client

package

v0.11.3 Latest Latest Go to latest Published: Feb 17, 2026 License: AGPL-3.0 Imports: 14 Imported by: 1

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/tinfoilsh/verifier

Links

Open Source Insights

Documentation ¶

Rendered for

Index ¶

Variables
func FetchAndVerifyFromURLJSON(attestationBundleURL, repo string, sigstoreTrustedRootJSON []byte) (string, error)
func FetchAndVerifyJSON(repo string, sigstoreTrustedRootJSON []byte) (string, error)
func VerifyFromBundleJSON(bundleJSON []byte, repo string, sigstoreTrustedRootJSON []byte) (string, error)
func VerifyJSON(enclave, repo string, sigstoreTrustedRootJSON []byte) (string, error)
type GroundTruth
type Response
type SecureClient
type TLSBoundRoundTripper
- func (t *TLSBoundRoundTripper) RoundTrip(r *http.Request) (*http.Response, error)

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	ErrNoTLS              = errors.New("no TLS connection")
	ErrCertMismatch       = errors.New("certificate fingerprint mismatch")
	ErrNoValidCertificate = errors.New("no valid certificate")
)

Functions ¶

func FetchAndVerifyFromURLJSON ¶ added in v0.11.1

func FetchAndVerifyFromURLJSON(attestationBundleURL, repo string, sigstoreTrustedRootJSON []byte) (string, error)

FetchAndVerifyFromURLJSON fetches an attestation bundle from a custom URL and verifies it. If attestationBundleURL is empty, defaults to the Tinfoil bundle endpoint. Returns the verification data as a JSON string.

func FetchAndVerifyJSON ¶ added in v0.11.1

func FetchAndVerifyJSON(repo string, sigstoreTrustedRootJSON []byte) (string, error)

FetchAndVerifyJSON fetches an attestation bundle from the default endpoint and verifies it. Returns the verification data as a JSON string.

func VerifyFromBundleJSON ¶ added in v0.10.20

func VerifyFromBundleJSON(bundleJSON []byte, repo string, sigstoreTrustedRootJSON []byte) (string, error)

VerifyFromBundleJSON verifies using a pre-fetched attestation bundle and returns the verification data as a JSON string

func VerifyJSON ¶ added in v0.10.2

func VerifyJSON(enclave, repo string, sigstoreTrustedRootJSON []byte) (string, error)

VerifyJSON verifies an enclave against a repo and returns the verification data as a JSON string

Types ¶

type GroundTruth ¶ added in v0.0.17

type GroundTruth struct {
	EnclaveHost         string                           `json:"enclave_host,omitempty"`
	TLSPublicKey        string                           `json:"tls_public_key,omitempty"`
	HPKEPublicKey       string                           `json:"hpke_public_key,omitempty"`
	Digest              string                           `json:"digest"`
	CodeMeasurement     *attestation.Measurement         `json:"code_measurement"`
	EnclaveMeasurement  *attestation.Measurement         `json:"enclave_measurement"`
	HardwareMeasurement *attestation.HardwareMeasurement `json:"hardware_measurement,omitempty"`
	CodeFingerprint     string                           `json:"code_fingerprint"`
	EnclaveFingerprint  string                           `json:"enclave_fingerprint"`
}

GroundTruth represents the "known good" verified of the enclave

type Response ¶

type Response struct {
	Status     string
	StatusCode int
	Body       []byte
}

type SecureClient ¶

type SecureClient struct {
	// contains filtered or unexported fields
}

func NewDefaultClient ¶ added in v0.10.0

func NewDefaultClient() (*SecureClient, error)

NewDefaultSecureClient creates a new secure client with fallback mechanism. It tries to fetch routers from the router service, attempts to verify each one, and falls back to inference.tinfoil.sh if all routers fail.

func NewPinnedSecureClient ¶ added in v0.1.18

func NewPinnedSecureClient(enclave string, codeMeasurement *attestation.Measurement, hardwareMeasurements []*attestation.HardwareMeasurement) *SecureClient

NewPinnedSecureClient creates a new secure client with a given enclave and fixed measurements

func NewSecureClient ¶

func NewSecureClient(enclave, repo string) *SecureClient

NewSecureClient creates a new secure client with a given repo and enclave

func (*SecureClient) Enclave ¶ added in v0.1.16

func (s *SecureClient) Enclave() string

Enclave returns the enclave URL

func (*SecureClient) Get ¶

func (s *SecureClient) Get(url string, headers map[string]string) (*Response, error)

Get makes an HTTP GET request

func (*SecureClient) GroundTruth ¶ added in v0.0.17

func (s *SecureClient) GroundTruth() *GroundTruth

GroundTruth returns the last verified enclave state

func (*SecureClient) GroundTruthJSON ¶ added in v0.1.17

func (s *SecureClient) GroundTruthJSON() (string, error)

GroundTruthJSON returns the ground truth as a JSON string

func (*SecureClient) HTTPClient ¶

func (s *SecureClient) HTTPClient() (*http.Client, error)

HTTPClient returns an HTTP client that only accepts TLS connections to the verified enclave

func (*SecureClient) Post ¶

func (s *SecureClient) Post(url string, headers map[string]string, body []byte) (*Response, error)

Post makes an HTTP POST request

func (*SecureClient) Repo ¶ added in v0.1.16

func (s *SecureClient) Repo() string

Repo returns the repository URL

func (*SecureClient) Verify ¶

func (s *SecureClient) Verify() (*GroundTruth, error)

Verify fetches the latest verification information from GitHub and Sigstore and stores the ground truth results in the client

func (*SecureClient) VerifyFromBundle ¶ added in v0.10.20

func (s *SecureClient) VerifyFromBundle(bundle *attestation.Bundle) (*GroundTruth, error)

VerifyFromBundle verifies using a pre-fetched attestation bundle (single-request verification)

type TLSBoundRoundTripper ¶

type TLSBoundRoundTripper struct {
	ExpectedPublicKey string
}

func (*TLSBoundRoundTripper) RoundTrip ¶

func (t *TLSBoundRoundTripper) RoundTrip(r *http.Request) (*http.Response, error)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL