cosign

package

v1.3.4 Latest Latest Go to latest Published: Dec 27, 2021 License: Apache-2.0 Imports: 48 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/venafi-iw/cosign

Documentation ¶

Index ¶

Constants
func FindTLogEntriesByPayload(ctx context.Context, rekorClient *client.Rekor, payload []byte) (uuids []string, err error)
func FindTlogEntry(ctx context.Context, rekorClient *client.Rekor, b64Sig string, ...) (uuid string, index int64, err error)
func GeneratePrivateKey() (*ecdsa.PrivateKey, error)
func GetRekorPub(ctx context.Context) ([]byte, error)
func GetTlogEntry(ctx context.Context, rekorClient *client.Rekor, uuid string) (*models.LogEntryAnon, error)
func IntotoSubjectClaimVerifier(sig oci.Signature, imageDigest v1.Hash, _ map[string]interface{}) error
func LoadECDSAPrivateKey(key []byte, pass []byte) (*signature.ECDSASignerVerifier, error)
func PemToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error)
func SimpleClaimVerifier(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error
func TLogUpload(ctx context.Context, rekorClient *client.Rekor, signature, payload []byte, ...) (*models.LogEntryAnon, error)
func TLogUploadInTotoAttestation(ctx context.Context, rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error)
func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error
func VerifyBundle(ctx context.Context, sig oci.Signature) (bool, error)
func VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)
func VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
func VerifyLocalImageAttestations(ctx context.Context, path string, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)
func VerifyLocalImageSignatures(ctx context.Context, path string, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
func VerifySET(bundlePayload oci.BundlePayload, signature []byte, pub *ecdsa.PublicKey) error
type AttestationPayload
- func FetchAttestationsForReference(ctx context.Context, ref name.Reference, opts ...ociremote.Option) ([]AttestationPayload, error)
type CheckOpts
type Keys
- func GenerateKeyPair(pf PassFunc) (*Keys, error)
- func (k *Keys) Password() []byte
type PassFunc
type Signatures
type SignedPayload
- func FetchSignaturesForReference(ctx context.Context, ref name.Reference, opts ...ociremote.Option) ([]SignedPayload, error)

Constants ¶

View Source

const (
	SignatureTagSuffix   = ".sig"
	SBOMTagSuffix        = ".sbom"
	AttestationTagSuffix = ".att"
)

View Source

const (
	Signature   = "signature"
	SBOM        = "sbom"
	Attestation = "attestation"
)

View Source

const (
	PrivakeKeyPemType = "ENCRYPTED COSIGN PRIVATE KEY"

	BundleKey = static.BundleAnnotationKey
)

Variables ¶

This section is empty.

Functions ¶

func FindTLogEntriesByPayload ¶

func FindTLogEntriesByPayload(ctx context.Context, rekorClient *client.Rekor, payload []byte) (uuids []string, err error)

func FindTlogEntry ¶

func FindTlogEntry(ctx context.Context, rekorClient *client.Rekor, b64Sig string, payload, pubKey []byte) (uuid string, index int64, err error)

func GeneratePrivateKey ¶

func GeneratePrivateKey() (*ecdsa.PrivateKey, error)

func GetRekorPub ¶

func GetRekorPub(ctx context.Context) ([]byte, error)

GetRekorPub retrieves the rekor public key from the embedded or cached TUF root. If expired, makes a network call to retrieve the updated target.

func GetTlogEntry ¶

func GetTlogEntry(ctx context.Context, rekorClient *client.Rekor, uuid string) (*models.LogEntryAnon, error)

func IntotoSubjectClaimVerifier ¶

func IntotoSubjectClaimVerifier(sig oci.Signature, imageDigest v1.Hash, _ map[string]interface{}) error

IntotoSubjectClaimVerifier verifies that sig.Payload() is an Intoto statement which references the given image digest.

func LoadECDSAPrivateKey ¶

func LoadECDSAPrivateKey(key []byte, pass []byte) (*signature.ECDSASignerVerifier, error)

func PemToECDSAKey ¶

func PemToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error)

func SimpleClaimVerifier ¶

func SimpleClaimVerifier(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error

