bnd

package
v0.2.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 25, 2025 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Index

Constants

View Source 
const GitHubTimeStamperURL = "https://timestamp.githubapp.com/api/v1/timestamp"
View Source 
const SigstorePublicGoodBaseURL = "https://tuf-repo-cdn.sigstore.dev"

Variables

View Source 
var DefaultSignerOptions = SignerOptions{
	TufOptions: TufOptions{
		TufRootURL:  SigstorePublicGoodBaseURL,
		TufRootPath: "",
		Fetcher:     defaultfetcher(),
	},
	Timestamp:     true,
	AppendToRekor: true,

	OidcRedirectURL: "http://localhost:0/auth/callback",
	OidcIssuer:      "https://oauth2.sigstore.dev/auth",
	OidcClientID:    "sigstore",
}
View Source 
var DefaultVerifierOptions = VerificationOptions{
	TufOptions: TufOptions{
		TufRootURL:  SigstorePublicGoodBaseURL,
		TufRootPath: "",
		Fetcher:     defaultfetcher(),
	},
	ArtifactDigestAlgo: "sha256",
	RequireCTlog:       true,
	RequireTimestamp:   true,
	RequireTlog:        true,
}

Functions

func GetTufClient 

func GetTufClient(opts *TufOptions) (*tuf.Client, error)

GetTufClient returns a TUF client configured with the options

func GetTufRoot 

func GetTufRoot(opts *TufOptions) ([]byte, error)

GetTufRoot fetches the trusted root from the configured URL or from the sigstore public instance.

Types

type BundleSigner 

type BundleSigner interface {
	VerifyContent(*SignerOptions, []byte) error
	WrapStatement([]byte) *sign.DSSEData
	GetKeyPair(*SignerOptions) (*sign.EphemeralKeypair, error)
	GetAmbienTokens(*SignerOptions) error
	GetOidcToken(*SignerOptions) error
	BuildSigstoreSignerOptions(*SignerOptions) (*sign.BundleOptions, error)
	SignBundle(content sign.Content, keypair sign.Keypair, opts *sign.BundleOptions) (*v1.Bundle, error)
}

BundleSigner abstracts the signer implementation to make it easy to mock

type BundleVerifier 

type BundleVerifier interface {
	OpenBundle(string) (*bundle.Bundle, error)
	BuildSigstoreVerifier(*VerificationOptions) (VerifyCapable, error)
	RunVerification(*VerificationOptions, VerifyCapable, *bundle.Bundle) (*verify.VerificationResult, error)
}

BundleVerifier abstracts the verification implementation to make it easy to mock for testing.

type Signer 

type Signer struct {
	Options SignerOptions
	// contains filtered or unexported fields
}

func NewSigner 

func NewSigner() *Signer

func (*Signer) SignStatement 

func (s *Signer) SignStatement(data []byte) (*v1.Bundle, error)

SignStatement signs a statement using the configured options and returns a bundle. The signing process will try to obtain the signer identity in this order:

  1. Try the configured ambient credentials providers (currently only the GitHub actions plugin is supported).
  2. If a terminal is detected, it will start the sigstore oidc flow in a browser.
  3. If no terminal is detected, it will start the sigstore device flow.

func (*Signer) WriteBundle 

func (s *Signer) WriteBundle(bndl *v1.Bundle, w io.Writer) error

WriteBundle writes the bundle JSON to

type SignerOptions 

type SignerOptions struct {
	TufOptions
	Token         *oauthflow.OIDCIDToken
	Timestamp     bool
	AppendToRekor bool
	DisableSTS    bool

	// OidcRedirectURL defines the URL that the browser will redirect to.
	// if the port is set to 0, bind will randomize it to a high number
	// port before starting the OIDC flow.
	OidcRedirectURL  string
	OidcIssuer       string
	OidcClientID     string
	OidcClientSecret string
}

SignerOptions

func (*SignerOptions) Validate 

func (so *SignerOptions) Validate() error

type TufOptions 

type TufOptions struct {
	Fetcher     fetcher.Fetcher
	TufRootPath string
	TufRootURL  string
}

TufOptions captures the TUF options handled by bind

type VerificationOptions 

type VerificationOptions struct {
	TufOptions
	ArtifactDigest      string
	ArtifactDigestAlgo  string
	ExpectedIssuer      string
	ExpectedIssuerRegex string
	ExpectedSan         string
	ExpectedSanRegex    string
	SkipIdentityCheck   bool
	RequireCTlog        bool
	RequireTimestamp    bool
	RequireTlog         bool
}

type Verifier 

type Verifier struct {
	Options VerificationOptions
	// contains filtered or unexported fields
}

func NewVerifier 

func NewVerifier() *Verifier

func (*Verifier) VerifyBundle 

func (v *Verifier) VerifyBundle(bundlePath string) (*verify.VerificationResult, error)

VerifyBundle verifies a signed bundle containing a dsse envelope

func (*Verifier) VerifyInlineBundle 

func (v *Verifier) VerifyInlineBundle(bundleContents []byte) (*verify.VerificationResult, error)

VerifyBundle verifies a signed bundle containing a dsse envelope

func (*Verifier) VerifyParsedBundle added in v0.1.4 

func (v *Verifier) VerifyParsedBundle(bndl *bundle.Bundle) (*verify.VerificationResult, error)

type VerifyCapable 

type VerifyCapable interface {
	Verify(verify.SignedEntity, verify.PolicyBuilder) (*verify.VerificationResult, error)
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.