Documentation
Overview
Package sigstore provides shared utilities for Sigstore verification in CLI commands.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func BuildVerifierOptions
func BuildVerifierOptions(cfg VerifierConfig) ([]verify.Option, error)
BuildVerifierOptions builds a verify.Option slice from the configuration. It returns the options together with any error encountered while setting them up.
func LoadTrustRootOption
LoadTrustRootOption loads a trust root from a file and returns the corresponding option. It returns a nil option (not an error) when no trust root path is specified; the verifier then falls back to fetching the trust root from TUF (see VerifierConfig.TrustRootPath).
SECURITY: This function only accepts explicit paths; it does not read environment variables. Environment variable overrides were removed because they let a hostile CI environment silently redirect trust verification to an attacker-controlled root.
func NewVerifier
func NewVerifier(cfg VerifierConfig) (verify.Verifier, error)
NewVerifier creates a Sigstore verify.Verifier from the configuration. It is a convenience wrapper that calls BuildVerifierOptions and then NewSigstoreVerifier with the resulting options.
Types
type IdentityPolicy
type IdentityPolicy struct {
	Issuer        string
	IssuerRegexp  string
	Subject       string
	SubjectRegexp string
}
IdentityPolicy holds identity verification requirements.
func (*IdentityPolicy) HasPolicy
func (p *IdentityPolicy) HasPolicy() bool
HasPolicy returns true if any identity constraint is specified.
type VerifierConfig
type VerifierConfig struct {
	// TrustRootPath is the path to a trust root JSON file.
	// If empty, falls back to fetching from TUF.
	TrustRootPath string
	// Identity policy for signer verification.
	Identity IdentityPolicy
	// Offline skips transparency log verification.
	Offline bool
	// InsecureSkipIdentityCheck accepts any cryptographically valid signature
	// without verifying the signer's identity, so any identity the trust root
	// accepts will pass.
	InsecureSkipIdentityCheck bool
}
VerifierConfig holds all configuration for building a Sigstore verifier.
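The page documents the shape of IdentityPolicy and VerifierConfig but not how a CLI should guard against a configuration that verifies nothing about the signer, nor how the four identity fields combine at verification time. The following is an added example, not code from this package: it mirrors the two documented types so it compiles stand-alone, and adds three functions that are this example's own assumptions, not documented behaviour of the package. ValidateConfig fails closed (identity constraints or an explicit InsecureSkipIdentityCheck, never both and never neither, with regexps compiled up front). Match treats every non-empty constraint as a requirement that must hold (exact and regexp forms are ANDed). anchored wraps the user's regexp in ^(?:...)$ because Go's regexp.MatchString is unanchored, which is how an e-mail subject pattern ends up accepting a look-alike domain. The issuer URLs and addresses in main are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// IdentityPolicy and VerifierConfig reproduce the field layout documented
// above so the example compiles on its own; they are not the package's types.
type IdentityPolicy struct {
	Issuer        string
	IssuerRegexp  string
	Subject       string
	SubjectRegexp string
}

type VerifierConfig struct {
	TrustRootPath             string
	Identity                  IdentityPolicy
	Offline                   bool
	InsecureSkipIdentityCheck bool
}

// HasPolicy reports whether any identity constraint is set.
func (p *IdentityPolicy) HasPolicy() bool {
	return p.Issuer != "" || p.IssuerRegexp != "" || p.Subject != "" || p.SubjectRegexp != ""
}

// anchored compiles expr so it must match the whole value. Go's
// regexp.MatchString is unanchored, so `[a-z.]+@example\.com` alone would
// also accept "alice@example.com.attacker.test". Anchoring is this
// example's hardening choice, not documented behaviour of the package.
func anchored(expr string) (*regexp.Regexp, error) {
	if expr == "" {
		return nil, nil
	}
	return regexp.Compile(`^(?:` + expr + `)$`)
}

// ValidateConfig fails closed (assumed policy, not the package's): a caller
// must either constrain the signer identity or opt out explicitly with
// InsecureSkipIdentityCheck. Regexps are compiled here so a typo fails at
// startup rather than at verify time.
func ValidateConfig(cfg VerifierConfig) error {
	hasPolicy := cfg.Identity.HasPolicy()
	switch {
	case cfg.InsecureSkipIdentityCheck && hasPolicy:
		return errors.New("identity constraints set together with InsecureSkipIdentityCheck; use one or the other")
	case !cfg.InsecureSkipIdentityCheck && !hasPolicy:
		return errors.New("no identity constraints; set Issuer/Subject (or their Regexp forms) or opt out with InsecureSkipIdentityCheck")
	}
	if _, err := anchored(cfg.Identity.IssuerRegexp); err != nil {
		return fmt.Errorf("IssuerRegexp: %w", err)
	}
	if _, err := anchored(cfg.Identity.SubjectRegexp); err != nil {
		return fmt.Errorf("SubjectRegexp: %w", err)
	}
	return nil
}

// Match checks a signing certificate's OIDC issuer and subject (SAN) against
// the policy. Assumed semantics: every non-empty constraint must hold, so
// exact and regexp forms are ANDed rather than treated as alternatives.
func (p *IdentityPolicy) Match(issuer, subject string) error {
	if p.Issuer != "" && p.Issuer != issuer {
		return fmt.Errorf("issuer %q is not %q", issuer, p.Issuer)
	}
	if p.Subject != "" && p.Subject != subject {
		return fmt.Errorf("subject %q is not %q", subject, p.Subject)
	}
	for _, c := range []struct{ name, expr, actual string }{
		{"issuer", p.IssuerRegexp, issuer},
		{"subject", p.SubjectRegexp, subject},
	} {
		re, err := anchored(c.expr)
		if err != nil {
			return fmt.Errorf("%s regexp: %w", c.name, err)
		}
		if re != nil && !re.MatchString(c.actual) {
			return fmt.Errorf("%s %q does not match %s", c.name, c.actual, c.expr)
		}
	}
	return nil
}

func main() {
	// Constructed sample identities: an e-mail identity issued through
	// Google's OIDC provider, and a look-alike domain an attacker controls.
	const googleIssuer = "https://accounts.google.com"
	policy := IdentityPolicy{Issuer: googleIssuer, SubjectRegexp: `[a-z.]+@example\.com`}
	cfg := VerifierConfig{TrustRootPath: "trusted_root.json", Identity: policy}
	fmt.Println("config:", ValidateConfig(cfg))
	const genuine, lookalike = "alice@example.com", "alice@example.com.attacker.test"
	fmt.Println("genuine:", policy.Match(googleIssuer, genuine))
	fmt.Println("look-alike:", policy.Match(googleIssuer, lookalike))
	fmt.Println("wrong issuer:", policy.Match("https://token.actions.githubusercontent.com", genuine))
	// The same expression, unanchored as regexp.MatchString applies it.
	fmt.Println("unanchored accepts look-alike:", regexp.MustCompile(policy.SubjectRegexp).MatchString(lookalike))
}
```

Two things to carry into a real CLI: run a ValidateConfig-style check before BuildVerifierOptions so the "verify anything" configuration is a hard error rather than a silent default, and, if the underlying library does not anchor regexps for you, either anchor them as above or document that users must write ^...$ themselves.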