SimpleClaimVerifier verifies that sig.Payload() is a SimpleContainerImage payload which references the given image digest and contains the given annotations.

func TLogUpload ¶

func TLogUpload(ctx context.Context, rekorClient *client.Rekor, signature, payload []byte, pemBytes []byte) (*models.LogEntryAnon, error)

TLogUpload will upload the signature, public key and payload to the transparency log.

func TLogUploadInTotoAttestation ¶

func TLogUploadInTotoAttestation(ctx context.Context, rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error)

TLogUploadInTotoAttestation will upload and in-toto entry for the signature and public key to the transparency log.

func TrustedCert ¶

func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error

func VerifyBundle ¶

func VerifyBundle(ctx context.Context, sig oci.Signature) (bool, error)

func VerifyImageAttestations ¶

func VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)

VerifyAttestations does all the main cosign checks in a loop, returning the verified attestations. If there were no valid attestations, we return an error.

func VerifyImageSignatures ¶

func VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)

VerifyImageSignatures does all the main cosign checks in a loop, returning the verified signatures. If there were no valid signatures, we return an error.

func VerifyLocalImageAttestations ¶

func VerifyLocalImageAttestations(ctx context.Context, path string, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)

VerifyLocalImageAttestations verifies attestations from a saved, local image, without any network calls, returning the verified attestations. If there were no valid signatures, we return an error.

func VerifyLocalImageSignatures ¶

func VerifyLocalImageSignatures(ctx context.Context, path string, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)

VerifyLocalImageSignatures verifies signatures from a saved, local image, without any network calls, returning the verified signatures. If there were no valid signatures, we return an error.

func VerifySET ¶

func VerifySET(bundlePayload oci.BundlePayload, signature []byte, pub *ecdsa.PublicKey) error

Types ¶

type AttestationPayload ¶

type AttestationPayload struct {
	PayloadType string       `json:"payloadType"`
	PayLoad     string       `json:"payload"`
	Signatures  []Signatures `json:"signatures"`
}

func FetchAttestationsForReference ¶

func FetchAttestationsForReference(ctx context.Context, ref name.Reference, opts ...ociremote.Option) ([]AttestationPayload, error)

type CheckOpts ¶

type CheckOpts struct {
	// RegistryClientOpts are the options for interacting with the container registry.
	RegistryClientOpts []ociremote.Option

	// Annotations optionally specifies image signature annotations to verify.
	Annotations map[string]interface{}
	// ClaimVerifier, if provided, verifies claims present in the oci.Signature.
	ClaimVerifier func(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error

	// RekorClient, if set, is used to use to verify signatures and public keys.
	RekorClient *client.Rekor

	// SigVerifier is used to verify signatures.
	SigVerifier signature.Verifier
	// PKOpts are the options provided to `SigVerifier.PublicKey()`.
	PKOpts []signature.PublicKeyOption

	// RootCerts are the root CA certs used to verify a signature's chained certificate.
	RootCerts *x509.CertPool
	// CertEmail is the email expected for a certificate to be valid. The empty string means any certificate can be valid.
	CertEmail string

	// SignatureRef is the reference to the signature file
	SignatureRef string
}

CheckOpts are the options for checking signatures.

type Keys ¶

type Keys struct {
	PrivateBytes []byte
	PublicBytes  []byte
	// contains filtered or unexported fields
}

func GenerateKeyPair ¶

func GenerateKeyPair(pf PassFunc) (*Keys, error)

func (*Keys) Password ¶

func (k *Keys) Password() []byte

type PassFunc ¶

type PassFunc func(bool) ([]byte, error)

type Signatures ¶

type Signatures struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

type SignedPayload ¶

type SignedPayload struct {
	Base64Signature string
	Payload         []byte
	Cert            *x509.Certificate
	Chain           []*x509.Certificate
	Bundle          *oci.Bundle
}

func FetchSignaturesForReference ¶

func FetchSignaturesForReference(ctx context.Context, ref name.Reference, opts ...ociremote.Option) ([]SignedPayload, error)

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
attestation
cue
git
github
gitlab
kubernetes
webhook
pivkey
pkcs11key
rego
remote
tuf

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL