witness

package module

v0.4.0 Latest Latest Go to latest Published: May 14, 2024 License: Apache-2.0 Imports: 38 Imported by: 1

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/in-toto/go-witness

Links

Open Source Insights

README ¶

go-witness

A client library for Witness, written in Go.

Status

This library is currently pre-1.0 and therefore the API may be subject to breaking changes.

Features

Creation and signing of in-toto attestations
Verification of in-toto attestations and associated signatures with:
- Witness policy engine
- OPA Rego policy language
A growing list of attestor types defined under a common interface
A selection of attestation sources to search for attestation collections

Documentation

For more detail regarding the library itself, we recommend viewing pkg.go.dev. For the documentation of the witness project, please view the main witness repository.

Requirements

In order to effectively contribute to this library, you will need:

A Unix-compatible Operating System
GNU Make
Go 1.19

Running Tests

This repository uses Go tests for testing. You can run these tests by executing make test.

Documentation ¶

Index ¶

func Sign(r io.Reader, dataType string, w io.Writer, opts ...dsse.SignOption) error
func VerifySignature(r io.Reader, verifiers ...cryptoutil.Verifier) (dsse.Envelope, error)
type RunOption
type RunResult
- func Run(stepName string, opts ...RunOption) (RunResult, error)deprecated
- func RunWithExports(stepName string, opts ...RunOption) ([]RunResult, error)
type VerifyOption
type VerifyResult
- func Verify(ctx context.Context, policyEnvelope dsse.Envelope, ...) (VerifyResult, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func Sign ¶

func Sign(r io.Reader, dataType string, w io.Writer, opts ...dsse.SignOption) error

func VerifySignature ¶

func VerifySignature(r io.Reader, verifiers ...cryptoutil.Verifier) (dsse.Envelope, error)

Types ¶

type RunOption ¶

type RunOption func(ro *runOptions)

func RunWithAttestationOpts ¶

func RunWithAttestationOpts(opts ...attestation.AttestationContextOption) RunOption

RunWithAttestationOpts takes in any AttestationContextOptions and forwards them to the context that Run creates

func RunWithAttestors ¶

func RunWithAttestors(attestors []attestation.Attestor) RunOption

RunWithAttestors defines which attestors should be run and added to the resulting AttestationCollection

func RunWithInsecure ¶ added in v0.4.0

func RunWithInsecure(insecure bool) RunOption

RunWithInsecure will allow attestations to be generated unsigned. If insecure is true, RunResult will not contain a signed DSSE envelope

func RunWithSigners ¶ added in v0.4.0

func RunWithSigners(signers ...cryptoutil.Signer) RunOption

RunWithSigners configures the signers that will be used to sign the DSSE envelope containing the generated attestation collection.

func RunWithTimestampers ¶

func RunWithTimestampers(ts ...timestamp.Timestamper) RunOption

RunWithTimestampers will timestamp any signatures created on the DSSE time envelope with the provided timestampers

type RunResult ¶

type RunResult struct {
	Collection     attestation.Collection
	SignedEnvelope dsse.Envelope
	AttestorName   string
}

RunResult contains the generated attestation collection as well as the signed DSSE envelope, if one was created.

func Run deprecated

func Run(stepName string, opts ...RunOption) (RunResult, error)

Deprecated: Use RunWithExports instead

func RunWithExports ¶ added in v0.4.0

func RunWithExports(stepName string, opts ...RunOption) ([]RunResult, error)

type VerifyOption ¶

type VerifyOption func(*verifyOptions)

func VerifyWithAttestorOptions ¶ added in v0.4.0

func VerifyWithAttestorOptions(opts ...policyverify.Option) VerifyOption

VerifyWithAttestorOptions forwards the provided options to the policyverify attestor.

func VerifyWithCollectionSource ¶

func VerifyWithCollectionSource(source source.Sourcer) VerifyOption

VerifyWithCollectionSource configures the policy engine's sources for signed attestation collections. For example: disk or archivista are two typical sources.

func VerifyWithPolicyCAIntermediates ¶ added in v0.2.3

func VerifyWithPolicyCAIntermediates(certs []*x509.Certificate) VerifyOption

func VerifyWithPolicyCARoots ¶ added in v0.2.2

func VerifyWithPolicyCARoots(certs []*x509.Certificate) VerifyOption

func VerifyWithPolicyCertConstraints ¶ added in v0.3.0

func VerifyWithPolicyCertConstraints(commonName string, dnsNames []string, emails []string, organizations []string, uris []string) VerifyOption

func VerifyWithPolicyFulcioCertExtensions ¶ added in v0.4.0

func VerifyWithPolicyFulcioCertExtensions(extensions certificate.Extensions) VerifyOption

func VerifyWithPolicyTimestampAuthorities ¶ added in v0.2.2

func VerifyWithPolicyTimestampAuthorities(verifiers []timestamp.TimestampVerifier) VerifyOption

func VerifyWithRunOptions ¶ added in v0.4.0

func VerifyWithRunOptions(opts ...RunOption) VerifyOption

VerifyWithRunOptions forwards the provided RunOptions to the Run function that Verify calls.

func VerifyWithSigners ¶ added in v0.4.0

func VerifyWithSigners(signers ...cryptoutil.Signer) VerifyOption

VerifyWithSigners will configure the provided signers to be used to sign a DSSE envelope with the resulting policyverify attestor. See VerifyWithRunOptions for additional options.

func VerifyWithSubjectDigests ¶

func VerifyWithSubjectDigests(subjectDigests []cryptoutil.DigestSet) VerifyOption

VerifyWithSubjectDigests configured the "seed" subject digests to start evaluating a policy. This is typically the digest of the software artifact or some other identifying digest.

type VerifyResult ¶ added in v0.4.0

type VerifyResult struct {
	RunResult
	VerificationSummary slsa.VerificationSummary
	StepResults         map[string]policy.StepResult
}

func Verify ¶

func Verify(ctx context.Context, policyEnvelope dsse.Envelope, policyVerifiers []cryptoutil.Verifier, opts ...VerifyOption) (VerifyResult, error)

Verify verifies a set of attestations against a provided policy. The set of attestations that satisfy the policy will be returned if verifiation is successful.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
archivista
attestation
aws-iid
commandrun
environment
file
gcp-iit
git
github
gitlab
jwt
link
material
maven
oci
policyverify
product
sarif
slsa
cryptoutil
dsse
internal
attestors
policy
test
intoto
log
policy
registry
schemagen
signer
file
fulcio
kms
kms/aws
kms/gcp
spiffe
vault
slsa
source
timestamp

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL