gcb

package
Published: Oct 8, 2022 License: Apache-2.0 Imports: 18 Imported by: 0


Constants

const (
	// PredicateSLSAProvenance represents a build provenance for an artifact.
	// It is the SLSA provenance v0.1 predicate type URI. VerifyIntotoHeaders
	// checks that the statement carries the expected SLSA predicate, which is
	// presumably this value — confirm against the implementation.
	PredicateSLSAProvenance = "https://slsa.dev/provenance/v0.1"
)
// VerifierName is the name under which the GCB verifier is identified.
const VerifierName = "GCB"

Variables

// GCBBuilderIDs lists the Google Cloud Build builder IDs this package treats
// as trusted. It acts as an allow-list — presumably consulted by
// IsAuthoritativeFor and VerifyBuilder when deciding whether a provenance's
// builder is accepted; confirm against the implementation.
// NOTE(review): the slice is exported and mutable, so any importer can alter
// the allow-list at runtime; callers should treat it as read-only.
var GCBBuilderIDs = []string{
	"https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.2",
	"https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3",
}

Functions

This section is empty.

Types

type DigestSet added in v1.4.0

// DigestSet contains a set of digests. It is represented as a map from
// algorithm name (for example "sha256") to lowercase hex-encoded value.
type DigestSet map[string]string

DigestSet contains a set of digests. It is represented as a map from algorithm name to lowercase hex-encoded value.

type GCBVerifier

// GCBVerifier verifies SLSA provenance produced by Google Cloud Build (GCB).
// Construct it with GCBVerifierNew; the struct carries no state.
type GCBVerifier struct{}

func GCBVerifierNew

func GCBVerifierNew() *GCBVerifier

func (*GCBVerifier) IsAuthoritativeFor

func (v *GCBVerifier) IsAuthoritativeFor(builderIDName string) bool

IsAuthoritativeFor returns true if the verifier can verify provenance generated by the builder ID.

func (*GCBVerifier) VerifyArtifact

func (v *GCBVerifier) VerifyArtifact(ctx context.Context,
	provenance []byte, artifactHash string,
	provenanceOpts *options.ProvenanceOpts,
	builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error)

VerifyArtifact verifies provenance for an artifact.

func (*GCBVerifier) VerifyImage

func (v *GCBVerifier) VerifyImage(ctx context.Context,
	provenance []byte, artifactImage string,
	provenanceOpts *options.ProvenanceOpts,
	builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error)

VerifyImage verifies provenance for an OCI image.

type Provenance added in v1.4.0

// Provenance is a parsed GCB provenance payload. Construct it with
// ProvenanceFromBytes and check it with the Verify* methods (signature,
// in-toto headers, builder, subject digest, source URI, branch, tag,
// metadata, summary and text provenance) before relying on the statement
// returned by GetVerifiedIntotoStatement.
type Provenance struct {
	// contains filtered or unexported fields
}

func ProvenanceFromBytes added in v1.4.0

func ProvenanceFromBytes(payload []byte) (*Provenance, error)

func (*Provenance) GetVerifiedIntotoStatement added in v1.4.0

func (self *Provenance) GetVerifiedIntotoStatement() ([]byte, error)

func (*Provenance) VerifyBranch added in v1.4.0

func (self *Provenance) VerifyBranch(branch string) error

func (*Provenance) VerifyBuilder added in v1.4.0

func (self *Provenance) VerifyBuilder(builderOpts *options.BuilderOpts) (*utils.TrustedBuilderID, error)

VerifyBuilder verifies the builder in the DSSE payload: in the recipe type, in the recipe argument type, and in the predicate builder ID.

func (*Provenance) VerifyIntotoHeaders added in v1.4.0

func (self *Provenance) VerifyIntotoHeaders() error

VerifyIntotoHeaders verifies the headers are intoto format and the expected slsa predicate.

func (*Provenance) VerifyMetadata added in v1.4.0

func (self *Provenance) VerifyMetadata(provenanceOpts *options.ProvenanceOpts) error

VerifyMetadata verifies additional metadata contained in the provenance, which is not part of the DSSE payload or headers. It is part of the payload returned by `gcloud artifacts docker images describe image:tag --format json --show-provenance`.

func (*Provenance) VerifySignature added in v1.4.0

func (self *Provenance) VerifySignature() error

VerifySignature verifies the signature for a provenance.

func (*Provenance) VerifySourceURI added in v1.4.0

func (self *Provenance) VerifySourceURI(expectedSourceURI string, builderID utils.TrustedBuilderID) error

VerifySourceURI verifies the source URI in the provenance statement.

func (*Provenance) VerifySubjectDigest added in v1.4.0

func (self *Provenance) VerifySubjectDigest(expectedHash string) error

VerifySubjectDigest verifies the sha256 of the subject.

func (*Provenance) VerifySummary added in v1.4.0

func (self *Provenance) VerifySummary(provenanceOpts *options.ProvenanceOpts) error

VerifySummary verifies the content of the `image_summary` structure returned by `gcloud artifacts docker images describe image:tag --format json --show-provenance`.

func (*Provenance) VerifyTag added in v1.4.0

func (self *Provenance) VerifyTag(tag string) error

func (*Provenance) VerifyTextProvenance added in v1.4.0

func (self *Provenance) VerifyTextProvenance() error

VerifyTextProvenance verifies the text provenance prepended to the provenance. This text mirrors the DSSE payload but is human-readable.

func (*Provenance) VerifyVersionedTag added in v1.4.0

func (self *Provenance) VerifyVersionedTag(tag string) error

type ProvenanceBuilder added in v1.4.0

// ProvenanceBuilder identifies the entity that executed the build steps.
type ProvenanceBuilder struct {
	// ID is the builder identifier, serialized as "id". For GCB it is
	// presumably matched against GCBBuilderIDs by VerifyBuilder — confirm
	// against the implementation.
	ID string `json:"id"`
}

ProvenanceBuilder identifies the entity that executed the build steps.

type ProvenanceComplete added in v1.4.0

// ProvenanceComplete indicates whether the claims in build/recipe are
// complete. For in-depth information refer to the specification:
// https://github.com/in-toto/attestation/blob/v0.1.0/spec/predicates/provenance.md
type ProvenanceComplete struct {
	// Arguments reports whether the recipe arguments are complete.
	Arguments   bool `json:"arguments"`
	// Environment reports whether the recipe environment is complete.
	Environment bool `json:"environment"`
	// Materials reports whether the materials list is complete.
	Materials   bool `json:"materials"`
}

ProvenanceComplete indicates whether the claims in build/recipe are complete. For in-depth information refer to the specification: https://github.com/in-toto/attestation/blob/v0.1.0/spec/predicates/provenance.md

type ProvenanceMaterial added in v1.4.0

// ProvenanceMaterial defines the materials used to build an artifact.
type ProvenanceMaterial struct {
	// URI locates the material; serialized as "uri".
	URI    string    `json:"uri"`
	// Digest holds the material's digests keyed by algorithm name; omitted
	// from the JSON encoding when empty.
	Digest DigestSet `json:"digest,omitempty"`
}

ProvenanceMaterial defines the materials used to build an artifact.

type ProvenanceMetadata added in v1.4.0

// ProvenanceMetadata contains metadata for the built artifact.
type ProvenanceMetadata struct {
	// Use pointer to make sure that the absence of a time is not
	// encoded as the Epoch time.
	BuildStartedOn  *time.Time         `json:"buildStartedOn,omitempty"`
	BuildFinishedOn *time.Time         `json:"buildFinishedOn,omitempty"`
	// Completeness records which parts of the recipe/materials are claimed
	// to be complete; it is always encoded (no omitempty).
	Completeness    ProvenanceComplete `json:"completeness"`
	// Reproducible is the builder's reproducibility claim, serialized as
	// "reproducible".
	Reproducible    bool               `json:"reproducible"`
}

ProvenanceMetadata contains metadata for the built artifact.

type ProvenancePredicate added in v1.4.0

// ProvenancePredicate is the provenance predicate definition (the SLSA
// provenance v0.1 predicate body; see PredicateSLSAProvenance).
type ProvenancePredicate struct {
	// Builder identifies who ran the build.
	Builder   ProvenanceBuilder    `json:"builder"`
	// Recipe describes what the builder executed.
	Recipe    ProvenanceRecipe     `json:"recipe"`
	// Metadata is optional; a nil pointer is omitted from the encoding.
	Metadata  *ProvenanceMetadata  `json:"metadata,omitempty"`
	// Materials lists the build inputs; omitted from the encoding when empty.
	Materials []ProvenanceMaterial `json:"materials,omitempty"`
}

ProvenancePredicate is the provenance predicate definition.

type ProvenanceRecipe added in v1.4.0

// ProvenanceRecipe describes the actions performed by the builder.
type ProvenanceRecipe struct {
	// Type is the recipe type URI, serialized as "type".
	Type string `json:"type"`
	// DefinedInMaterial can be sent as the null pointer to indicate that
	// the value is not present.
	// DefinedInMaterial *int        `json:"definedInMaterial,omitempty"`
	// EntryPoint names where the build started within the recipe.
	EntryPoint  string      `json:"entryPoint"`
	// Arguments and Environment are builder-specific and left untyped
	// here; both are omitted from the encoding when nil.
	Arguments   interface{} `json:"arguments,omitempty"`
	Environment interface{} `json:"environment,omitempty"`
}

ProvenanceRecipe describes the actions performed by the builder.
