sourceintegrity

package
v3.5.0-rc2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 1, 2026 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source
const (
	TrustUnknown  = "unknown"
	TrustNone     = "never"
	TrustMarginal = "marginal"
	TrustFull     = "full"
	TrustUltimate = "ultimate"
)

Key trust values

Variables

This section is empty.

Functions

func CommitSignatureError

func CommitSignatureError(verifyCommit bool, gitClient git.Client, revision string, repo *appsv1.Repository) error

TODO: Remove deprecated https://github.com/argoproj/argo-cd/issues/27695

func DeletePGPKey

func DeletePGPKey(keyID string) error

DeletePGPKey deletes a key from our GnuPG key ring

func GetInstalledPGPKeys

func GetInstalledPGPKeys(kids []string) ([]*appsv1.GnuPGPublicKey, error)

GetInstalledPGPKeys runs gpg to retrieve public keys from our keyring. If kids is non-empty, limit result to those key IDs

func HasCriteria

func HasCriteria(si *v1alpha1.SourceIntegrity, sources ...v1alpha1.ApplicationSource) bool

HasCriteria determines if any of the sources have some criteria declared

func ImportPGPKeys

func ImportPGPKeys(keyFile string) ([]*appsv1.GnuPGPublicKey, error)

ImportPGPKeys imports one or more keys from a file into the local keyring and optionally signs them with the transient private key for leveraging the trust DB.

func ImportPGPKeysFromString

func ImportPGPKeysFromString(keyData string) ([]*appsv1.GnuPGPublicKey, error)

func InitializeGnuPG

func InitializeGnuPG() error

InitializeGnuPG will initialize a GnuPG working directory and also create a transient private key so that the trust DB will work correctly.

func IsGPGEnabled

func IsGPGEnabled() bool

IsGPGEnabled returns true if the GPG feature is enabled

func IsLongKeyID

func IsLongKeyID(k string) bool

IsLongKeyID returns true if the string represents a long key ID (aka fingerprint)

func IsSecretKey

func IsSecretKey(keyID string) (bool, error)

IsSecretKey returns true if the keyID also has a private key in the keyring

func IsShortKeyID

func IsShortKeyID(k string) bool

IsShortKeyID returns true if the string represents a short key ID

func KeyID

func KeyID(k string) (string, error)

KeyID get the actual correct (short) key ID from either a fingerprint or the key ID. Errors if it is not a valid GnuPG key ID.

func SetPGPTrustLevel

func SetPGPTrustLevel(pgpKeys []*appsv1.GnuPGPublicKey, trustLevel string) error

SetPGPTrustLevel sets the given trust level on specified keys

func SetPGPTrustLevelById

func SetPGPTrustLevelById(kids []string, trustLevel string) error

SetPGPTrustLevelById sets the given trust level on keys with specified key IDs

func SyncKeyRingFromDirectory

func SyncKeyRingFromDirectory(basePath string) ([]string, []string, error)

SyncKeyRingFromDirectory will sync the GPG keyring with files in a directory. This is a one-way sync, with the configuration being the leading information. Files must have a file name matching their Key ID. Keys that are found in the directory but are not in the keyring will be installed to the keyring, files that exist in the keyring but do not exist in the directory will be deleted.

func ValidatePGPKeys

func ValidatePGPKeys(keyFile string) (map[string]*appsv1.GnuPGPublicKey, error)

ValidatePGPKeys validates whether the keys in keyFile are valid PGP keys and can be imported It does so by importing them into a temporary keyring. The returned keys are complete, that is, they contain all relevant information

func ValidatePGPKeysFromString

func ValidatePGPKeysFromString(keyData string) (map[string]*appsv1.GnuPGPublicKey, error)

func VerifyGit

func VerifyGit(si *v1alpha1.SourceIntegrity, gitClient git.Client, verifiedRevision string) (*v1alpha1.SourceIntegrityCheckResult, string, error)

VerifyGit makes sure the git repository satisfies the criteria declared. It returns nil in case there were no relevant criteria, a check result if there were. The verifiedRevision is expected to be either an annotated tag to a resolved commit sha - the revision, its signature is being verified.

func VerifyGnuPGSignature

func VerifyGnuPGSignature(revision string, validKeys []string, verifyResult string) (condition *appsv1.ApplicationCondition)

TODO: Remove deprecated https://github.com/argoproj/argo-cd/issues/27695

Types

type PGPKeyID

type PGPKeyID string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL