Overview
Package verify provides verification workflows for evidence packs.
This package orchestrates the full pack verification process, combining:
- Artifact integrity verification (from pack package)
- Pack digest verification (from pack package)
- Attestation signature verification (from pack/verify package)
- Embedded attestation verification (from pack package)
The package exists separately from pack/verify to avoid import cycles, as it needs to use both pack.Pack methods and pack/verify types.
Security Boundary
This package is part of Layer 2 (Verification) and MUST NOT import:
- internal/component (execution configuration)
- internal/collector (collector execution)
- internal/tool (tool execution)
- internal/dispatch (tool dispatch)
- internal/catalog (discovery layer)
- internal/cli (presentation layer)
Pack verification must remain independent of the execution layer. A pack can be verified with only the pack file and verification options. This boundary is enforced by import_guard_test.go.
Variables

var ErrNoIdentityPolicy = fmt.Errorf(
	"no identity policy specified: use Issuer/Subject to verify signer identity, " +
		"or InsecureSkipIdentityCheck to accept any valid signature (INSECURE)")
ErrNoIdentityPolicy is returned when attestation verification is attempted without an identity policy and InsecureSkipIdentityCheck is not set.
Functions

func ValidateIdentityPolicy

ValidateIdentityPolicy checks that an identity policy is specified or that identity checking has been explicitly skipped.

SECURITY: Attestation verification without identity constraints means "any valid Sigstore signature is accepted": an attacker could sign a malicious pack with their own key and it would verify. Callers must either specify identity constraints (Issuer/Subject, literal or regexp) or explicitly opt out with InsecureSkipIdentityCheck.
Types

type PackOpts

type PackOpts struct {
	// Identity policy for attestation verification
	Issuer        string
	IssuerRegexp  string
	Subject       string
	SubjectRegexp string

	// TrustRootPath pins a specific Sigstore trust root instead of fetching from TUF.
	TrustRootPath string

	// Offline skips transparency log verification.
	Offline bool

	// IntegrityOnly skips attestation verification, only checking digests.
	IntegrityOnly bool

	// RequireAttestation fails if no attestations are present.
	RequireAttestation bool

	// InsecureSkipIdentityCheck accepts any valid signer without identity verification.
	InsecureSkipIdentityCheck bool

	// InsecureSkipEmbeddedVerify skips verification of embedded attestations in merged packs.
	InsecureSkipEmbeddedVerify bool
}
PackOpts configures pack verification workflow.
type PackResult

type PackResult struct {
	// Verified is true if all checks passed.
	Verified bool

	// Manifest metadata
	Stream     string
	PackDigest string

	// Counts
	ArtifactCount    int
	AttestationCount int

	// Errors from each verification step
	ArtifactErrors    []string
	PackDigestError   string
	AttestationErrors []string
	EmbeddedErrors    []string
}
PackResult contains the outcomes of pack verification.
func Pack
Pack runs the full verification pipeline on a pack.
The verification steps are:
- Artifact integrity - verify all embedded artifact digests
- Pack digest - verify the canonical pack digest
- Attestation verification - verify signatures and identity (unless IntegrityOnly)
- Embedded attestation verification - for merged packs (unless InsecureSkipEmbeddedVerify)
func (*PackResult) HasErrors
func (r *PackResult) HasErrors() bool
HasErrors returns true if any verification step failed.
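The following is an added example, not the package's own code, showing how the fail-closed identity-policy rule from ValidateIdentityPolicy and the HasErrors check on PackResult fit together. The page documents the types, the sentinel error and the behaviour in prose but not the function bodies, so the signature `ValidateIdentityPolicy(PackOpts) error`, the body of HasErrors, and the `Finalize` helper that composes them with RequireAttestation and IntegrityOnly are assumptions; the issuer URL and result values in main are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNoIdentityPolicy reproduces the sentinel documented on this page so
// callers can test for it with errors.Is.
var ErrNoIdentityPolicy = fmt.Errorf(
	"no identity policy specified: use Issuer/Subject to verify signer identity, " +
		"or InsecureSkipIdentityCheck to accept any valid signature (INSECURE)")

// PackOpts carries the option fields listed on this page.
type PackOpts struct {
	Issuer, IssuerRegexp, Subject, SubjectRegexp string
	TrustRootPath                                string
	Offline                                      bool
	IntegrityOnly                                bool
	RequireAttestation                           bool
	InsecureSkipIdentityCheck                    bool
	InsecureSkipEmbeddedVerify                   bool
}

// HasIdentityPolicy reports whether any identity constraint is set
// (assumed helper; the page only documents ValidateIdentityPolicy).
func (o PackOpts) HasIdentityPolicy() bool {
	return o.Issuer != "" || o.IssuerRegexp != "" ||
		o.Subject != "" || o.SubjectRegexp != ""
}

// ValidateIdentityPolicy is fail-closed: nil only when the caller names who
// may sign, or explicitly opts out. Signature assumed; the page omits it.
func ValidateIdentityPolicy(o PackOpts) error {
	if o.HasIdentityPolicy() || o.InsecureSkipIdentityCheck {
		return nil
	}
	return ErrNoIdentityPolicy
}

// PackResult mirrors the result type on this page.
type PackResult struct {
	Verified          bool
	Stream            string
	PackDigest        string
	ArtifactCount     int
	AttestationCount  int
	ArtifactErrors    []string
	PackDigestError   string
	AttestationErrors []string
	EmbeddedErrors    []string
}

// HasErrors is true when any verification step recorded a failure (assumed body).
func (r *PackResult) HasErrors() bool {
	return len(r.ArtifactErrors) > 0 || r.PackDigestError != "" ||
		len(r.AttestationErrors) > 0 || len(r.EmbeddedErrors) > 0
}

// Finalize applies the option-driven rules the page states to a result whose
// digest checks have already run, then derives Verified. Identity policy is
// only enforced when attestation verification actually happens (not
// IntegrityOnly); the page does not say whether IntegrityOnly waives
// RequireAttestation, so this example keeps that check independent.
// The composition itself is an assumption about how Pack uses these pieces.
func Finalize(o PackOpts, r *PackResult) *PackResult {
	if !o.IntegrityOnly {
		if err := ValidateIdentityPolicy(o); err != nil {
			r.AttestationErrors = append(r.AttestationErrors, err.Error())
		}
	}
	if o.RequireAttestation && r.AttestationCount == 0 {
		r.AttestationErrors = append(r.AttestationErrors, "no attestations present")
	}
	r.Verified = !r.HasErrors()
	return r
}

func main() {
	issuer := "https://token.actions.githubusercontent.com" // constructed sample
	cases := []struct {
		name string
		opts PackOpts
	}{
		{"no policy", PackOpts{}},
		{"integrity only", PackOpts{IntegrityOnly: true}},
		{"issuer pinned", PackOpts{Issuer: issuer}},
		{"issuer + require", PackOpts{Issuer: issuer, RequireAttestation: true}},
		{"explicit opt-out", PackOpts{InsecureSkipIdentityCheck: true}},
	}
	for _, c := range cases {
		// Constructed sample result: digests clean, no attestations in the pack.
		r := Finalize(c.opts, &PackResult{Stream: "sample", PackDigest: "sha256:<placeholder>", ArtifactCount: 2})
		fmt.Printf("%-17s verified=%-5v errors=%v\n", c.name, r.Verified, r.AttestationErrors)
	}
	fmt.Println("bare options rejected:", errors.Is(ValidateIdentityPolicy(PackOpts{}), ErrNoIdentityPolicy))
}
```

The point a reviewer should check in any real caller is that an empty PackOpts fails closed: the only ways to get a verified result without naming a signer are IntegrityOnly (which never attempts attestation verification) or the explicitly INSECURE opt-out, both of which are visible in the options rather than silent defaults.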