Documentation
Overview
Package build contains the internal components used to implement the verifier.
Types
type ReleaseImplicitMetadata
type ReleaseImplicitMetadata struct {
	OSV1      note.Verifier
	OSV2      note.Verifier
	AppV      note.Verifier
	BootV     note.Verifier
	RecoveryV note.Verifier
	AllV      note.Verifiers
	Envs      []string
	Cleanup   func()
}
ReleaseImplicitMetadata stores all of the information needed to reproduce and verify releases. This is all of the data that is not passed in-band with the release (i.e. is not in the Makefile or code). To be maximally useful, it exposes its state as environment variables, which is how the values are consumed. Some of these variables point at files, which need to be cleaned up after use. The owner of this object must perform that cleanup by calling the Cleanup function.
func NewReleaseImplicitMetadata
func NewReleaseImplicitMetadata(logV, osV1, osV2, appV, bootV, recoveryV string) (*ReleaseImplicitMetadata, error)
type ReproducibleBuildVerifier
type ReproducibleBuildVerifier struct {
// contains filtered or unexported fields
}
ReproducibleBuildVerifier checks out the source code referenced by a manifest and determines whether it can reproduce the final build artifacts.
func NewReproducibleBuildVerifier
func NewReproducibleBuildVerifier(cleanup bool, tamago Tamago, metadata *ReleaseImplicitMetadata) (*ReproducibleBuildVerifier, error)
NewReproducibleBuildVerifier returns a ReproducibleBuildVerifier that will delete any temporary git repositories after use if cleanup is true, or leave them around for further investigation if false.
func (*ReproducibleBuildVerifier) Verify
func (v *ReproducibleBuildVerifier) Verify(ctx context.Context, i uint64, manifest []byte) (bool, error)
Verify checks everything that can be checked about a manifest in isolation:
- That it is a valid note signed by the correct release signer
- That this note contains a valid manifest file
- That the binary committed to in the manifest file can be reproducibly built
Returns true if the build was successfully reproduced, false otherwise, or an error if the build process itself failed.
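The order of the three checks and the difference between a false result and an error can be modelled with the standard library alone. This is an added example, not the package's own code: it assumes a raw Ed25519 signature in place of the signed-note format, a hypothetical JSON manifest (`GitCommit`, `SHA256`), and a hypothetical `rebuild` callback standing in for the real build. It also assumes that signature and manifest failures are reported as errors, which the documentation above does not specify.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

type manifest struct{ GitCommit, SHA256 string } // hypothetical schema; SHA256 is a hex digest

// verifyRelease models the three checks; Ed25519 and rebuild are stand-ins (assumptions).
func verifyRelease(pub ed25519.PublicKey, body, sig []byte, rebuild func(string) ([]byte, error)) (bool, error) {
	if !ed25519.Verify(pub, body, sig) { // 1. authenticate the bytes before parsing them
		return false, errors.New("manifest is not signed by the release signer")
	}
	var m manifest
	if err := json.Unmarshal(body, &m); err != nil { // 2. manifest must be well formed
		return false, fmt.Errorf("invalid manifest: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return false, errors.New("invalid manifest: bad SHA256 field")
	}
	bin, err := rebuild(m.GitCommit) // 3. rebuild from the committed source
	if err != nil {
		return false, fmt.Errorf("build failed: %w", err) // process broke: no verdict
	}
	got := sha256.Sum256(bin)
	return bytes.Equal(got[:], want), nil // false: built cleanly but the bits differ
}

// sample returns a constructed key, signed manifest and the binary it commits to.
func sample() (pub ed25519.PublicKey, body, sig, bin []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	bin = []byte("constructed firmware image")
	sum := sha256.Sum256(bin)
	body = []byte(`{"GitCommit":"c0ffee","SHA256":"` + hex.EncodeToString(sum[:]) + `"}`)
	return pub, body, ed25519.Sign(priv, body), bin
}

func main() {
	pub, body, sig, bin := sample()
	ok, err := verifyRelease(pub, body, sig, func(string) ([]byte, error) { return append(bin, 0), nil })
	fmt.Println(ok, err) // false <nil>: the build ran but did not reproduce
}
```

A caller should treat only `true, nil` as a verified release; `false, nil` means the published binary does not match the source, while a non-nil error means no conclusion was reached.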