Documentation
¶
Index ¶
Constants ¶
View Source
const GitHubTimeStamperURL = "https://timestamp.githubapp.com/api/v1/timestamp"
View Source
const SigstorePublicGoodBaseURL = "https://tuf-repo-cdn.sigstore.dev"
Variables ¶
View Source
var DefaultSignerOptions = SignerOptions{ TufOptions: TufOptions{ TufRootURL: SigstorePublicGoodBaseURL, TufRootPath: "", Fetcher: defaultfetcher(), }, Timestamp: true, AppendToRekor: true, OidcRedirectURL: "http://localhost:0/auth/callback", OidcIssuer: "https://oauth2.sigstore.dev/auth", OidcClientID: "sigstore", }
View Source
var DefaultVerifierOptions = VerificationOptions{ TufOptions: TufOptions{ TufRootURL: SigstorePublicGoodBaseURL, TufRootPath: "", Fetcher: defaultfetcher(), }, ArtifactDigestAlgo: "sha256", RequireCTlog: true, RequireTimestamp: true, RequireTlog: true, }
Functions ¶
func GetTufClient ¶
func GetTufClient(opts *TufOptions) (*tuf.Client, error)
GetTufClient returns a TUF client configured with the options
func GetTufRoot ¶
func GetTufRoot(opts *TufOptions) ([]byte, error)
GetTufRoot fetches the trusted root from the configured URL or from the sigstore public instance.
Types ¶
type BundleSigner ¶
type BundleSigner interface {
VerifyContent(*SignerOptions, []byte) error
WrapStatement([]byte) *sign.DSSEData
GetKeyPair(*SignerOptions) (*sign.EphemeralKeypair, error)
GetAmbienTokens(*SignerOptions) error
GetOidcToken(*SignerOptions) error
BuildSigstoreSignerOptions(*SignerOptions) (*sign.BundleOptions, error)
SignBundle(content sign.Content, keypair sign.Keypair, opts *sign.BundleOptions) (*v1.Bundle, error)
}
BundleSigner abstracts the signer implementation to make it easy to mock
type BundleVerifier ¶
type BundleVerifier interface {
OpenBundle(string) (*bundle.Bundle, error)
BuildSigstoreVerifier(*VerificationOptions) (VerifyCapable, error)
RunVerification(*VerificationOptions, VerifyCapable, *bundle.Bundle) (*verify.VerificationResult, error)
}
BundleVerifier abstracts the verification implementation to make it easy to mock for testing.
type Signer ¶
type Signer struct {
Options SignerOptions
// contains filtered or unexported fields
}
func (*Signer) SignStatement ¶
SignStatement signs a statement using the configured options and returns a bundle. The signing process will try to obtain the signer identity in this order:
- Try the configured ambient credentials providers (currently only the GitHub actions plugin is supported).
- If a terminal is detected, it will start the sigstore oidc flow in a browser.
- If no terminal is detected, it will start the sigstore device flow.
type SignerOptions ¶
type SignerOptions struct {
TufOptions
Token *oauthflow.OIDCIDToken
Timestamp bool
AppendToRekor bool
DisableSTS bool
// OidcRedirectURL defines the URL that the browser will redirect to.
// if the port is set to 0, bind will randomize it to a high number
// port before starting the OIDC flow.
OidcRedirectURL string
OidcIssuer string
OidcClientID string
OidcClientSecret string
}
SignerOptions
func (*SignerOptions) Validate ¶
func (so *SignerOptions) Validate() error
type TufOptions ¶
TufOptions captures the TUF options handled by bind
type VerificationOptions ¶
type Verifier ¶
type Verifier struct {
Options VerificationOptions
// contains filtered or unexported fields
}
func NewVerifier ¶
func NewVerifier() *Verifier
func (*Verifier) VerifyBundle ¶
func (v *Verifier) VerifyBundle(bundlePath string) (*verify.VerificationResult, error)
VerifyBundle verifies a signed bundle containing a dsse envelope
func (*Verifier) VerifyInlineBundle ¶
func (v *Verifier) VerifyInlineBundle(bundleContents []byte) (*verify.VerificationResult, error)
VerifyBundle verifies a signed bundle containing a dsse envelope
type VerifyCapable ¶
type VerifyCapable interface {
Verify(verify.SignedEntity, verify.PolicyBuilder) (*verify.VerificationResult, error)
}
Source Files
Click to show internal directories.
Click to hide internal directories.