v1


Constants

// Default endpoints and client settings for the public Sigstore infrastructure.
// DefaultSignOptionsOIDC and DefaultVerifyOptionsOIDC are built from these values.
// Overriding any of them changes which authorities a signature is issued by or
// verified against; in particular the TUF mirror is where verification fetches
// its trusted root material (see VerifyOptionsOIDC.TufMirrorUrl).
const (
	// Fulcio certificate authority used for keyless (OIDC) signing.
	DefaultFulcioURL       = "https://fulcio.sigstore.dev"
	// Rekor transparency log that signatures are uploaded to unless SkipTlog is set.
	DefaultRekorURL        = "https://rekor.sigstore.dev"
	// Timestamp authority (TSA) endpoint.
	DefaultTimestampURL    = "https://timestamp.sigstore.dev/api/v1/timestamp"
	// TUF repository mirror; used for verification unless TrustedRootPath is set.
	DefaultTUFMirrorURL    = "https://tuf-repo-cdn.sigstore.dev"
	// OIDC provider endpoint for keyless signing.
	DefaultOIDCProviderURL = "https://oauth2.sigstore.dev/auth"
	// OIDC client ID presented to the provider.
	DefaultOIDCClientID    = "sigstore"
)
// Fully-qualified gRPC method names for SignService, as they appear on the wire
// and in SignService_ServiceDesc. These are the strings to match on in
// interceptors or authorization policies that key on method name.
const (
	SignService_Sign_FullMethodName   = "/agntcy.dir.sign.v1.SignService/Sign"
	SignService_Verify_FullMethodName = "/agntcy.dir.sign.v1.SignService/Verify"
)

Variables

// Package-level defaults for OIDC signing and verification. Both are pointers to
// shared structs: callers that want different settings should copy them rather
// than mutate them in place, otherwise every other reader of these values
// (presumably including the GetDefaultOptions methods) sees the change.
var (
	// DefaultSignOptionsOIDC provides default values for OIDC-based signing.
	// Transparency-log upload is enabled (SkipTlog false) and no client secret is set.
	DefaultSignOptionsOIDC = &SignOptionsOIDC{
		FulcioUrl:        DefaultFulcioURL,
		RekorUrl:         DefaultRekorURL,
		TimestampUrl:     DefaultTimestampURL,
		SkipTlog:         false,
		OidcProviderUrl:  DefaultOIDCProviderURL,
		OidcClientId:     DefaultOIDCClientID,
		OidcClientSecret: "",
	}

	// DefaultVerifyOptionsOIDC provides default values for OIDC-based verification.
	// All Ignore* flags are false, so transparency-log, TSA and SCT checks are all
	// performed, and trusted root material comes from the TUF mirror (TrustedRootPath
	// is empty).
	DefaultVerifyOptionsOIDC = &VerifyOptionsOIDC{
		TufMirrorUrl:    DefaultTUFMirrorURL,
		TrustedRootPath: "",
		IgnoreTlog:      false,
		IgnoreTsa:       false,
		IgnoreSct:       false,
	}
)
// File_agntcy_dir_sign_v1_public_key_proto is the protoreflect descriptor of the
// generated proto file that defines PublicKey (file path inferred from the name).
var File_agntcy_dir_sign_v1_public_key_proto protoreflect.FileDescriptor
// File_agntcy_dir_sign_v1_sign_service_proto is the protoreflect descriptor of
// agntcy/dir/sign/v1/sign_service.proto (the Metadata path in SignService_ServiceDesc).
var File_agntcy_dir_sign_v1_sign_service_proto protoreflect.FileDescriptor
// File_agntcy_dir_sign_v1_signature_proto is the protoreflect descriptor of the
// generated proto file that defines Signature (file path inferred from the name).
var File_agntcy_dir_sign_v1_signature_proto protoreflect.FileDescriptor
// SignService_ServiceDesc is the grpc.ServiceDesc for SignService service.
// It's only intended for direct use with grpc.RegisterService, and not to be
// introspected or modified (even as a copy). Only the two unary methods Sign and
// Verify are registered; Streams is intentionally empty.
var SignService_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "agntcy.dir.sign.v1.SignService",
	HandlerType: (*SignServiceServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "Sign",
			Handler:    _SignService_Sign_Handler,
		},
		{
			MethodName: "Verify",
			Handler:    _SignService_Verify_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "agntcy/dir/sign/v1/sign_service.proto",
}

SignService_ServiceDesc is the grpc.ServiceDesc for SignService service. It's only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy).

Functions

func RegisterSignServiceServer

func RegisterSignServiceServer(s grpc.ServiceRegistrar, srv SignServiceServer)

Types

type PublicKey

// PublicKey is the public key data associated with a Record. Multiple public
// keys can be associated with a single Record. It can be stored with the record
// as a RecordReferrer via MarshalReferrer and read back via UnmarshalReferrer.
//
// NOTE(review): a key attached to a record is record data, not a trust decision.
// Verifiers should compare against key material they supply themselves
// (see VerifyWithKey) rather than trust whichever key travels with the record.
type PublicKey struct {

	// PEM-encoded public key string.
	Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
	// contains filtered or unexported fields
}

PublicKey is the public key data associated with a Record. Multiple public keys can be associated with a single Record.

func (*PublicKey) Descriptor deprecated

func (*PublicKey) Descriptor() ([]byte, []int)

Deprecated: Use PublicKey.ProtoReflect.Descriptor instead.

func (*PublicKey) GetKey

func (x *PublicKey) GetKey() string

func (*PublicKey) MarshalReferrer

func (p *PublicKey) MarshalReferrer() (*corev1.RecordReferrer, error)

MarshalReferrer exports the PublicKey into a RecordReferrer.

func (*PublicKey) ProtoMessage

func (*PublicKey) ProtoMessage()

func (*PublicKey) ProtoReflect

func (x *PublicKey) ProtoReflect() protoreflect.Message

func (*PublicKey) ReferrerType

func (p *PublicKey) ReferrerType() string

ReferrerType returns the referrer type for PublicKey.

func (*PublicKey) Reset

func (x *PublicKey) Reset()

func (*PublicKey) String

func (x *PublicKey) String() string

func (*PublicKey) UnmarshalReferrer

func (p *PublicKey) UnmarshalReferrer(ref *corev1.RecordReferrer) error

UnmarshalReferrer loads the PublicKey from a RecordReferrer.

type SignOptionsOIDC added in v1.1.0

// SignOptionsOIDC holds the options for OIDC-based (keyless) signing. Empty
// fields are filled from DefaultSignOptionsOIDC by GetDefaultOptions.
//
// Changing the Fulcio, Rekor or timestamp URLs selects different signing
// authorities; the verifying side must use a trusted root that covers them
// (VerifyOptionsOIDC.TufMirrorUrl / TrustedRootPath) for verification to succeed.
type SignOptionsOIDC struct {

	// Fulcio authority access URL.
	// Default: https://fulcio.sigstore.dev
	FulcioUrl string `protobuf:"bytes,1,opt,name=fulcio_url,json=fulcioUrl,proto3" json:"fulcio_url,omitempty"`
	// Rekor transparency log access URL.
	// Default: https://rekor.sigstore.dev
	RekorUrl string `protobuf:"bytes,2,opt,name=rekor_url,json=rekorUrl,proto3" json:"rekor_url,omitempty"`
	// Timestamp authority access URL.
	// Default: https://timestamp.sigstore.dev/api/v1/timestamp
	TimestampUrl string `protobuf:"bytes,3,opt,name=timestamp_url,json=timestampUrl,proto3" json:"timestamp_url,omitempty"`
	// OIDC provider access URL.
	// Default: https://oauth2.sigstore.dev/auth
	OidcProviderUrl string `protobuf:"bytes,4,opt,name=oidc_provider_url,json=oidcProviderUrl,proto3" json:"oidc_provider_url,omitempty"`
	// OIDC client ID.
	// Default: sigstore
	OidcClientId string `protobuf:"bytes,5,opt,name=oidc_client_id,json=oidcClientId,proto3" json:"oidc_client_id,omitempty"`
	// OIDC client secret.
	// Required for confidential OIDC clients that require client authentication.
	// Default: empty
	// Sensitive: keep it out of logs. The generated String() method presumably
	// renders every populated field, including this one — confirm before logging
	// a SignOptionsOIDC value.
	OidcClientSecret string `protobuf:"bytes,6,opt,name=oidc_client_secret,json=oidcClientSecret,proto3" json:"oidc_client_secret,omitempty"`
	// Skip uploading signature to transparency log (Rekor).
	// Set to true for private signing where transparency log upload is not desired.
	// Note: Signatures created with this option cannot be verified against Rekor.
	// Verifiers of such signatures must set VerifyOptionsOIDC.IgnoreTlog.
	// Default: false
	SkipTlog bool `protobuf:"varint,7,opt,name=skip_tlog,json=skipTlog,proto3" json:"skip_tlog,omitempty"`
	// contains filtered or unexported fields
}

Options for OIDC-based signing.

func (*SignOptionsOIDC) Descriptor deprecated added in v1.1.0

func (*SignOptionsOIDC) Descriptor() ([]byte, []int)

Deprecated: Use SignOptionsOIDC.ProtoReflect.Descriptor instead.

func (*SignOptionsOIDC) GetDefaultOptions added in v1.1.0

func (x *SignOptionsOIDC) GetDefaultOptions() *SignOptionsOIDC

GetDefaultOptions returns SignOptionsOIDC with defaults applied for empty fields.

func (*SignOptionsOIDC) GetFulcioUrl added in v1.1.0

func (x *SignOptionsOIDC) GetFulcioUrl() string

func (*SignOptionsOIDC) GetOidcClientId added in v1.1.0

func (x *SignOptionsOIDC) GetOidcClientId() string

func (*SignOptionsOIDC) GetOidcClientSecret added in v1.1.0

func (x *SignOptionsOIDC) GetOidcClientSecret() string

func (*SignOptionsOIDC) GetOidcProviderUrl added in v1.1.0

func (x *SignOptionsOIDC) GetOidcProviderUrl() string

func (*SignOptionsOIDC) GetRekorUrl added in v1.1.0

func (x *SignOptionsOIDC) GetRekorUrl() string

func (*SignOptionsOIDC) GetSkipTlog added in v1.1.0

func (x *SignOptionsOIDC) GetSkipTlog() bool

func (*SignOptionsOIDC) GetTimestampUrl added in v1.1.0

func (x *SignOptionsOIDC) GetTimestampUrl() string

func (*SignOptionsOIDC) ProtoMessage added in v1.1.0

func (*SignOptionsOIDC) ProtoMessage()

func (*SignOptionsOIDC) ProtoReflect added in v1.1.0

func (x *SignOptionsOIDC) ProtoReflect() protoreflect.Message

func (*SignOptionsOIDC) Reset added in v1.1.0

func (x *SignOptionsOIDC) Reset()

func (*SignOptionsOIDC) String added in v1.1.0

func (x *SignOptionsOIDC) String() string

type SignRequest

// SignRequest asks SignService.Sign to sign the record identified by RecordRef
// using the signing provider in Provider (key-based or OIDC, see
// SignRequestProvider).
type SignRequest struct {

	// Record reference to be signed
	RecordRef *v1.RecordRef `protobuf:"bytes,1,opt,name=record_ref,json=recordRef,proto3" json:"record_ref,omitempty"`
	// Signing provider to use
	Provider *SignRequestProvider `protobuf:"bytes,2,opt,name=provider,proto3" json:"provider,omitempty"`
	// contains filtered or unexported fields
}

func (*SignRequest) Descriptor deprecated

func (*SignRequest) Descriptor() ([]byte, []int)

Deprecated: Use SignRequest.ProtoReflect.Descriptor instead.

func (*SignRequest) GetProvider

func (x *SignRequest) GetProvider() *SignRequestProvider

func (*SignRequest) GetRecordRef

func (x *SignRequest) GetRecordRef() *v1.RecordRef

func (*SignRequest) ProtoMessage

func (*SignRequest) ProtoMessage()

func (*SignRequest) ProtoReflect

func (x *SignRequest) ProtoReflect() protoreflect.Message

func (*SignRequest) Reset

func (x *SignRequest) Reset()

func (*SignRequest) String

func (x *SignRequest) String() string

type SignRequestProvider

// SignRequestProvider selects how a record is signed. Request is a proto oneof,
// so exactly one of the Key or Oidc variants is expected to be set; GetKey and
// GetOidc presumably return nil for the variant that is not set.
type SignRequestProvider struct {

	// Types that are valid to be assigned to Request:
	//
	//	*SignRequestProvider_Key
	//	*SignRequestProvider_Oidc
	Request isSignRequestProvider_Request `protobuf_oneof:"request"`
	// contains filtered or unexported fields
}

func (*SignRequestProvider) Descriptor deprecated

func (*SignRequestProvider) Descriptor() ([]byte, []int)

Deprecated: Use SignRequestProvider.ProtoReflect.Descriptor instead.

func (*SignRequestProvider) GetKey

func (x *SignRequestProvider) GetKey() *SignWithKey

func (*SignRequestProvider) GetOidc

func (x *SignRequestProvider) GetOidc() *SignWithOIDC

func (*SignRequestProvider) GetRequest

func (x *SignRequestProvider) GetRequest() isSignRequestProvider_Request

func (*SignRequestProvider) ProtoMessage

func (*SignRequestProvider) ProtoMessage()

func (*SignRequestProvider) ProtoReflect

func (x *SignRequestProvider) ProtoReflect() protoreflect.Message

func (*SignRequestProvider) Reset

func (x *SignRequestProvider) Reset()

func (*SignRequestProvider) String

func (x *SignRequestProvider) String() string

type SignRequestProvider_Key

// SignRequestProvider_Key is the oneof wrapper for key-based signing.
type SignRequestProvider_Key struct {
	// Sign with PEM-encoded private key (see SignWithKey for accepted key references).
	Key *SignWithKey `protobuf:"bytes,1,opt,name=key,proto3,oneof"`
}

type SignRequestProvider_Oidc

// SignRequestProvider_Oidc is the oneof wrapper for keyless (OIDC) signing.
type SignRequestProvider_Oidc struct {
	// Sign with OIDC provider
	Oidc *SignWithOIDC `protobuf:"bytes,2,opt,name=oidc,proto3,oneof"`
}

type SignResponse

// SignResponse is the result of SignService.Sign: the Signature produced for
// the requested record.
type SignResponse struct {

	// Cryptographic signature of the record
	Signature *Signature `protobuf:"bytes,1,opt,name=signature,proto3" json:"signature,omitempty"`
	// contains filtered or unexported fields
}

func (*SignResponse) Descriptor deprecated

func (*SignResponse) Descriptor() ([]byte, []int)

Deprecated: Use SignResponse.ProtoReflect.Descriptor instead.

func (*SignResponse) GetSignature

func (x *SignResponse) GetSignature() *Signature

func (*SignResponse) ProtoMessage

func (*SignResponse) ProtoMessage()

func (*SignResponse) ProtoReflect

func (x *SignResponse) ProtoReflect() protoreflect.Message

func (*SignResponse) Reset

func (x *SignResponse) Reset()

func (*SignResponse) String

func (x *SignResponse) String() string

type SignServiceClient

// SignServiceClient is the client API for SignService service.
//
// SignService provides methods to sign and verify records.
//
// NOTE: This is a client-side service and is not available on the server.
type SignServiceClient interface {
	// Sign record using keyless OIDC based provider or
	// using PEM-encoded private key with an optional passphrase.
	Sign(ctx context.Context, in *SignRequest, opts ...grpc.CallOption) (*SignResponse, error)
	// Verify signed record using keyless OIDC based provider or
	// using PEM-encoded public key.
	Verify(ctx context.Context, in *VerifyRequest, opts ...grpc.CallOption) (*VerifyResponse, error)
}

SignServiceClient is the client API for SignService service.

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.

SignService provides methods to sign and verify records.

NOTE: This is a client-side service and is not available on the server.

type SignServiceServer

// SignServiceServer is the server API for SignService service. All
// implementations should embed UnimplementedSignServiceServer for forward
// compatibility.
//
// SignService provides methods to sign and verify records.
//
// NOTE: This is a client-side service and is not available on the server.
type SignServiceServer interface {
	// Sign record using keyless OIDC based provider or
	// using PEM-encoded private key with an optional passphrase.
	Sign(context.Context, *SignRequest) (*SignResponse, error)
	// Verify signed record using keyless OIDC based provider or
	// using PEM-encoded public key.
	Verify(context.Context, *VerifyRequest) (*VerifyResponse, error)
}

SignServiceServer is the server API for SignService service. All implementations should embed UnimplementedSignServiceServer for forward compatibility.

SignService provides methods to sign and verify records.

NOTE: This is a client-side service and is not available on the server.

type SignWithKey

// SignWithKey carries the private key (or a reference to it) and optional
// passphrase for key-based signing.
//
// Both fields are secrets. The generated String() method presumably renders
// every populated field, so do not log this message or a SignRequest containing
// it — confirm against the generated code before relying on the opposite.
type SignWithKey struct {

	// Private key for signing.
	// Accepts either:
	// - PEM-encoded private key content (inline)
	// - Reference to a private key:
	//   - File path: "/path/to/cosign.key" or "./cosign.key"
	//   - HTTP(S) URL: "https://example.com/cosign.key"
	//   - Environment variable: "env://COSIGN_PRIVATE_KEY"
	//   - AWS KMS: "awskms://[ENDPOINT]/[ID/ALIAS/ARN]"
	//   - GCP KMS: "gcpkms://projects/[PROJECT]/locations/[LOC]/keyRings/[RING]/cryptoKeys/[KEY]"
	//   - Azure Key Vault: "azurekms://[VAULT_NAME][VAULT_URI]/[KEY]"
	//   - Hashicorp Vault: "hashivault://[KEY]"
	//   - Kubernetes secret: "k8s://[NAMESPACE]/[SECRET_NAME]"
	//   - PKCS11 token: "pkcs11:token=...;slot-id=...;object=..."
	//   - GitLab: "gitlab://[PROJECT]"
	// NOTE(review): the HTTP(S) form pulls private key material over the network
	// from whatever endpoint this string names; a KMS or local reference keeps the
	// key where it is. How inline PEM is told apart from a reference is not visible here.
	PrivateKey string `protobuf:"bytes,1,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"`
	// Password to unlock the private key (if encrypted).
	// Optional (proto3 oneof/optional); GetPassword presumably returns nil when unset.
	Password []byte `protobuf:"bytes,2,opt,name=password,proto3,oneof" json:"password,omitempty"`
	// contains filtered or unexported fields
}

func (*SignWithKey) Descriptor deprecated

func (*SignWithKey) Descriptor() ([]byte, []int)

Deprecated: Use SignWithKey.ProtoReflect.Descriptor instead.

func (*SignWithKey) GetPassword

func (x *SignWithKey) GetPassword() []byte

func (*SignWithKey) GetPrivateKey

func (x *SignWithKey) GetPrivateKey() string

func (*SignWithKey) ProtoMessage

func (*SignWithKey) ProtoMessage()

func (*SignWithKey) ProtoReflect

func (x *SignWithKey) ProtoReflect() protoreflect.Message

func (*SignWithKey) Reset

func (x *SignWithKey) Reset()

func (*SignWithKey) String

func (x *SignWithKey) String() string

type SignWithOIDC

// SignWithOIDC carries the identity token and options for keyless (OIDC) signing.
type SignWithOIDC struct {

	// Token for OIDC provider
	// This is a bearer credential: treat it as a secret and keep it out of logs
	// (the generated String() method presumably includes it).
	IdToken string `protobuf:"bytes,1,opt,name=id_token,json=idToken,proto3" json:"id_token,omitempty"`
	// Signing options for OIDC
	// Optional; when nil the defaults presumably apply (see
	// SignOptionsOIDC.GetDefaultOptions and DefaultSignOptionsOIDC) — confirm with the signer.
	Options *SignOptionsOIDC `protobuf:"bytes,2,opt,name=options,proto3,oneof" json:"options,omitempty"`
	// contains filtered or unexported fields
}

func (*SignWithOIDC) Descriptor deprecated

func (*SignWithOIDC) Descriptor() ([]byte, []int)

Deprecated: Use SignWithOIDC.ProtoReflect.Descriptor instead.

func (*SignWithOIDC) GetIdToken

func (x *SignWithOIDC) GetIdToken() string

func (*SignWithOIDC) GetOptions

func (x *SignWithOIDC) GetOptions() *SignOptionsOIDC

func (*SignWithOIDC) ProtoMessage

func (*SignWithOIDC) ProtoMessage()

func (*SignWithOIDC) ProtoReflect

func (x *SignWithOIDC) ProtoReflect() protoreflect.Message

func (*SignWithOIDC) Reset

func (x *SignWithOIDC) Reset()

func (*SignWithOIDC) String

func (x *SignWithOIDC) String() string

type Signature

// Signature is the signing data associated with a Record. Multiple signatures
// can be associated with a single Record. It is stored and managed via
// StoreService as a RecordReferrer (see MarshalReferrer / UnmarshalReferrer and
// ReferrerType).
//
// NOTE(review): every field here is data supplied by whoever attached the
// signature. Annotations, SignedAt and Algorithm are metadata; a verifier
// should rely on the cryptographic checks over Signature, Certificate and
// ContentBundle rather than on these fields.
type Signature struct {

	// Metadata associated with the signature.
	Annotations map[string]string `` /* 149-byte string literal not displayed */
	// Signing timestamp of the record in the RFC3339 format.
	// Specs: https://www.rfc-editor.org/rfc/rfc3339.html
	// Stored as a plain string; whether it is validated on load is not visible here.
	SignedAt string `protobuf:"bytes,2,opt,name=signed_at,json=signedAt,proto3" json:"signed_at,omitempty"`
	// The signature algorithm used (e.g., "ECDSA_P256_SHA256").
	Algorithm string `protobuf:"bytes,3,opt,name=algorithm,proto3" json:"algorithm,omitempty"`
	// Base64-encoded signature.
	Signature string `protobuf:"bytes,4,opt,name=signature,proto3" json:"signature,omitempty"`
	// Base64-encoded signing certificate.
	Certificate string `protobuf:"bytes,5,opt,name=certificate,proto3" json:"certificate,omitempty"`
	// Type of the signature content bundle.
	ContentType string `protobuf:"bytes,6,opt,name=content_type,json=contentType,proto3" json:"content_type,omitempty"`
	// Base64-encoded signature bundle produced by the signer.
	// It is up to the client to interpret the content of the bundle.
	ContentBundle string `protobuf:"bytes,7,opt,name=content_bundle,json=contentBundle,proto3" json:"content_bundle,omitempty"`
	// contains filtered or unexported fields
}

Signature is the signing data associated with a Record. Multiple signatures can be associated with a single Record.

Storage and management of signatures is provided via StoreService as a RecordReferrer object.

Signature can be encoded into RecordReferrer object as follows:

type = "agntcy.dir.sign.v1.Signature"
data = Signature message encoded as JSON

func (*Signature) Descriptor deprecated

func (*Signature) Descriptor() ([]byte, []int)

Deprecated: Use Signature.ProtoReflect.Descriptor instead.

func (*Signature) GetAlgorithm

func (x *Signature) GetAlgorithm() string

func (*Signature) GetAnnotations

func (x *Signature) GetAnnotations() map[string]string

func (*Signature) GetCertificate

func (x *Signature) GetCertificate() string

func (*Signature) GetContentBundle

func (x *Signature) GetContentBundle() string

func (*Signature) GetContentType

func (x *Signature) GetContentType() string

func (*Signature) GetSignature

func (x *Signature) GetSignature() string

func (*Signature) GetSignedAt

func (x *Signature) GetSignedAt() string

func (*Signature) MarshalReferrer

func (s *Signature) MarshalReferrer() (*corev1.RecordReferrer, error)

MarshalReferrer exports the Signature into a RecordReferrer.

func (*Signature) ProtoMessage

func (*Signature) ProtoMessage()

func (*Signature) ProtoReflect

func (x *Signature) ProtoReflect() protoreflect.Message

func (*Signature) ReferrerType

func (s *Signature) ReferrerType() string

ReferrerType returns the type for Signature.

func (*Signature) Reset

func (x *Signature) Reset()

func (*Signature) String

func (x *Signature) String() string

func (*Signature) UnmarshalReferrer

func (s *Signature) UnmarshalReferrer(ref *corev1.RecordReferrer) error

UnmarshalReferrer loads the Signature from a RecordReferrer.

type SignerInfo added in v1.1.0

// SignerInfo is structured information about who signed the record, as
// reported in VerifyResponse.Signers. Type is a proto oneof: either a key-based
// signer (SignerInfoKey) or an OIDC signer (SignerInfoOIDC).
type SignerInfo struct {

	// Types that are valid to be assigned to Type:
	//
	//	*SignerInfo_Key
	//	*SignerInfo_Oidc
	Type isSignerInfo_Type `protobuf_oneof:"type"`
	// contains filtered or unexported fields
}

Structured information about who signed the record.

func (*SignerInfo) Descriptor deprecated added in v1.1.0

func (*SignerInfo) Descriptor() ([]byte, []int)

Deprecated: Use SignerInfo.ProtoReflect.Descriptor instead.

func (*SignerInfo) GetKey added in v1.1.0

func (x *SignerInfo) GetKey() *SignerInfoKey

func (*SignerInfo) GetOidc added in v1.1.0

func (x *SignerInfo) GetOidc() *SignerInfoOIDC

func (*SignerInfo) GetType added in v1.1.0

func (x *SignerInfo) GetType() isSignerInfo_Type

func (*SignerInfo) ProtoMessage added in v1.1.0

func (*SignerInfo) ProtoMessage()

func (*SignerInfo) ProtoReflect added in v1.1.0

func (x *SignerInfo) ProtoReflect() protoreflect.Message

func (*SignerInfo) Reset added in v1.1.0

func (x *SignerInfo) Reset()

func (*SignerInfo) String added in v1.1.0

func (x *SignerInfo) String() string

type SignerInfoKey added in v1.1.0

// SignerInfoKey describes a key-based signer whose signature verified: the
// public key that verified it and the key algorithm.
type SignerInfoKey struct {

	// Public key used for verification (PEM-encoded)
	PublicKey string `protobuf:"bytes,1,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"`
	// Key algorithm (e.g., "ECDSA-P256", "Ed25519", "RSA")
	Algorithm string `protobuf:"bytes,2,opt,name=algorithm,proto3" json:"algorithm,omitempty"`
	// contains filtered or unexported fields
}

Information about a key-based signer.

func (*SignerInfoKey) Descriptor deprecated added in v1.1.0

func (*SignerInfoKey) Descriptor() ([]byte, []int)

Deprecated: Use SignerInfoKey.ProtoReflect.Descriptor instead.

func (*SignerInfoKey) GetAlgorithm added in v1.1.0

func (x *SignerInfoKey) GetAlgorithm() string

func (*SignerInfoKey) GetPublicKey added in v1.1.0

func (x *SignerInfoKey) GetPublicKey() string

func (*SignerInfoKey) ProtoMessage added in v1.1.0

func (*SignerInfoKey) ProtoMessage()

func (*SignerInfoKey) ProtoReflect added in v1.1.0

func (x *SignerInfoKey) ProtoReflect() protoreflect.Message

func (*SignerInfoKey) Reset added in v1.1.0

func (x *SignerInfoKey) Reset()

func (*SignerInfoKey) String added in v1.1.0

func (x *SignerInfoKey) String() string

type SignerInfoOIDC added in v1.1.0

// SignerInfoOIDC describes an OIDC (keyless) signer whose signature verified.
// Issuer and Subject identify the signing identity; CertificateIssuer names the
// CA that issued the signing certificate. When verification was requested with
// VerifyWithAny, these are the fields a caller must inspect to learn who signed.
type SignerInfoOIDC struct {

	// OIDC issuer URL (e.g., "https://github.com/login/oauth")
	Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"`
	// OIDC subject/identity (e.g., "user@example.com")
	Subject string `protobuf:"bytes,2,opt,name=subject,proto3" json:"subject,omitempty"`
	// X.509 certificate issuer (e.g., "CN=sigstore-intermediate,O=sigstore.dev")
	CertificateIssuer string `protobuf:"bytes,3,opt,name=certificate_issuer,json=certificateIssuer,proto3" json:"certificate_issuer,omitempty"`
	// contains filtered or unexported fields
}

Information about an OIDC-based signer.

func (*SignerInfoOIDC) Descriptor deprecated added in v1.1.0

func (*SignerInfoOIDC) Descriptor() ([]byte, []int)

Deprecated: Use SignerInfoOIDC.ProtoReflect.Descriptor instead.

func (*SignerInfoOIDC) GetCertificateIssuer added in v1.1.0

func (x *SignerInfoOIDC) GetCertificateIssuer() string

func (*SignerInfoOIDC) GetIssuer added in v1.1.0

func (x *SignerInfoOIDC) GetIssuer() string

func (*SignerInfoOIDC) GetSubject added in v1.1.0

func (x *SignerInfoOIDC) GetSubject() string

func (*SignerInfoOIDC) ProtoMessage added in v1.1.0

func (*SignerInfoOIDC) ProtoMessage()

func (*SignerInfoOIDC) ProtoReflect added in v1.1.0

func (x *SignerInfoOIDC) ProtoReflect() protoreflect.Message

func (*SignerInfoOIDC) Reset added in v1.1.0

func (x *SignerInfoOIDC) Reset()

func (*SignerInfoOIDC) String added in v1.1.0

func (x *SignerInfoOIDC) String() string

type SignerInfo_Key added in v1.1.0

// SignerInfo_Key is the oneof wrapper for a key-based signer.
type SignerInfo_Key struct {
	// Key-based signer information
	Key *SignerInfoKey `protobuf:"bytes,1,opt,name=key,proto3,oneof"`
}

type SignerInfo_Oidc added in v1.1.0

// SignerInfo_Oidc is the oneof wrapper for an OIDC-based signer.
type SignerInfo_Oidc struct {
	// OIDC-based signer information
	Oidc *SignerInfoOIDC `protobuf:"bytes,2,opt,name=oidc,proto3,oneof"`
}

type UnimplementedSignServiceServer

// UnimplementedSignServiceServer should be embedded to have forward compatible
// implementations. It provides Sign and Verify stubs.
//
// NOTE: this should be embedded by value instead of pointer to avoid a nil
// pointer dereference when methods are called.
type UnimplementedSignServiceServer struct{}

UnimplementedSignServiceServer should be embedded to have forward compatible implementations.

NOTE: this should be embedded by value instead of pointer to avoid a nil pointer dereference when methods are called.

func (UnimplementedSignServiceServer) Sign

func (UnimplementedSignServiceServer) Verify

type UnsafeSignServiceServer

// UnsafeSignServiceServer may be embedded to opt out of forward compatibility
// for this service. Use of this interface is not recommended, as methods added
// to SignServiceServer will then result in compilation errors.
type UnsafeSignServiceServer interface {
	// contains filtered or unexported methods
}

UnsafeSignServiceServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to SignServiceServer will result in compilation errors.

type VerifyOptionsOIDC added in v1.1.0

// VerifyOptionsOIDC holds the options for OIDC-based (keyless) verification.
// Empty fields are filled from DefaultVerifyOptionsOIDC by GetDefaultOptions.
//
// Each Ignore* flag disables one independent check (transparency log,
// timestamp authority, SCT). Enable one only for signatures that were
// deliberately produced without the corresponding evidence (e.g. IgnoreTlog for
// signatures made with SignOptionsOIDC.SkipTlog); leaving all three false is the
// safe default.
type VerifyOptionsOIDC struct {

	// TUF repository mirror URL.
	// Used to fetch trusted root material (certificates, keys) for verification.
	// Default: https://tuf-repo-cdn.sigstore.dev (public good instance)
	// Pointing this at another mirror changes the root of trust for every verification.
	TufMirrorUrl string `protobuf:"bytes,1,opt,name=tuf_mirror_url,json=tufMirrorUrl,proto3" json:"tuf_mirror_url,omitempty"`
	// Path to a Sigstore TrustedRoot JSON file.
	// When provided, verification uses this file instead of fetching from TUF.
	// Required for fully offline/air-gapped verification.
	// The file contains Fulcio CAs, Rekor keys, TSA certs, and CT log keys.
	// Default: empty (uses TUF to fetch trusted root)
	// This file becomes the root of trust, so protect its integrity like a CA bundle.
	TrustedRootPath string `protobuf:"bytes,2,opt,name=trusted_root_path,json=trustedRootPath,proto3" json:"trusted_root_path,omitempty"`
	// Skip transparency log (Rekor) verification.
	// Set to true for private infrastructure without Rekor,
	// or when signatures weren't uploaded to the transparency log.
	// Default: false
	IgnoreTlog bool `protobuf:"varint,3,opt,name=ignore_tlog,json=ignoreTlog,proto3" json:"ignore_tlog,omitempty"`
	// Skip timestamp authority (TSA) verification.
	// Set to true when timestamps aren't required or TSA wasn't used during signing.
	// Default: false
	IgnoreTsa bool `protobuf:"varint,4,opt,name=ignore_tsa,json=ignoreTsa,proto3" json:"ignore_tsa,omitempty"`
	// Skip Signed Certificate Timestamp (SCT) verification.
	// Set to true for private PKI where Certificate Transparency logs aren't used.
	// Default: false
	IgnoreSct bool `protobuf:"varint,5,opt,name=ignore_sct,json=ignoreSct,proto3" json:"ignore_sct,omitempty"`
	// contains filtered or unexported fields
}

Options for OIDC-based verification.

func (*VerifyOptionsOIDC) Descriptor deprecated added in v1.1.0

func (*VerifyOptionsOIDC) Descriptor() ([]byte, []int)

Deprecated: Use VerifyOptionsOIDC.ProtoReflect.Descriptor instead.

func (*VerifyOptionsOIDC) GetDefaultOptions added in v1.1.0

func (x *VerifyOptionsOIDC) GetDefaultOptions() *VerifyOptionsOIDC

GetDefaultOptions returns VerifyOptionsOIDC with defaults applied for empty fields.

func (*VerifyOptionsOIDC) GetIgnoreSct added in v1.1.0

func (x *VerifyOptionsOIDC) GetIgnoreSct() bool

func (*VerifyOptionsOIDC) GetIgnoreTlog added in v1.1.0

func (x *VerifyOptionsOIDC) GetIgnoreTlog() bool

func (*VerifyOptionsOIDC) GetIgnoreTsa added in v1.1.0

func (x *VerifyOptionsOIDC) GetIgnoreTsa() bool

func (*VerifyOptionsOIDC) GetTrustedRootPath added in v1.1.0

func (x *VerifyOptionsOIDC) GetTrustedRootPath() string

func (*VerifyOptionsOIDC) GetTufMirrorUrl added in v1.1.0

func (x *VerifyOptionsOIDC) GetTufMirrorUrl() string

func (*VerifyOptionsOIDC) ProtoMessage added in v1.1.0

func (*VerifyOptionsOIDC) ProtoMessage()

func (*VerifyOptionsOIDC) ProtoReflect added in v1.1.0

func (x *VerifyOptionsOIDC) ProtoReflect() protoreflect.Message

func (*VerifyOptionsOIDC) Reset added in v1.1.0

func (x *VerifyOptionsOIDC) Reset()

func (*VerifyOptionsOIDC) String added in v1.1.0

func (x *VerifyOptionsOIDC) String() string

type VerifyRequest

// VerifyRequest asks SignService.Verify to check the signatures on the record
// identified by RecordRef using the provider in Provider (key, OIDC identity,
// or any signature; see VerifyRequestProvider).
type VerifyRequest struct {

	// Record reference to be verified
	RecordRef *v1.RecordRef `protobuf:"bytes,1,opt,name=record_ref,json=recordRef,proto3" json:"record_ref,omitempty"`
	// Verification provider to use
	Provider *VerifyRequestProvider `protobuf:"bytes,2,opt,name=provider,proto3" json:"provider,omitempty"`
	// When true, use cached verification result from server.
	// When false, verification is performed locally.
	// NOTE(review): with true the verdict comes from the server's cache rather
	// than from a local cryptographic check, so it is only as trustworthy as the
	// server and the freshness of that cache; how the cache is keyed to Provider
	// is not visible here.
	FromServer bool `protobuf:"varint,3,opt,name=from_server,json=fromServer,proto3" json:"from_server,omitempty"`
	// contains filtered or unexported fields
}

func (*VerifyRequest) Descriptor deprecated

func (*VerifyRequest) Descriptor() ([]byte, []int)

Deprecated: Use VerifyRequest.ProtoReflect.Descriptor instead.

func (*VerifyRequest) GetFromServer added in v1.1.0

func (x *VerifyRequest) GetFromServer() bool

func (*VerifyRequest) GetProvider added in v1.1.0

func (x *VerifyRequest) GetProvider() *VerifyRequestProvider

func (*VerifyRequest) GetRecordRef

func (x *VerifyRequest) GetRecordRef() *v1.RecordRef

func (*VerifyRequest) ProtoMessage

func (*VerifyRequest) ProtoMessage()

func (*VerifyRequest) ProtoReflect

func (x *VerifyRequest) ProtoReflect() protoreflect.Message

func (*VerifyRequest) Reset

func (x *VerifyRequest) Reset()

func (*VerifyRequest) String

func (x *VerifyRequest) String() string

type VerifyRequestProvider added in v1.1.0

// VerifyRequestProvider selects what a record's signatures are verified
// against. Request is a proto oneof: a public key (VerifyWithKey), an OIDC
// identity (VerifyWithOIDC), or any signature present (VerifyWithAny). Only the
// first two bind the result to an expected signer.
type VerifyRequestProvider struct {

	// Types that are valid to be assigned to Request:
	//
	//	*VerifyRequestProvider_Key
	//	*VerifyRequestProvider_Oidc
	//	*VerifyRequestProvider_Any
	Request isVerifyRequestProvider_Request `protobuf_oneof:"request"`
	// contains filtered or unexported fields
}

func (*VerifyRequestProvider) Descriptor deprecated added in v1.1.0

func (*VerifyRequestProvider) Descriptor() ([]byte, []int)

Deprecated: Use VerifyRequestProvider.ProtoReflect.Descriptor instead.

func (*VerifyRequestProvider) GetAny added in v1.1.0

func (x *VerifyRequestProvider) GetAny() *VerifyWithAny

func (*VerifyRequestProvider) GetKey added in v1.1.0

func (x *VerifyRequestProvider) GetKey() *VerifyWithKey

func (*VerifyRequestProvider) GetOidc added in v1.1.0

func (x *VerifyRequestProvider) GetOidc() *VerifyWithOIDC

func (*VerifyRequestProvider) GetRequest added in v1.1.0

func (x *VerifyRequestProvider) GetRequest() isVerifyRequestProvider_Request

func (*VerifyRequestProvider) ProtoMessage added in v1.1.0

func (*VerifyRequestProvider) ProtoMessage()

func (*VerifyRequestProvider) ProtoReflect added in v1.1.0

func (x *VerifyRequestProvider) ProtoReflect() protoreflect.Message

func (*VerifyRequestProvider) Reset added in v1.1.0

func (x *VerifyRequestProvider) Reset()

func (*VerifyRequestProvider) String added in v1.1.0

func (x *VerifyRequestProvider) String() string

type VerifyRequestProvider_Any added in v1.1.0

// VerifyRequestProvider_Any is the oneof wrapper for identity-agnostic verification.
type VerifyRequestProvider_Any struct {
	// Verify implicitly without providing any key or OIDC information.
	// This will attempt to verify any signature found on the record.
	// This is useful for verifying records that have been signed and have signatures attached,
	// without needing to verify against a specific key or OIDC identity.
	// NOTE(review): a successful result here means some signature is
	// cryptographically valid, not that a particular expected party signed;
	// callers that need that guarantee should inspect VerifyResponse.Signers or
	// use VerifyWithKey / VerifyWithOIDC instead.
	Any *VerifyWithAny `protobuf:"bytes,3,opt,name=any,proto3,oneof"`
}

type VerifyRequestProvider_Key added in v1.1.0

// VerifyRequestProvider_Key is the oneof wrapper for key-based verification.
type VerifyRequestProvider_Key struct {
	// Verify with PEM-encoded public key (see VerifyWithKey for accepted key references)
	Key *VerifyWithKey `protobuf:"bytes,1,opt,name=key,proto3,oneof"`
}

type VerifyRequestProvider_Oidc added in v1.1.0

// VerifyRequestProvider_Oidc is the oneof wrapper for OIDC identity verification.
type VerifyRequestProvider_Oidc struct {
	// Verify with OIDC provider
	Oidc *VerifyWithOIDC `protobuf:"bytes,2,opt,name=oidc,proto3,oneof"`
}

type VerifyResponse

// VerifyResponse is the result of SignService.Verify.
//
// Callers should check Success and then Signers: Signers lists which keys or
// OIDC identities produced valid signatures, which is the only way to learn who
// signed when the request used VerifyWithAny.
type VerifyResponse struct {

	// The verify process result
	Success bool `protobuf:"varint,1,opt,name=success,proto3" json:"success,omitempty"`
	// List of all signers that signed the record.
	// Each entry represents one valid signature on the record.
	Signers []*SignerInfo `protobuf:"bytes,2,rep,name=signers,proto3" json:"signers,omitempty"`
	// Optional error message if verification failed
	// nil when unset; GetErrorMessage presumably returns "" in that case.
	ErrorMessage *string `protobuf:"bytes,3,opt,name=error_message,json=errorMessage,proto3,oneof" json:"error_message,omitempty"`
	// contains filtered or unexported fields
}

func (*VerifyResponse) Descriptor deprecated

func (*VerifyResponse) Descriptor() ([]byte, []int)

Deprecated: Use VerifyResponse.ProtoReflect.Descriptor instead.

func (*VerifyResponse) GetErrorMessage

func (x *VerifyResponse) GetErrorMessage() string

func (*VerifyResponse) GetSigners added in v1.1.0

func (x *VerifyResponse) GetSigners() []*SignerInfo

func (*VerifyResponse) GetSuccess

func (x *VerifyResponse) GetSuccess() bool

func (*VerifyResponse) ProtoMessage

func (*VerifyResponse) ProtoMessage()

func (*VerifyResponse) ProtoReflect

func (x *VerifyResponse) ProtoReflect() protoreflect.Message

func (*VerifyResponse) Reset

func (x *VerifyResponse) Reset()

func (*VerifyResponse) String

func (x *VerifyResponse) String() string

type VerifyWithAny added in v1.1.0

// VerifyWithAny requests verification of whichever signatures are attached to
// the record, without naming an expected key or identity (see
// VerifyRequestProvider_Any for the caveat on what a success means).
type VerifyWithAny struct {

	// Verification options for OIDC.
	// This is used to verify only OIDC signatures on the record.
	// For key-based signatures, this field is ignored.
	// Optional; when nil the defaults presumably apply (see
	// VerifyOptionsOIDC.GetDefaultOptions and DefaultVerifyOptionsOIDC).
	OidcOptions *VerifyOptionsOIDC `protobuf:"bytes,1,opt,name=oidc_options,json=oidcOptions,proto3,oneof" json:"oidc_options,omitempty"`
	// contains filtered or unexported fields
}

func (*VerifyWithAny) Descriptor deprecated added in v1.1.0

func (*VerifyWithAny) Descriptor() ([]byte, []int)

Deprecated: Use VerifyWithAny.ProtoReflect.Descriptor instead.

func (*VerifyWithAny) GetOidcOptions added in v1.1.0

func (x *VerifyWithAny) GetOidcOptions() *VerifyOptionsOIDC

func (*VerifyWithAny) ProtoMessage added in v1.1.0

func (*VerifyWithAny) ProtoMessage()

func (*VerifyWithAny) ProtoReflect added in v1.1.0

func (x *VerifyWithAny) ProtoReflect() protoreflect.Message

func (*VerifyWithAny) Reset added in v1.1.0

func (x *VerifyWithAny) Reset()

func (*VerifyWithAny) String added in v1.1.0

func (x *VerifyWithAny) String() string

type VerifyWithKey added in v1.1.0

// VerifyWithKey requests verification against a caller-supplied public key.
// The key (or the key resolved from the reference) is the trust anchor for the
// verification, so the caller must obtain it through a channel it trusts.
type VerifyWithKey struct {

	// Public key to verify against.
	// Accepts either:
	// - PEM-encoded public key content (inline)
	// - Reference to a public key:
	//   - File path: "/path/to/cosign.pub" or "./cosign.pub"
	//   - HTTP(S) URL: "https://example.com/cosign.pub"
	//   - Environment variable: "env://COSIGN_PUBLIC_KEY"
	//   - AWS KMS: "awskms://[ENDPOINT]/[ID/ALIAS/ARN]"
	//   - GCP KMS: "gcpkms://projects/[PROJECT]/locations/[LOC]/keyRings/[RING]/cryptoKeys/[KEY]"
	//   - Azure Key Vault: "azurekms://[VAULT_NAME][VAULT_URI]/[KEY]"
	//   - Hashicorp Vault: "hashivault://[KEY]"
	//   - Kubernetes secret: "k8s://[NAMESPACE]/[SECRET_NAME]"
	//   - PKCS11 token: "pkcs11:token=...;slot-id=...;object=..."
	//   - GitLab: "gitlab://[PROJECT]"
	// NOTE(review): with the HTTP(S) form the remote endpoint effectively decides
	// which key the record is verified against; how the fetched content is
	// validated is not visible here.
	PublicKey string `protobuf:"bytes,1,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"`
	// contains filtered or unexported fields
}

func (*VerifyWithKey) Descriptor deprecated added in v1.1.0

func (*VerifyWithKey) Descriptor() ([]byte, []int)

Deprecated: Use VerifyWithKey.ProtoReflect.Descriptor instead.

func (*VerifyWithKey) GetPublicKey added in v1.1.0

func (x *VerifyWithKey) GetPublicKey() string

func (*VerifyWithKey) ProtoMessage added in v1.1.0

func (*VerifyWithKey) ProtoMessage()

func (*VerifyWithKey) ProtoReflect added in v1.1.0

func (x *VerifyWithKey) ProtoReflect() protoreflect.Message

func (*VerifyWithKey) Reset added in v1.1.0

func (x *VerifyWithKey) Reset()

func (*VerifyWithKey) String added in v1.1.0

func (x *VerifyWithKey) String() string

type VerifyWithOIDC added in v1.1.0

// VerifyWithOIDC requests verification against an expected OIDC signing
// identity (issuer and subject) using keyless verification options.
//
// NOTE(review): both Issuer and Subject accept a regular expression. Whether
// the implementation anchors patterns is not visible here, so write them
// anchored (^…$) yourself: an unanchored "user@example.com" also matches any
// identity that merely contains that substring, and "." matches any character.
type VerifyWithOIDC struct {

	// OIDC issuer URL.
	// Accepts exact match or regular expression (e.g., "https://github.com/login/oauth")
	Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"`
	// OIDC subject/identity.
	// Accepts exact match or regular expression (e.g., "user@example.com")
	Subject string `protobuf:"bytes,2,opt,name=subject,proto3" json:"subject,omitempty"`
	// Verification options for OIDC
	// Optional; when nil the defaults presumably apply (see
	// VerifyOptionsOIDC.GetDefaultOptions and DefaultVerifyOptionsOIDC).
	Options *VerifyOptionsOIDC `protobuf:"bytes,3,opt,name=options,proto3,oneof" json:"options,omitempty"`
	// contains filtered or unexported fields
}

func (*VerifyWithOIDC) Descriptor deprecated added in v1.1.0

func (*VerifyWithOIDC) Descriptor() ([]byte, []int)

Deprecated: Use VerifyWithOIDC.ProtoReflect.Descriptor instead.

func (*VerifyWithOIDC) GetIssuer added in v1.1.0

func (x *VerifyWithOIDC) GetIssuer() string

func (*VerifyWithOIDC) GetOptions added in v1.1.0

func (x *VerifyWithOIDC) GetOptions() *VerifyOptionsOIDC

func (*VerifyWithOIDC) GetSubject added in v1.1.0

func (x *VerifyWithOIDC) GetSubject() string

func (*VerifyWithOIDC) ProtoMessage added in v1.1.0

func (*VerifyWithOIDC) ProtoMessage()

func (*VerifyWithOIDC) ProtoReflect added in v1.1.0

func (x *VerifyWithOIDC) ProtoReflect() protoreflect.Message

func (*VerifyWithOIDC) Reset added in v1.1.0

func (x *VerifyWithOIDC) Reset()

func (*VerifyWithOIDC) String added in v1.1.0

func (x *VerifyWithOIDC) String() string
