cosign

package
Published: Mar 3, 2022 License: Apache-2.0 Imports: 54 Imported by: 56

Constants

// Tag suffixes that distinguish the kinds of artifacts cosign attaches to an
// image: a signature, an SBOM, or an attestation.
const (
	SignatureTagSuffix   = ".sig"
	SBOMTagSuffix        = ".sbom"
	AttestationTagSuffix = ".att"
)
// String identifiers for the three artifact kinds, matching the tag suffixes
// SignatureTagSuffix, SBOMTagSuffix and AttestationTagSuffix.
const (
	Signature   = "signature"
	SBOM        = "sbom"
	Attestation = "attestation"
)
// PEM block types accepted for private keys, plus the annotation key used for
// Rekor bundles. BundleKey aliases static.BundleAnnotationKey; its exact use is
// defined in that package, not here.
const (
	// PEM-encoded cosign private key; the type name indicates the key material
	// is stored encrypted (see LoadPrivateKey, which takes a passphrase).
	CosignPrivateKeyPemType = "ENCRYPTED COSIGN PRIVATE KEY"
	// PEM-encoded PKCS #1 RSA private key
	RSAPrivateKeyPemType = "RSA PRIVATE KEY"
	// PEM-encoded ECDSA private key
	ECPrivateKeyPemType = "EC PRIVATE KEY"
	// PEM-encoded PKCS #8 RSA, ECDSA or ED25519 private key
	PrivateKeyPemType = "PRIVATE KEY"
	BundleKey         = static.BundleAnnotationKey
)

Variables

This section is empty.

Functions

func CheckExpiry added in v1.5.0

func CheckExpiry(cert *x509.Certificate, it time.Time) error

CheckExpiry confirms that the provided time falls within the certificate's validity period.

func FileExists added in v1.5.0

func FileExists(filename string) bool

TODO need to centralize this logic

func FindTLogEntriesByPayload added in v1.3.1

func FindTLogEntriesByPayload(ctx context.Context, rekorClient *client.Rekor, payload []byte) (uuids []string, err error)

func FindTlogEntry

func FindTlogEntry(ctx context.Context, rekorClient *client.Rekor, b64Sig string, payload, pubKey []byte) (uuid string, index int64, err error)

func GeneratePrivateKey

func GeneratePrivateKey() (*ecdsa.PrivateKey, error)

func GetPassFromTerm added in v1.5.0

func GetPassFromTerm(confirm bool) ([]byte, error)

func GetTlogEntry added in v1.3.1

func GetTlogEntry(ctx context.Context, rekorClient *client.Rekor, uuid string) (*models.LogEntryAnon, error)

func IntotoSubjectClaimVerifier added in v1.0.0

func IntotoSubjectClaimVerifier(sig oci.Signature, imageDigest v1.Hash, _ map[string]interface{}) error

IntotoSubjectClaimVerifier verifies that sig.Payload() is an in-toto statement which references the given image digest.

func IsTerminal added in v1.5.0

func IsTerminal() bool

func LoadPrivateKey

func LoadPrivateKey(key []byte, pass []byte) (signature.SignerVerifier, error)

func PemToECDSAKey added in v0.4.0

func PemToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error)

func SimpleClaimVerifier added in v1.0.0

func SimpleClaimVerifier(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error

SimpleClaimVerifier verifies that sig.Payload() is a SimpleContainerImage payload which references the given image digest and contains the given annotations.

func TLogUpload added in v1.0.1

func TLogUpload(ctx context.Context, rekorClient *client.Rekor, signature, payload []byte, pemBytes []byte) (*models.LogEntryAnon, error)

TLogUpload will upload the signature, public key and payload to the transparency log.

func TLogUploadInTotoAttestation added in v1.0.1

func TLogUploadInTotoAttestation(ctx context.Context, rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error)

TLogUploadInTotoAttestation will upload an in-toto entry for the signature and public key to the transparency log.

func TrustedCert

func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error

func ValidateAndUnpackCert added in v1.5.0

func ValidateAndUnpackCert(cert *x509.Certificate, co *CheckOpts) (signature.Verifier, error)

ValidateAndUnpackCert creates a Verifier from a certificate. Verifies that the certificate chains up to a trusted root. Optionally verifies the subject of the certificate.

func VerifyBundle added in v1.3.0

func VerifyBundle(ctx context.Context, sig oci.Signature) (bool, error)

func VerifyImageAttestations added in v1.3.1

func VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)

VerifyImageAttestations does all the main cosign checks in a loop, returning the verified attestations. If there were no valid attestations, we return an error.

func VerifyImageSignature added in v1.5.0

func VerifyImageSignature(ctx context.Context, sig oci.Signature, h v1.Hash, co *CheckOpts) (bundleVerified bool, err error)

VerifyImageSignature verifies a single signature sig against the image digest h using the options in co.

func VerifyImageSignatures added in v1.3.1

func VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)

VerifyImageSignatures does all the main cosign checks in a loop, returning the verified signatures. If there were no valid signatures, we return an error.

func VerifyLocalImageAttestations added in v1.4.1

func VerifyLocalImageAttestations(ctx context.Context, path string, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)

VerifyLocalImageAttestations verifies attestations from a saved, local image, without any network calls, returning the verified attestations. If there were no valid attestations, we return an error.

func VerifyLocalImageSignatures added in v1.4.1

func VerifyLocalImageSignatures(ctx context.Context, path string, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)

VerifyLocalImageSignatures verifies signatures from a saved, local image, without any network calls, returning the verified signatures. If there were no valid signatures, we return an error.

func VerifySET added in v0.6.0

func VerifySET(bundlePayload cbundle.RekorPayload, signature []byte, pub *ecdsa.PublicKey) error

Types

type AttestationPayload added in v1.5.0

// AttestationPayload is the JSON form of an attestation as returned by
// FetchAttestationsForReference. The field name PayLoad (capital L) is part
// of the exported API; only its JSON key is the conventional "payload".
type AttestationPayload struct {
	PayloadType string       `json:"payloadType"` // serialized as "payloadType"
	PayLoad     string       `json:"payload"`     // serialized as "payload"; encoding of the contents is not stated here
	Signatures  []Signatures `json:"signatures"`  // one Signatures entry per signing key
}

func FetchAttestationsForReference added in v1.5.0

func FetchAttestationsForReference(ctx context.Context, ref name.Reference, opts ...ociremote.Option) ([]AttestationPayload, error)

type CheckOpts

type CheckOpts struct {
	// RegistryClientOpts are the options for interacting with the container registry.
	RegistryClientOpts []ociremote.Option

	// Annotations optionally specifies image signature annotations to verify.
	Annotations map[string]interface{}
	// ClaimVerifier, if provided, verifies claims present in the oci.Signature.
	// SimpleClaimVerifier and IntotoSubjectClaimVerifier in this package match this signature.
	ClaimVerifier func(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error

	// RekorClient, if set, is used to verify signatures and public keys against the transparency log.
	RekorClient *client.Rekor

	// SigVerifier is used to verify signatures.
	SigVerifier signature.Verifier
	// PKOpts are the options provided to `SigVerifier.PublicKey()`.
	PKOpts []signature.PublicKeyOption

	// RootCerts are the root CA certs used to verify a signature's chained certificate.
	RootCerts *x509.CertPool
	// CertEmail is the email expected for a certificate to be valid. The empty string
	// disables this check, so any certificate that chains to RootCerts can be valid.
	CertEmail string
	// CertOidcIssuer is the OIDC issuer expected for a certificate to be valid. The empty
	// string disables this check, so any certificate that chains to RootCerts can be valid.
	CertOidcIssuer string

	// SignatureRef is the reference to the signature file.
	SignatureRef string
}

CheckOpts are the options for checking signatures.

type Keys

// Keys is a key pair whose fields are not shown in this listing (unexported or
// filtered); see KeysBytes for the serialized form returned by GenerateKeyPair
// and ImportKeyPair.
type Keys struct {
	// contains filtered or unexported fields
}

type KeysBytes added in v1.5.0

// KeysBytes is the serialized form of a key pair, returned by GenerateKeyPair
// and ImportKeyPair. Both take a PassFunc, and *KeysBytes has a Password()
// method returning []byte.
// NOTE(review): given Password(), the passphrase appears to be retained in the
// unexported fields — confirm before logging, serializing or long-term caching
// a KeysBytes value.
type KeysBytes struct {
	PrivateBytes []byte // private key material; whether it is encrypted is not stated here
	PublicBytes  []byte // public key material
	// contains filtered or unexported fields
}

func GenerateKeyPair

func GenerateKeyPair(pf PassFunc) (*KeysBytes, error)

func ImportKeyPair added in v1.5.0

func ImportKeyPair(keyPath string, pf PassFunc) (*KeysBytes, error)

func (*KeysBytes) Password added in v1.5.0

func (k *KeysBytes) Password() []byte

type LocalSignedPayload added in v1.5.0

// LocalSignedPayload is the JSON form of a signature read from a local file
// (see FetchLocalSignedPayloadFromPath). Cert and Bundle are omitted from the
// JSON when empty.
type LocalSignedPayload struct {
	Base64Signature string              `json:"base64Signature"`        // serialized as "base64Signature"
	Cert            string              `json:"cert,omitempty"`         // serialized as "cert"; optional
	Bundle          *bundle.RekorBundle `json:"rekorBundle,omitempty"`  // serialized as "rekorBundle"; optional
}

func FetchLocalSignedPayloadFromPath added in v1.5.0

func FetchLocalSignedPayloadFromPath(path string) (*LocalSignedPayload, error)

FetchLocalSignedPayloadFromPath fetches a local signed payload from a path to a file

type PassFunc

// The bool argument matches GetPassFromTerm's confirm parameter; it presumably
// selects whether the passphrase is prompted for twice — verify at the call site.
type PassFunc func(bool) ([]byte, error)

PassFunc is the function to be called to retrieve the signer password. If nil, then it assumes that no password is provided.

type RekorPubKey added in v1.6.0

type RekorPubKey struct {
	PubKey *ecdsa.PublicKey // ECDSA verification key for Rekor entries
	Status tuf.StatusKind   // key status from TUF metadata (active or expired)
}

RekorPubKey contains the ECDSA verification key and the current status of the key according to TUF metadata, whether it's active or expired.

func GetRekorPubs added in v1.6.0

func GetRekorPubs(ctx context.Context) ([]RekorPubKey, error)

GetRekorPubs retrieves trusted Rekor public keys from the embedded or cached TUF root. If expired, makes a network call to retrieve the updated targets.

type Signatures added in v1.5.0

// Signatures is one entry of AttestationPayload.Signatures: a key identifier
// and the signature made with that key.
type Signatures struct {
	KeyID string `json:"keyid"` // serialized as "keyid"
	Sig   string `json:"sig"`   // serialized as "sig"; encoding is not stated here
}

type SignedPayload

// SignedPayload is a signature fetched from a registry by
// FetchSignaturesForReference, together with the payload it covers.
type SignedPayload struct {
	Base64Signature string              // the signature, base64-encoded
	Payload         []byte              // the signed payload
	Cert            *x509.Certificate   // signing certificate; presumably nil when the signature has none — confirm
	Chain           []*x509.Certificate // intermediate chain for Cert; presumably empty when Cert is nil — confirm
	Bundle          *bundle.RekorBundle // Rekor bundle; presumably nil when the signature was not uploaded to Rekor — confirm
}

func FetchSignaturesForReference added in v1.2.1

func FetchSignaturesForReference(ctx context.Context, ref name.Reference, opts ...ociremote.Option) ([]SignedPayload, error)

Directories

Path Synopsis
git
