Documentation
Overview
Package verifier provides a library for verifying and attesting to a rebuild.
Constants
const (
	// RebuildBuildType is the SLSA build type used for rebuild attestations.
	RebuildBuildType = "https://docs.oss-rebuild.dev/builds/Rebuild@v0.1"
	// ArtifactEquivalenceBuildType is the SLSA build type used for artifact equivalence attestations.
	ArtifactEquivalenceBuildType = "https://docs.oss-rebuild.dev/builds/ArtifactEquivalence@v0.1"
)
Variables
This section is empty.
Functions
func CreateAttestations
func CreateAttestations(ctx context.Context, input rebuild.Input, finalStrategy rebuild.Strategy, id string, rb, up ArtifactSummary, metadata rebuild.AssetStore, buildDef rebuild.Location) (equivalence, build *in_toto.ProvenanceStatementSLSA1, err error)
CreateAttestations creates the SLSA attestations associated with a rebuild.
Types
type ArtifactSummary
ArtifactSummary is a summary of an artifact for the purposes of verification.
func SummarizeArtifacts
func SummarizeArtifacts(ctx context.Context, metadata rebuild.LocatableAssetStore, t rebuild.Target, upstreamURI string, hashes []crypto.Hash) (rb, up ArtifactSummary, err error)
SummarizeArtifacts fetches and summarizes the rebuild and upstream artifacts.
type Attestor
type Attestor struct {
	Store          rebuild.AssetStore
	Signer         InTotoEnvelopeSigner
	AllowOverwrite bool
}
Attestor is a verifier that signs and publishes attestation bundles.
func (Attestor) BundleExists
BundleExists returns whether an existing attestation bundle exists.
func (Attestor) PublishBundle
func (a Attestor) PublishBundle(ctx context.Context, t rebuild.Target, stmts ...*in_toto.ProvenanceStatementSLSA1) error
PublishBundle signs and publishes an attestation bundle.
type InTotoEnvelopeSigner
type InTotoEnvelopeSigner struct {
*dsse.EnvelopeSigner
}
InTotoEnvelopeSigner is a wrapper around dsse.EnvelopeSigner that implements a higher-level signing operation for In Toto resources.
func (*InTotoEnvelopeSigner) SignStatement
func (signer *InTotoEnvelopeSigner) SignStatement(ctx context.Context, s *in_toto.ProvenanceStatementSLSA1) (*dsse.Envelope, error)
SignStatement produces a DSSE Envelope for the provided ProvenanceStatement.
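A consumer of the DSSE envelopes that SignStatement produces can use the two build type constants to tell a rebuild attestation from an artifact equivalence attestation. The following is an added example, not code from this package or the oss-rebuild project: ClassifyEnvelope, sampleEnvelope and kinds are hypothetical names, and the payload type application/vnd.in-toto+json and predicate type https://slsa.dev/provenance/v1 are assumed from the in-toto and SLSA v1 specifications rather than stated on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Build type values copied from this package's constants, mapped to short labels.
const (
	RebuildBuildType             = "https://docs.oss-rebuild.dev/builds/Rebuild@v0.1"
	ArtifactEquivalenceBuildType = "https://docs.oss-rebuild.dev/builds/ArtifactEquivalence@v0.1"
)
var kinds = map[string]string{RebuildBuildType: "rebuild", ArtifactEquivalenceBuildType: "equivalence"}

type envelope struct { // only the DSSE envelope fields this check reads
	PayloadType string `json:"payloadType"`
	Payload     []byte `json:"payload"` // encoding/json base64-decodes []byte fields
}
type statement struct { // only the in-toto statement fields this check reads
	PredicateType string `json:"predicateType"`
	Predicate     struct {
		BuildDefinition struct{ BuildType string `json:"buildType"` } `json:"buildDefinition"`
	} `json:"predicate"`
}

// ClassifyEnvelope (hypothetical helper) names the attestation kind; it does not verify signatures.
func ClassifyEnvelope(raw []byte) (string, error) {
	var env, st = envelope{}, statement{}
	if json.Unmarshal(raw, &env) != nil || json.Unmarshal(env.Payload, &st) != nil {
		return "", fmt.Errorf("malformed envelope or statement")
	}
	if env.PayloadType != "application/vnd.in-toto+json" || st.PredicateType != "https://slsa.dev/provenance/v1" {
		return "", fmt.Errorf("not SLSA v1 provenance: %q, %q", env.PayloadType, st.PredicateType)
	}
	if kind, ok := kinds[st.Predicate.BuildDefinition.BuildType]; ok {
		return kind, nil
	}
	return "", fmt.Errorf("unrecognized buildType %q", st.Predicate.BuildDefinition.BuildType)
}

// sampleEnvelope builds a constructed, unsigned envelope for demonstration only.
func sampleEnvelope(buildType string) []byte {
	st := fmt.Sprintf(`{"predicateType":"https://slsa.dev/provenance/v1","predicate":{"buildDefinition":{"buildType":%q}}}`, buildType)
	out, _ := json.Marshal(envelope{"application/vnd.in-toto+json", []byte(st)})
	return out
}
func main() {
	fmt.Println(ClassifyEnvelope(sampleEnvelope(RebuildBuildType)))
}
```

Run this check only on envelopes whose signatures have already been verified against a trusted key, since the build type is attacker-controlled data until then.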