signing

package
v0.1.0-dev.20260223223859 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 23, 2026 License: MIT Imports: 30 Imported by: 0

Documentation

Overview

Package signing provides cryptographic signing for receipts. It supports multiple backends (GPG, AWS KMS, GCP KMS, Azure Key Vault) and uses the order specified in .sops.yaml to determine priority.

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrNoKeyAvailable = errors.New("no signing key available")
	ErrWrongMethod    = errors.New("wrong signature method")
)

Common errors.

Functions

func FindSopsConfig 

func FindSopsConfig(dir string) string

FindSopsConfig searches for .sops.yaml starting from dir, walking up.

func VerifyAWSKMS 

func VerifyAWSKMS(data []byte, sig *Signature) error

VerifyAWSKMS verifies an AWS KMS signature.

func VerifyAzureKV 

func VerifyAzureKV(data []byte, sig *Signature) error

VerifyAzureKV verifies an Azure Key Vault signature.

func VerifyGCPKMS 

func VerifyGCPKMS(data []byte, sig *Signature) error

VerifyGCPKMS verifies a GCP KMS signature.

func VerifyGPG 

func VerifyGPG(data []byte, sig *Signature) error

VerifyGPG verifies a GPG signature.

Types

type AWSKMSSigner 

type AWSKMSSigner struct {
	// contains filtered or unexported fields
}

AWSKMSSigner signs using AWS KMS.

func NewAWSKMSSigner 

func NewAWSKMSSigner(keyARNs string) *AWSKMSSigner

NewAWSKMSSigner creates an AWS KMS signer with the given key ARNs. The keyARNs string can contain multiple ARNs separated by commas or newlines.

func (*AWSKMSSigner) Available 

func (a *AWSKMSSigner) Available() bool

Available returns true if AWS credentials are configured and we can access at least one of the configured keys.

func (*AWSKMSSigner) Name 

func (a *AWSKMSSigner) Name() string

Name returns "aws_kms".

func (*AWSKMSSigner) Sign 

func (a *AWSKMSSigner) Sign(data []byte) (*Signature, error)

Sign signs the data using AWS KMS.

type AzureKVSigner 

type AzureKVSigner struct {
	// contains filtered or unexported fields
}

AzureKVSigner signs using Azure Key Vault.

func NewAzureKVSigner 

func NewAzureKVSigner(keyURLs string) *AzureKVSigner

NewAzureKVSigner creates an Azure Key Vault signer with the given key URLs. The keyURLs string can contain multiple URLs separated by commas or newlines. Key format: https://VAULT.vault.azure.net/keys/KEY/VERSION

func (*AzureKVSigner) Available 

func (a *AzureKVSigner) Available() bool

Available returns true if Azure credentials are configured and we can access at least one of the configured keys.

func (*AzureKVSigner) Name 

func (a *AzureKVSigner) Name() string

Name returns "azure_kv".

func (*AzureKVSigner) Sign 

func (a *AzureKVSigner) Sign(data []byte) (*Signature, error)

Sign signs the data using Azure Key Vault.

type Backend 

type Backend string

Backend represents a signing backend type. 

const (
	BackendPGP     Backend = "pgp"
	BackendAWSKMS  Backend = "aws_kms"
	BackendGCPKMS  Backend = "gcp_kms"
	BackendAzureKV Backend = "azure_kv"
)

Signing backend constants.

type CreationRule 

type CreationRule struct {
	PathRegex string `yaml:"path_regex"`
	PGP       string `yaml:"pgp,omitempty"`
	Age       string `yaml:"age,omitempty"`
	AWSKMS    string `yaml:"aws_kms,omitempty"`
	GCPKMS    string `yaml:"gcp_kms,omitempty"`
	AzureKV   string `yaml:"azure_kv,omitempty"`
}

CreationRule represents a single rule in .sops.yaml

func (*CreationRule) OrderedBackends 

func (r *CreationRule) OrderedBackends() []ParsedBackend

OrderedBackends returns the backends from a creation rule in declaration order. This preserves the order from the YAML file.

type GCPKMSSigner 

type GCPKMSSigner struct {
	// contains filtered or unexported fields
}

GCPKMSSigner signs using Google Cloud KMS.

func NewGCPKMSSigner 

func NewGCPKMSSigner(keyNames string) *GCPKMSSigner

NewGCPKMSSigner creates a GCP KMS signer with the given key resource names. The keyNames string can contain multiple names separated by commas or newlines. Key format: projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY/cryptoKeyVersions/VERSION

func (*GCPKMSSigner) Available 

func (g *GCPKMSSigner) Available() bool

Available returns true if GCP credentials are configured and we can access at least one of the configured keys.

func (*GCPKMSSigner) Name 

func (g *GCPKMSSigner) Name() string

Name returns "gcp_kms".

func (*GCPKMSSigner) Sign 

func (g *GCPKMSSigner) Sign(data []byte) (*Signature, error)

Sign signs the data using GCP KMS.

type GPGSigner 

type GPGSigner struct {
	// contains filtered or unexported fields
}

GPGSigner signs using GPG (GNU Privacy Guard).

func NewGPGSigner 

func NewGPGSigner(fingerprints string) *GPGSigner

NewGPGSigner creates a GPG signer with the given fingerprints. The fingerprints string can contain multiple fingerprints separated by commas or newlines.

func (*GPGSigner) Available 

func (g *GPGSigner) Available() bool

Available returns true if gpg is installed and we have a secret key matching one of the configured fingerprints.

func (*GPGSigner) Name 

func (g *GPGSigner) Name() string

Name returns "gpg".

func (*GPGSigner) Sign 

func (g *GPGSigner) Sign(data []byte) (*Signature, error)

Sign signs the data using GPG.

type ParsedBackend 

type ParsedBackend struct {
	Type  Backend
	Value string
}

ParsedBackend contains the backend type and its configuration value.

type SignError 

type SignError struct {
	Backend string
	Err     error
	Details string
}

SignError represents a signing failure.

func (*SignError) Error 

func (e *SignError) Error() string

func (*SignError) Unwrap 

func (e *SignError) Unwrap() error

type Signature 

type Signature struct {
	// Method identifies the signing backend (gpg, aws_kms, gcp_kms, azure_kv).
	Method string `json:"method" yaml:"method"`

	// Value is the signature data (format depends on method).
	Value string `json:"value" yaml:"value"`

	// KeyID identifies the key used for signing.
	// For GPG: fingerprint, for KMS: key ARN/ID, etc.
	KeyID string `json:"key_id" yaml:"key_id"`
}

Signature represents a cryptographic signature.

type Signer 

type Signer interface {
	// Name returns the backend name (gpg, aws_kms, gcp_kms, azure_kv).
	Name() string

	// Available returns true if this signer can be used.
	// Checks for required tools, credentials, etc.
	Available() bool

	// Sign signs the data and returns a signature.
	Sign(data []byte) (*Signature, error)
}

Signer is the interface for signing backends.

type SignerChain 

type SignerChain struct {
	// contains filtered or unexported fields
}

SignerChain tries signers in order, using the first one that works.

func BuildSignerChain 

func BuildSignerChain(searchDir string) *SignerChain

BuildSignerChain creates a signer chain based on .sops.yaml configuration. Searches for .sops.yaml starting from searchDir. Returns an empty chain (not an error) if no .sops.yaml is found.

func NewSignerChain 

func NewSignerChain(signers ...Signer) *SignerChain

NewSignerChain creates a chain from the given signers.

func (*SignerChain) Sign 

func (c *SignerChain) Sign(data []byte) (*Signature, error)

Sign tries each signer in order, returning the first successful signature. Returns nil (not an error) if no signers are available.

type SopsConfig 

type SopsConfig struct {
	CreationRules []CreationRule `yaml:"creation_rules"`
}

SopsConfig represents the structure of .sops.yaml

func ParseSopsConfig 

func ParseSopsConfig(path string) (*SopsConfig, error)

ParseSopsConfig parses a .sops.yaml file.

type VerifyError 

type VerifyError struct {
	Backend string
	Err     error
	Details string
}

VerifyError represents a verification failure.

func (*VerifyError) Error 

func (e *VerifyError) Error() string

func (*VerifyError) Unwrap 

func (e *VerifyError) Unwrap() error

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.