verify

package

v0.0.0-...-52527b8 Latest Latest Go to latest Published: Apr 26, 2024 License: Apache-2.0 Imports: 29 Imported by: 1

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/openshift/library-go

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func GetSignaturesAsConfigmap(digest string, signatures [][]byte) (*corev1.ConfigMap, error)
type Interface
- func NewFromManifests(manifests []manifest.Manifest, clientBuilder sigstore.HTTPClient) (Interface, error)
- func NewReleaseVerifier(verifiers map[string]openpgp.EntityList, store store.Store) Interface
type PersistentSignatureStore
type SignatureSource
type StorePersister
- func NewSignatureStorePersister(dst PersistentSignatureStore, src SignatureSource) *StorePersister
- func (p *StorePersister) Run(ctx context.Context, interval time.Duration)

Constants ¶

View Source

const (
	// ReleaseAnnotationConfigMapVerifier is an annotation set on a config map in the
	// release payload to indicate that this config map controls signing for the payload.
	// Only the first config map within the payload should be used, regardless of whether
	// it has data. See NewFromConfigMapData for more.
	ReleaseAnnotationConfigMapVerifier = "release.openshift.io/verification-config-map"
)

Variables ¶

This section is empty.

Functions ¶

func GetSignaturesAsConfigmap ¶

func GetSignaturesAsConfigmap(digest string, signatures [][]byte) (*corev1.ConfigMap, error)

GetSignaturesAsConfigmap returns the given signatures in a config map. Uses util.DigestToKeyPrefix to replace colon with dash when saving digest to config map.

Types ¶

type Interface ¶

type Interface interface {
	// Verify should return nil if the provided release digest has sufficient signatures to be considered
	// valid. It should return an error in all other cases.
	Verify(ctx context.Context, releaseDigest string) error

	// Signatures returns a copy of any cached signatures that have been validated
	// so far. It may return no signatures.
	Signatures() map[string][][]byte

	// Verifiers returns a copy of the verifiers in this payload.
	Verifiers() map[string]openpgp.EntityList

	// AddStore adds additional stores for signature verification.
	AddStore(additionalStore store.Store)
}

Interface performs verification of the provided content. The default implementation in this package uses the container signature format defined at https://github.com/containers/image to authenticate that a given release image digest has been signed by a trusted party.

var Reject Interface = rejectVerifier{}

Reject fails always fails verification.

func NewFromManifests ¶

func NewFromManifests(manifests []manifest.Manifest, clientBuilder sigstore.HTTPClient) (Interface, error)

NewFromManifests fetches the first config map in the manifest list with the correct annotation. It returns an error if the data is not valid, or no verifier if a config map wth the required annotation is not found. See the verify package for more details on the algorithm for verification. If the annotation is set, a verifier or error is always returned.

func NewReleaseVerifier ¶

func NewReleaseVerifier(verifiers map[string]openpgp.EntityList, store store.Store) Interface

NewReleaseVerifier creates a release verifier for the provided inputs.

type PersistentSignatureStore ¶

type PersistentSignatureStore interface {
	// Store saves the provided signatures or return an error. If context
	// reaches its deadline the store should be cancelled.
	Store(ctx context.Context, signatures map[string][][]byte) error
}

PersistentSignatureStore is a store that can save signatures for later recovery.

type SignatureSource ¶

type SignatureSource interface {
	// Signatures returns a list of valid signatures for release digests.
	Signatures() map[string][][]byte
}

SignatureSource provides a set of signatures by digest to save.

type StorePersister ¶

type StorePersister struct {
	// contains filtered or unexported fields
}

StorePersister saves signatures into store periodically.

func NewSignatureStorePersister ¶

func NewSignatureStorePersister(dst PersistentSignatureStore, src SignatureSource) *StorePersister

NewSignatureStorePersister creates an instance that can save signatures into the destination store.

func (*StorePersister) Run ¶

func (p *StorePersister) Run(ctx context.Context, interval time.Duration)

Run flushes signatures to the provided store every interval or until the context is finished. After context is done, it runs one more time to attempt to flush the current state. It does not return until that last store completes.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
store Package store defines generic interfaces for signature stores.	Package store defines generic interfaces for signature stores.
configmap
memory Package memory implements an in-memory signature store.	Package memory implements an in-memory signature store.
parallel Package parallel combines several signature stores in a single store.	Package parallel combines several signature stores in a single store.
serial Package serial combines several signature stores in a single store.	Package serial combines several signature stores in a single store.
sigstore Package sigstore retrieves signatures using the sig-store protocol described in [1].	Package sigstore retrieves signatures using the sig-store protocol described in [1].
util

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL