verifier

package

v0.0.0-...-fe83a95 Latest Latest Go to latest Published: Sep 12, 2024 License: Apache-2.0 Imports: 17 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/google/oss-rebuild

Links

Open Source Insights

Documentation ¶

Overview ¶

Package verifier provides a library for verifying and attesting to a rebuild.

Index ¶

Constants
func CreateAttestations(ctx context.Context, input rebuild.Input, finalStrategy rebuild.Strategy, ...) (equivalence, build *in_toto.ProvenanceStatementSLSA1, err error)
type ArtifactSummary
- func SummarizeArtifacts(ctx context.Context, metadata rebuild.LocatableAssetStore, t rebuild.Target, ...) (rb, up ArtifactSummary, err error)
type Attestor
- func (a Attestor) BundleExists(ctx context.Context, t rebuild.Target) (bool, error)
- func (a Attestor) PublishBundle(ctx context.Context, t rebuild.Target, ...) error
type InTotoEnvelopeSigner
- func (signer *InTotoEnvelopeSigner) SignStatement(ctx context.Context, s *in_toto.ProvenanceStatementSLSA1) (*dsse.Envelope, error)

Constants ¶

View Source

const (
	// RebuildBuildType is the SLSA build type used for rebuild attestations.
	RebuildBuildType = "https://docs.oss-rebuild.dev/builds/Rebuild@v0.1"
	// ArtifactEquivalenceBuildType is the SLSA build type used for artifact equivalence attestations.
	ArtifactEquivalenceBuildType = "https://docs.oss-rebuild.dev/builds/ArtifactEquivalence@v0.1"
)

Variables ¶

This section is empty.

Functions ¶

func CreateAttestations ¶

func CreateAttestations(ctx context.Context, input rebuild.Input, finalStrategy rebuild.Strategy, id string, rb, up ArtifactSummary, metadata rebuild.AssetStore, buildDef rebuild.Location) (equivalence, build *in_toto.ProvenanceStatementSLSA1, err error)

CreateAttestations creates the SLSA attestations associated with a rebuild.

Types ¶

type ArtifactSummary ¶

type ArtifactSummary struct {
	URI           string
	Hash          hashext.MultiHash
	CanonicalHash hashext.MultiHash
}

ArtifactSummary is a summary of an artifact for the purposes of verification.

func SummarizeArtifacts ¶

func SummarizeArtifacts(ctx context.Context, metadata rebuild.LocatableAssetStore, t rebuild.Target, upstreamURI string, hashes []crypto.Hash) (rb, up ArtifactSummary, err error)

SummarizeArtifacts fetches and summarizes the rebuild and upstream artifacts.

type Attestor ¶

type Attestor struct {
	Store          rebuild.AssetStore
	Signer         InTotoEnvelopeSigner
	AllowOverwrite bool
}

Attestor is a verifier that signs and publishes attestation bundles.

func (Attestor) BundleExists ¶

func (a Attestor) BundleExists(ctx context.Context, t rebuild.Target) (bool, error)

BundleExists returns whether an existing attestation bundle exists.

func (Attestor) PublishBundle ¶

func (a Attestor) PublishBundle(ctx context.Context, t rebuild.Target, stmts ...*in_toto.ProvenanceStatementSLSA1) error

PublishBundle signs and publishes an attestation bundle.

type InTotoEnvelopeSigner ¶

type InTotoEnvelopeSigner struct {
	*dsse.EnvelopeSigner
}

InTotoEnvelopeSigner is a wrapper around dsse.EnvelopeSigner that implements a higher-level signing operation for In Toto resources.

func (*InTotoEnvelopeSigner) SignStatement ¶

func (signer *InTotoEnvelopeSigner) SignStatement(ctx context.Context, s *in_toto.ProvenanceStatementSLSA1) (*dsse.Envelope, error)

SignStatement produces a DSSE Envelope for the provided ProvenanceStatement.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL