e *VerificationError) Error() string
type VerificationFailure ¶ added in v2.1.0
type VerificationFailure struct {
// contains filtered or unexported fields
}
VerificationFailure is the type of Go error that is used by cosign to surface errors actually related to verification (vs. transient, misconfiguration, transport, or authentication related issues).
func (*VerificationFailure) Error ¶ added in v2.1.0
func (e *VerificationFailure) Error() string
func (*VerificationFailure) Unwrap ¶ added in v2.1.0
func (e *VerificationFailure) Unwrap() error