gha

package
Published: Mar 25, 2024 License: Apache-2.0 Imports: 53 Imported by: 0

Constants

// VerifierName is the name under which this verifier is identified.
const VerifierName = "GHA"

Variables

// Bundle specific errors.

// ErrorMismatchSignature is returned when the bundle's tlog entry does not match the signature.
var ErrorMismatchSignature = errors.New("bundle tlog entry does not match signature")

// ErrorUnexpectedEntryType is returned when the tlog entry is not of the expected type.
var ErrorUnexpectedEntryType = errors.New("unexpected tlog entry type")

// ErrorMissingCertInBundle is returned when the bundle carries no signing certificate.
var ErrorMissingCertInBundle = errors.New("missing signing certificate in bundle")

// ErrorUnexpectedBundleContent is returned when the bundle content is not a DSSE envelope.
var ErrorUnexpectedBundleContent = errors.New("expected DSSE bundle content")

Bundle specific errors.

// JReleaserRepository is the JReleaser action repository, formed by joining the
// unexported httpsGithubCom prefix with jReleaserActionRepository (both defined elsewhere in the package).
var JReleaserRepository = httpsGithubCom + jReleaserActionRepository

Functions

func EnvelopeFromBytes

func EnvelopeFromBytes(payload []byte) (env *dsselib.Envelope, err error)

EnvelopeFromBytes reads a DSSE envelope from the given payload.

func IsSigstoreBundle added in v2.1.0

func IsSigstoreBundle(bytes []byte) bool

IsSigstoreBundle checks if the provenance is a Sigstore bundle.

func VerifyBranch

func VerifyBranch(prov iface.Provenance, expectedBranch string) error

VerifyBranch verifies that the source branch in the provenance matches the expected value.

func VerifyBuilderIdentity added in v2.1.0

func VerifyBuilderIdentity(id *WorkflowIdentity,
	builderOpts *options.BuilderOpts,
	defaultBuilders map[string]bool,
) (*utils.TrustedBuilderID, bool, error)

VerifyBuilderIdentity verifies the signing certificate information. Builder IDs are verified against an expected builder ID provided in the builderOpts, or against the set of defaultBuilders provided. The identity in the certificate corresponds to a GitHub workflow's path.

func VerifyCertficateSourceRepository added in v2.1.0

func VerifyCertficateSourceRepository(id *WorkflowIdentity,
	sourceRepo string,
) error

VerifyCertficateSourceRepository verifies that the source repository recorded in the workflow identity matches sourceRepo.

func VerifyNpmPackageProvenance added in v2.1.0

func VerifyNpmPackageProvenance(env *dsselib.Envelope, workflow *WorkflowIdentity,
	provenanceOpts *options.ProvenanceOpts, trustedBuilderID *utils.TrustedBuilderID, isTrustedBuilder bool,
) error

VerifyNpmPackageProvenance verifies provenance for an npm package.

func VerifyProvenance

func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts, trustedBuilderID *utils.TrustedBuilderID, byob bool,
	expectedID *string) error

VerifyProvenance verifies the provenance for the given DSSE envelope.

func VerifyProvenanceCommonOptions added in v2.1.0

func VerifyProvenanceCommonOptions(prov iface.Provenance, provenanceOpts *options.ProvenanceOpts) error

VerifyProvenanceCommonOptions verifies the given provenance against the common provenanceOpts.

func VerifyTag

func VerifyTag(prov iface.Provenance, expectedTag string) error

VerifyTag verifies that the source tag in the provenance matches the expected value.

func VerifyVersionedTag

func VerifyVersionedTag(prov iface.Provenance, expectedTag string) error

VerifyVersionedTag verifies that the source tag in the provenance matches the expected semver value.

func VerifyWorkflowInputs

func VerifyWorkflowInputs(prov iface.Provenance, inputs map[string]string) error

VerifyWorkflowInputs verifies that the workflow inputs in the provenance match the expected values.

Types

type BundleBytes added in v2.1.0

// BundleBytes is a byte slice with custom JSON decoding; see UnmarshalJSON.
type BundleBytes []byte

func (*BundleBytes) UnmarshalJSON added in v2.1.0

func (b *BundleBytes) UnmarshalJSON(data []byte) error

type GHAVerifier

// GHAVerifier verifies provenance for artifacts, OCI images and npm packages;
// see VerifyArtifact, VerifyImage and VerifyNpmPackage. Construct it with GHAVerifierNew.
type GHAVerifier struct{}

func GHAVerifierNew

func GHAVerifierNew() *GHAVerifier

func (*GHAVerifier) IsAuthoritativeFor

func (v *GHAVerifier) IsAuthoritativeFor(builderID string) bool

IsAuthoritativeFor returns true if the verifier can verify provenance generated by the builderID.

func (*GHAVerifier) VerifyArtifact

func (v *GHAVerifier) VerifyArtifact(ctx context.Context,
	provenance []byte, artifactHash string,
	provenanceOpts *options.ProvenanceOpts,
	builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error)

VerifyArtifact verifies provenance for an artifact.

func (*GHAVerifier) VerifyImage

func (v *GHAVerifier) VerifyImage(ctx context.Context,
	provenance []byte, artifactImage string, provenanceOpts *options.ProvenanceOpts,
	builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error)

VerifyImage verifies provenance for an OCI image.

func (*GHAVerifier) VerifyNpmPackage added in v2.1.0

func (v *GHAVerifier) VerifyNpmPackage(ctx context.Context,
	attestations []byte, tarballHash string,
	provenanceOpts *options.ProvenanceOpts,
	builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error)

VerifyNpmPackage verifies an npm package tarball.

type Hosted added in v2.3.0

// Hosted is the hosted status of a workflow subject (see WorkflowIdentity.SubjectHosted).
type Hosted int
const (
	// HostedSelf denotes a self-hosted subject.
	HostedSelf Hosted = iota
	// HostedGitHub denotes a GitHub-hosted subject.
	HostedGitHub
)

type Npm added in v2.1.0

// Npm holds the npm attestations parsed by NpmNew; the provenance envelope and its
// leaf certificate are exposed through ProvenanceEnvelope and ProvenanceLeafCertificate.
type Npm struct {
	// contains filtered or unexported fields
}

func NpmNew added in v2.1.0

func NpmNew(ctx context.Context, root *TrustedRoot, attestationBytes []byte) (*Npm, error)

func (*Npm) ProvenanceEnvelope added in v2.1.0

func (n *Npm) ProvenanceEnvelope() *dsse.Envelope

func (*Npm) ProvenanceLeafCertificate added in v2.1.0

func (n *Npm) ProvenanceLeafCertificate() *x509.Certificate

type SignedAttestation

type SignedAttestation struct {
	// Envelope is the signed DSSE envelope.
	Envelope *dsselib.Envelope
	// SigningCert is the signing certificate.
	SigningCert *x509.Certificate
	// RekorEntry is the associated verified Rekor entry.
	RekorEntry *models.LogEntryAnon
}

SignedAttestation contains a signed DSSE envelope and its associated signing certificate.

func GetValidSignedAttestationWithCert

func GetValidSignedAttestationWithCert(rClient *client.Rekor,
	provenance []byte, trustedRoot *TrustedRoot,
) (*SignedAttestation, error)

GetValidSignedAttestationWithCert finds and validates the matching entry UUIDs with the full in-toto attestation. An attestation generated by the slsa-github-generator libraries contains a signing certificate.

func SearchValidSignedAttestation

func SearchValidSignedAttestation(ctx context.Context, artifactHash string, provenance []byte,
	rClient *client.Rekor, trustedRoot *TrustedRoot,
) (*SignedAttestation, error)

SearchValidSignedAttestation searches the Rekor Redis search index by artifact digest for a valid signing certificate.

func VerifyProvenanceBundle added in v2.1.0

func VerifyProvenanceBundle(ctx context.Context, bundleBytes []byte,
	trustedRoot *TrustedRoot) (
	*SignedAttestation, error,
)

VerifyProvenanceBundle verifies the DSSE envelope using the offline Rekor bundle and returns the verified DSSE envelope containing the provenance together with the signing certificate.

func VerifyProvenanceSignature

func VerifyProvenanceSignature(ctx context.Context, trustedRoot *TrustedRoot,
	rClient *client.Rekor,
	provenance []byte, artifactHash string) (
	*SignedAttestation, error,
)

VerifyProvenanceSignature returns the verified DSSE envelope containing the provenance and the signing certificate given the provenance and artifact hash.

type TrustedRoot added in v2.1.0

type TrustedRoot struct {
	// RekorPubKeys is a map from log ID to public keys containing metadata.
	RekorPubKeys *cosign.TrustedTransparencyLogPubKeys

	// CTPubKeys is a map from log ID to public keys for the SCT.
	CTPubKeys *cosign.TrustedTransparencyLogPubKeys

	// FulcioRoot is the certificate pool for Fulcio roots.
	FulcioRoot *x509.CertPool

	// FulcioIntermediates is the certificate pool for Fulcio intermediates.
	FulcioIntermediates *x509.CertPool
}

TrustedRoot holds the verification material necessary to validate items. It MUST be populated out of band.

func TrustedRootSingleton added in v2.3.0

func TrustedRootSingleton(ctx context.Context) (*TrustedRoot, error)

type WorkflowIdentity

type WorkflowIdentity struct {
	// SourceRepository is the source repository.
	SourceRepository string
	// SourceSha1 is the commit SHA where the workflow was triggered.
	SourceSha1 string
	// SourceRef is the ref of the source.
	SourceRef *string
	// SourceID is the ID of the source repository.
	SourceID *string
	// SourceOwnerID is the owner ID of the source repository.
	SourceOwnerID *string

	// SubjectWorkflow is the workflow path OIDC subject: the ref of the reusable workflow or the trigger workflow.
	SubjectWorkflow *url.URL
	// SubjectSha1 is the subject commit SHA-1.
	SubjectSha1 *string
	// SubjectHosted is the hosted status of the subject.
	SubjectHosted *Hosted

	// BuildTrigger is the build trigger.
	BuildTrigger string
	// BuildConfigPath is the build config path, i.e. the trigger workflow.
	BuildConfigPath *string

	// RunID is the run ID.
	RunID *string
	// Issuer is the issuer of the identity.
	Issuer string
}

WorkflowIdentity is an identity captured from a Fulcio certificate. See https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md.

func (*WorkflowIdentity) SubjectWorkflowName added in v2.4.0

func (id *WorkflowIdentity) SubjectWorkflowName() string

SubjectWorkflowName returns the subject workflow without the git ref.

func (*WorkflowIdentity) SubjectWorkflowPath added in v2.4.0

func (id *WorkflowIdentity) SubjectWorkflowPath() string

SubjectWorkflowPath returns the subject workflow without the server url.

func (*WorkflowIdentity) SubjectWorkflowRef added in v2.3.0

func (id *WorkflowIdentity) SubjectWorkflowRef() string

SubjectWorkflowRef returns the ref for the subject workflow.
