sign

package
v0.11.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 23, 2024 License: Apache-2.0 Imports: 33 Imported by: 4

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Options 

type Options struct {
	// Logger is the custom logger to be used for message printing.
	Logger *logrus.Logger

	// Verbose can be used to enable a higher log verbosity
	Verbose bool

	// Timeout is the default timeout for network operations.
	// Defaults to 3 minutes
	Timeout time.Duration

	AllowInsecure bool

	// AttachSignature tells the signer to attach or not the new
	// signature to its image
	AttachSignature bool

	OutputSignaturePath   string
	OutputCertificatePath string
	Annotations           []string
	PrivateKeyPath        string
	PublicKeyPath         string
	IgnoreSCT             bool
	IgnoreTlog            bool
	CertIdentity          string
	CertIdentityRegexp    string
	CertOidcIssuer        string
	CertOidcIssuerRegexp  string

	// Identity token for keyless signing
	IdentityToken string

	// EnableTokenProviders tells signer to try to get a
	// token from the cosign providers when needed.
	EnableTokenProviders bool

	// PassFunc is a function that returns a slice of bytes that will be used
	// as a password for decrypting the cosign key. It is used only if PrivateKeyPath
	// is provided (i.e. it's not used for keyless signing).
	// Defaults to nil, which acts as having no password provided at all.
	PassFunc cosign.PassFunc

	// MaxRetries indicates the number of times to retry operations
	// when transient failures occur
	MaxRetries uint

	// The amount of maximum workers for parallel executions.
	// Defaults to 100.
	MaxWorkers uint

	// CacheTimeout is the timeout for the internal caches.
	// Defaults to 2 hours.
	CacheTimeout time.Duration

	// MaxCacheItems is the maximumg amount of items the internal caches can hold.
	// Defaults to 10000.
	MaxCacheItems uint64

	// If a multi-arch image is specified, additionally sign each discrete image.
	// Defaults to false.
	Recursive bool

	// SignContainerIdentity can be used to manually set the
	// .critical.docker-reference field for the signed identity, which is
	// useful when image proxies are being used where the pull reference should
	// match the signature
	SignContainerIdentity string
}

Options can be used to modify the behavior of the signer.

func Default 

func Default() *Options

Default returns a default Options instance.

func (*Options) ToCosignRootOptions added in v0.8.0 

func (o *Options) ToCosignRootOptions() options.RootOptions

type SignedFile added in v0.9.2 

type SignedFile struct {
	// contains filtered or unexported fields
}

SignedFile contains additional metadata from the signing and verification process.

func (*SignedFile) CertificatePath added in v0.9.2 

func (s *SignedFile) CertificatePath() string

CertificatePath returns the path to the Certificate output of the signed file.

func (*SignedFile) Path added in v0.9.2 

func (s *SignedFile) Path() string

Path returns the path hash of the signed file.

func (*SignedFile) SHA256 added in v0.9.2 

func (s *SignedFile) SHA256() string

SHA256 returns the SHA256 hash of the signed file.

func (*SignedFile) SignaturePath added in v0.9.2 

func (s *SignedFile) SignaturePath() string

SignaturePath returns the path to the Signature output of the signed file.

type SignedImage added in v0.9.2 

type SignedImage struct {
	// contains filtered or unexported fields
}

SignedImage contains additional metadata from the signing and verification process.

func (*SignedImage) Digest added in v0.9.2 

func (s *SignedImage) Digest() string

Digest returns the digest of the signed object.

func (*SignedImage) Reference added in v0.9.2 

func (s *SignedImage) Reference() string

Reference returns the OCI registry reference of the object.

func (*SignedImage) Signature added in v0.9.2 

func (s *SignedImage) Signature() string

Signature returns the signature of the signed object.

type SignedObject 

type SignedObject struct {
	// contains filtered or unexported fields
}

SignedObject contains additional metadata from the signing and verification process.

func (*SignedObject) File added in v0.9.2 

func (s *SignedObject) File() *SignedFile

File returns the file of the signed object and nil if it's an image.

func (*SignedObject) Image added in v0.9.2 

func (s *SignedObject) Image() *SignedImage

Image returns the image of the signed object and nil if it's a file.

type Signer 

type Signer struct {
	// contains filtered or unexported fields
}

Signer is the main structure to be used by API consumers.

func New 

func New(options *Options) *Signer

New returns a new Signer instance.

func (*Signer) ImagesSigned added in v0.9.4 

func (s *Signer) ImagesSigned(ctx context.Context, refs ...string) (*sync.Map, error)

ImagesSigned verifies if the provided image references are signed. It returns a sync map where the key is the ref and the value is a boolean which indicates if the image is signed or not. The method runs highly parallel.

func (*Signer) IsFileSigned added in v0.9.2 

func (s *Signer) IsFileSigned(ctx context.Context, path string) (bool, error)

IsFileSigned takes an path reference and return true if there is a signature available for it. It makes no signature verification, only checks to see if there is a TLog to be found on Rekor.

func (*Signer) IsImageSigned 

func (s *Signer) IsImageSigned(imageRef string) (bool, error)

IsImageSigned takes an image reference and returns true if there are signatures available for it. It makes no signature verification, only checks to see if more than one signature is available.

func (*Signer) SetImpl 

func (s *Signer) SetImpl(impl impl)

SetImpl can be used to set the internal implementation, which is mainly used for testing.

func (*Signer) SignFile 

func (s *Signer) SignFile(path string) (*SignedObject, error)

SignFile can be used to sign any provided file path by using keyless signing.

func (*Signer) SignImage 

func (s *Signer) SignImage(reference string) (object *SignedObject, err error)

SignImage can be used to sign any provided container image reference by using keyless signing.

func (*Signer) SignImageWithOptions added in v0.9.4 

func (s *Signer) SignImageWithOptions(options *Options, reference string) (object *SignedObject, err error)

SignImageWithOptions can be used to sign any provided container image reference by using the provided custom options.

func (*Signer) UploadBlob 

func (s *Signer) UploadBlob(path string) error

func (*Signer) VerifyFile 

func (s *Signer) VerifyFile(path string, ignoreTLog bool) (*SignedObject, error)

VerifyFile can be used to validate any provided file path. If no signed entry is found we skip the file without errors.

func (*Signer) VerifyImage 

func (s *Signer) VerifyImage(reference string) (*SignedObject, error)

VerifyImage can be used to validate any provided container image reference by using keyless signing. It ignores unsigned images.

func (*Signer) VerifyImages added in v0.9.4 

func (s *Signer) VerifyImages(refs ...string) (*sync.Map, error)

VerifyImages can be used to validate any provided container image reference list by using keyless signing. It ignores unsigned images. Returns a sync map where the key is the ref (string) and the value is the *SignedObject

Source Files

View all Source files

Directories

Path Synopsis
Code generated by counterfeiter.
 Code generated by counterfeiter.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.