cosign

package

v0.42.0 Latest Latest Go to latest Published: Jul 10, 2021 License: Apache-2.0 Imports: 43 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/syncom/cosign

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func AttachedImageTag(repo name.Repository, imgDesc *remote.Descriptor, suffix string) name.Tag
func CertToPem(c *x509.Certificate) []byte
func DestinationRef(ref name.Reference, img *remote.Descriptor) (name.Reference, error)
func FindTlogEntry(rekorClient *client.Rekor, b64Sig string, payload, pubKey []byte) (uuid string, index int64, err error)
func GeneratePrivateKey() (*ecdsa.PrivateKey, error)
func GetAttachedManifestForImage(imgDesc *remote.Descriptor, repo name.Repository, suffix string, ...) (*remote.Descriptor, error)
func KeyToPem(pub crypto.PublicKey) ([]byte, error)
func LoadCerts(pemStr string) ([]*x509.Certificate, error)
func LoadECDSAPrivateKey(key []byte, pass []byte) (signature.ECDSASignerVerifier, error)
func PemToECDSAKey(raw []byte) (*ecdsa.PublicKey, error)
func PublicKeyPem(ctx context.Context, key signature.PublicKeyProvider) ([]byte, error)
func SignaturesRef(signed name.Digest) (name.Reference, error)
func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error
func UploadTLog(rekorClient *client.Rekor, signature, payload []byte, pemBytes []byte) (*models.LogEntryAnon, error)
func VerifySET(bundlePayload cremote.BundlePayload, signature []byte, pub *ecdsa.PublicKey) error
func VerifyTLogEntry(rekorClient *client.Rekor, uuid string) (*models.LogEntryAnon, error)
type CheckOpts
type Keys
- func GenerateKeyPair(pf PassFunc) (*Keys, error)
- func (k *Keys) Password() []byte
type PassFunc
type PublicKey
- func LoadPublicKey(ctx context.Context, keyRef string) (pub PublicKey, err error)
type SignedPayload
- func FetchSignaturesForDescriptor(ctx context.Context, signedDescriptor *remote.Descriptor, ...) ([]SignedPayload, error)
- func FetchSignaturesForImage(ctx context.Context, signedImgRef name.Reference, sigRepo name.Repository, ...) ([]SignedPayload, error)
- func Verify(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) ([]SignedPayload, error)
- func (sp *SignedPayload) TrustedCert(roots *x509.CertPool) error
- func (sp *SignedPayload) VerifyBundle() (bool, error)
- func (sp *SignedPayload) VerifyClaims(d *v1.Descriptor, ss *payload.SimpleContainerImage) error
- func (sp *SignedPayload) VerifySignature(verifier signature.Verifier, verifyOpts ...signature.VerifyOption) error
- func (sp *SignedPayload) VerifyTlog(rc *client.Rekor, publicKeyPem []byte) (uuid string, index int64, err error)

Constants ¶

View Source

const (
	SuffixSignature = ".sig"
	SuffixSBOM      = ".sbom"
)

View Source

const (
	PemType = "ENCRYPTED COSIGN PRIVATE KEY"

	BundleKey = "dev.sigstore.cosign/bundle"
)

Variables ¶

This section is empty.

Functions ¶

func AttachedImageTag ¶

func AttachedImageTag(repo name.Repository, imgDesc *remote.Descriptor, suffix string) name.Tag

func CertToPem ¶

func CertToPem(c *x509.Certificate) []byte

func DestinationRef ¶ added in v0.42.0

func DestinationRef(ref name.Reference, img *remote.Descriptor) (name.Reference, error)

func FindTlogEntry ¶

func FindTlogEntry(rekorClient *client.Rekor, b64Sig string, payload, pubKey []byte) (uuid string, index int64, err error)

func GeneratePrivateKey ¶

func GeneratePrivateKey() (*ecdsa.PrivateKey, error)

func GetAttachedManifestForImage ¶

func GetAttachedManifestForImage(imgDesc *remote.Descriptor, repo name.Repository, suffix string, opts ...remote.Option) (*remote.Descriptor, error)

func KeyToPem ¶

func KeyToPem(pub crypto.PublicKey) ([]byte, error)

func LoadCerts ¶

func LoadCerts(pemStr string) ([]*x509.Certificate, error)

func LoadECDSAPrivateKey ¶

func LoadECDSAPrivateKey(key []byte, pass []byte) (signature.ECDSASignerVerifier, error)

func PemToECDSAKey ¶

func PemToECDSAKey(raw []byte) (*ecdsa.PublicKey, error)

func PublicKeyPem ¶

func PublicKeyPem(ctx context.Context, key signature.PublicKeyProvider) ([]byte, error)

func SignaturesRef ¶ added in v0.42.0

func SignaturesRef(signed name.Digest) (name.Reference, error)

func TrustedCert ¶

func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error

func UploadTLog ¶

func UploadTLog(rekorClient *client.Rekor, signature, payload []byte, pemBytes []byte) (*models.LogEntryAnon, error)

Upload will upload the signature, public key and payload to the tlog

func VerifySET ¶

func VerifySET(bundlePayload cremote.BundlePayload, signature []byte, pub *ecdsa.PublicKey) error

func VerifyTLogEntry ¶

func VerifyTLogEntry(rekorClient *client.Rekor, uuid string) (*models.LogEntryAnon, error)

Types ¶

type CheckOpts ¶

type CheckOpts struct {
	SignatureRepo      name.Repository
	RegistryClientOpts []remote.Option

	Annotations  map[string]interface{}
	Claims       bool
	VerifyBundle bool

	RekorURL string

	SigVerifier signature.Verifier
	VerifyOpts  []signature.VerifyOption
	PKOpts      []signature.PublicKeyOption

	RootCerts *x509.CertPool
}

CheckOpts are the options for checking

type Keys ¶

type Keys struct {
	PrivateBytes []byte
	PublicBytes  []byte
	// contains filtered or unexported fields
}

func GenerateKeyPair ¶

func GenerateKeyPair(pf PassFunc) (*Keys, error)

func (*Keys) Password ¶

func (k *Keys) Password() []byte

type PassFunc ¶

type PassFunc func(bool) ([]byte, error)

type PublicKey ¶ added in v0.42.0

type PublicKey interface {
	signature.Verifier
	signature.PublicKeyProvider
}

func LoadPublicKey ¶

func LoadPublicKey(ctx context.Context, keyRef string) (pub PublicKey, err error)

type SignedPayload ¶

type SignedPayload struct {
	Base64Signature string
	Payload         []byte
	Cert            *x509.Certificate
	Chain           []*x509.Certificate
	Bundle          *cremote.Bundle
}

func FetchSignaturesForDescriptor ¶

func FetchSignaturesForDescriptor(ctx context.Context, signedDescriptor *remote.Descriptor, sigRepo name.Repository, opts ...remote.Option) ([]SignedPayload, error)

func FetchSignaturesForImage ¶

func FetchSignaturesForImage(ctx context.Context, signedImgRef name.Reference, sigRepo name.Repository, opts ...remote.Option) ([]SignedPayload, error)

func Verify ¶

func Verify(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) ([]SignedPayload, error)

Verify does all the main cosign checks in a loop, returning validated payloads. If there were no payloads, we return an error.

func (*SignedPayload) TrustedCert ¶

func (sp *SignedPayload) TrustedCert(roots *x509.CertPool) error

func (*SignedPayload) VerifyBundle ¶

func (sp *SignedPayload) VerifyBundle() (bool, error)

func (*SignedPayload) VerifyClaims ¶

func (sp *SignedPayload) VerifyClaims(d *v1.Descriptor, ss *payload.SimpleContainerImage) error

func (*SignedPayload) VerifySignature ¶

func (sp *SignedPayload) VerifySignature(verifier signature.Verifier, verifyOpts ...signature.VerifyOption) error

func (*SignedPayload) VerifyTlog ¶

func (sp *SignedPayload) VerifyTlog(rc *client.Rekor, publicKeyPem []byte) (uuid string, index int64, err error)

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
fulcio
kubernetes
pivkey
remote

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL