Documentation
¶
Overview ¶
Package signature implements signing and verification of pipeline steps.
Index ¶
- Constants
- func Sign(_ context.Context, key jwk.Key, sf SignedFielder, opts ...Option) (*pipeline.Signature, error)
- func SignSteps(ctx context.Context, s pipeline.Steps, key jwk.Key, repoURL string, ...) error
- func Verify(ctx context.Context, s *pipeline.Signature, keySet jwk.Set, sf SignedFielder, ...) error
- type CommandStepWithInvariants
- type Logger
- type Option
- type SignedFielder
Constants ¶
const EnvNamespacePrefix = "env::"
EnvNamespacePrefix is the string that prefixes all fields in the "env" namespace. This is used to separate signed data that came from the environment from data that came from an object.
Variables ¶
This section is empty.
Functions ¶
func Sign ¶
func Sign(_ context.Context, key jwk.Key, sf SignedFielder, opts ...Option) (*pipeline.Signature, error)
Sign computes a new signature for an environment (env) combined with an object containing values (sf) using a given key.
func SignSteps ¶
func SignSteps(ctx context.Context, s pipeline.Steps, key jwk.Key, repoURL string, opts ...Option) error
SignSteps adds signatures to each command step (and recursively to any command steps that are within group steps). The steps are mutated directly, so an error part-way through may leave some steps un-signed.
Types ¶
type CommandStepWithInvariants ¶ added in v0.2.0
type CommandStepWithInvariants struct { pipeline.CommandStep RepositoryURL string }
CommandStepWithInvariants is a CommandStep with PipelineInvariants.
func (*CommandStepWithInvariants) SignedFields ¶ added in v0.2.0
func (c *CommandStepWithInvariants) SignedFields() (map[string]any, error)
SignedFields returns the default fields for signing.
func (*CommandStepWithInvariants) ValuesForFields ¶ added in v0.2.0
func (c *CommandStepWithInvariants) ValuesForFields(fields []string) (map[string]any, error)
ValuesForFields returns the contents of fields to sign.
type Option ¶ added in v0.10.0
type Option interface {
// contains filtered or unexported methods
}
func WithDebugSigning ¶ added in v0.10.0
func WithLogger ¶ added in v0.10.0
type SignedFielder ¶
type SignedFielder interface { // SignedFields returns the default set of fields to sign, and their values. // This is called by Sign. SignedFields() (map[string]any, error) // ValuesForFields looks up each field and produces a map of values. This is // called by Verify. The set of fields might differ from the default, e.g. // when verifying older signatures computed with fewer fields or deprecated // field names. signedFielder implementations should reject requests for // values if "mandatory" fields are missing (e.g. signing a command step // should always sign the command). ValuesForFields([]string) (map[string]any, error) }
SignedFielder describes types that can be signed and have signatures verified. Converting non-string fields into strings (in a stable, canonical way) is an exercise left to the implementer.