package v1

v0.4.5 Latest

Warning: This package is not in the latest version of its module.

Published: Apr 17, 2026 License: Apache-2.0 Imports: 13 Imported by: 4

Documentation


Constants

const (
	SigstoreModeExact  string = "exact"
	SigstoreModeRegexp string = "regexp"
)

Variables

var File_carabiner_signer_v1_identity_proto protoreflect.FileDescriptor
var File_carabiner_signer_v1_signer_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type Identity

type Identity struct {
	Id       string            `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	Sigstore *IdentitySigstore `protobuf:"bytes,2,opt,name=sigstore,proto3,oneof" json:"sigstore,omitempty"`
	Key      *IdentityKey      `protobuf:"bytes,3,opt,name=key,proto3,oneof" json:"key,omitempty"`
	Ref      *IdentityRef      `protobuf:"bytes,4,opt,name=ref,proto3,oneof" json:"ref,omitempty"`
	// contains filtered or unexported fields
}

Identity captures a signer identity. An identity can be one of:

a) A sigstore identity
b) A key
c) A reference to an identity defined outside the policy

func NewIdentityFromSlug added in v0.3.4

func NewIdentityFromSlug(slug string) (*Identity, error)

NewIdentityFromSlug returns a new identity by parsing a slug string.

There are three kinds of identities supported: sigstore, key and reference.

func (*Identity) Descriptor deprecated

func (*Identity) Descriptor() ([]byte, []int)

Deprecated: Use Identity.ProtoReflect.Descriptor instead.

func (*Identity) GetId

func (x *Identity) GetId() string

func (*Identity) GetKey

func (x *Identity) GetKey() *IdentityKey

func (*Identity) GetRef

func (x *Identity) GetRef() *IdentityRef

func (*Identity) GetSigstore

func (x *Identity) GetSigstore() *IdentitySigstore

func (*Identity) ProtoMessage

func (*Identity) ProtoMessage()

func (*Identity) ProtoReflect

func (x *Identity) ProtoReflect() protoreflect.Message

func (*Identity) PublicKey added in v0.3.4

func (i *Identity) PublicKey() (key.PublicKeyProvider, error)

PublicKey returns the identity public key by parsing the data if set. It uses ParsePublicKeyProvider to preserve full key metadata (e.g. GPG key IDs and subkeys) required for PGP signature verification.

func (*Identity) Reset

func (x *Identity) Reset()

func (*Identity) Slug added in v0.3.4

func (i *Identity) Slug() string

Slug returns a string representing the identity.

func (*Identity) String

func (x *Identity) String() string

func (*Identity) Validate added in v0.3.4

func (i *Identity) Validate() error

Validate checks the integrity of the identity and returns an error if fields are missing or invalid.

type IdentityKey

type IdentityKey struct {
	Id                 string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`                                                           // Key ID
	Type               string `protobuf:"bytes,2,opt,name=type,proto3" json:"type,omitempty"`                                                       // Identity type
	Data               string `protobuf:"bytes,3,opt,name=data,proto3" json:"data,omitempty"`                                                       // Public key data
	SigningFingerprint string `protobuf:"bytes,4,opt,name=signing_fingerprint,json=signingFingerprint,proto3" json:"signing_fingerprint,omitempty"` // Fingerprint of the signing subkey
	// contains filtered or unexported fields
}

IdentityKey registers the data of a key used to sign attestations.

func IdentityKeyFromPublic added in v0.4.5

func IdentityKeyFromPublic(pub *key.Public) *IdentityKey

IdentityKeyFromPublic builds an IdentityKey from a verified *key.Public. It copies the key Id, Scheme (as Type) and — critically for GPG — the SigningKeyFingerprint populated during verification, so the resulting IdentityKey names the actual signing (sub)key rather than just the primary/identity key.

func (*IdentityKey) Descriptor deprecated

func (*IdentityKey) Descriptor() ([]byte, []int)

Deprecated: Use IdentityKey.ProtoReflect.Descriptor instead.

func (*IdentityKey) GetData

func (x *IdentityKey) GetData() string

func (*IdentityKey) GetId

func (x *IdentityKey) GetId() string

func (*IdentityKey) GetSigningFingerprint added in v0.4.5

func (x *IdentityKey) GetSigningFingerprint() string

func (*IdentityKey) GetType

func (x *IdentityKey) GetType() string

func (*IdentityKey) Normalize added in v0.4.0

func (ik *IdentityKey) Normalize() error

Normalize populates empty Type and Id fields by parsing the key Data. This ensures identities defined with only key material (e.g. a GPG key block) have their Id and Type resolved before matching.

func (*IdentityKey) ProtoMessage

func (*IdentityKey) ProtoMessage()

func (*IdentityKey) ProtoReflect

func (x *IdentityKey) ProtoReflect() protoreflect.Message

func (*IdentityKey) Reset

func (x *IdentityKey) Reset()

func (*IdentityKey) String

func (x *IdentityKey) String() string

type IdentityRef

type IdentityRef struct {
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// contains filtered or unexported fields
}

IdentityRef represents an identity defined outside of the policy. Most commonly these identities will be defined at the policy set level to have a common definition that can be reused by all policies in a set.

func (*IdentityRef) Descriptor deprecated

func (*IdentityRef) Descriptor() ([]byte, []int)

Deprecated: Use IdentityRef.ProtoReflect.Descriptor instead.

func (*IdentityRef) GetId

func (x *IdentityRef) GetId() string

func (*IdentityRef) ProtoMessage

func (*IdentityRef) ProtoMessage()

func (*IdentityRef) ProtoReflect

func (x *IdentityRef) ProtoReflect() protoreflect.Message

func (*IdentityRef) Reset

func (x *IdentityRef) Reset()

func (*IdentityRef) String

func (x *IdentityRef) String() string

type IdentitySigstore

type IdentitySigstore struct {
	Mode     *string `protobuf:"bytes,1,opt,name=mode,proto3,oneof" json:"mode,omitempty"`   // exact | regexp
	Issuer   string  `protobuf:"bytes,2,opt,name=issuer,proto3" json:"issuer,omitempty"`     // https://accounts.google.com
	Identity string  `protobuf:"bytes,3,opt,name=identity,proto3" json:"identity,omitempty"` //  "identity": "puerco@gmail.com"
	// contains filtered or unexported fields
}

IdentitySigstore represents the identity data in a Fulcio cert.

func (*IdentitySigstore) Descriptor deprecated

func (*IdentitySigstore) Descriptor() ([]byte, []int)

Deprecated: Use IdentitySigstore.ProtoReflect.Descriptor instead.

func (*IdentitySigstore) GetIdentity

func (x *IdentitySigstore) GetIdentity() string

func (*IdentitySigstore) GetIssuer

func (x *IdentitySigstore) GetIssuer() string

func (*IdentitySigstore) GetMode

func (x *IdentitySigstore) GetMode() string

func (*IdentitySigstore) ProtoMessage

func (*IdentitySigstore) ProtoMessage()

func (*IdentitySigstore) ProtoReflect

func (x *IdentitySigstore) ProtoReflect() protoreflect.Message

func (*IdentitySigstore) Reset

func (x *IdentitySigstore) Reset()

func (*IdentitySigstore) String

func (x *IdentitySigstore) String() string

type SignatureVerification

type SignatureVerification struct {

	// Date when the verification was performed
	Date *timestamppb.Timestamp `protobuf:"bytes,1,opt,name=date,proto3" json:"date,omitempty"`
	// SignatureVerified is set to true when a hash's signature was verified
	// with at least one key or cert. Verified does not imply any identity check.
	Verified bool `protobuf:"varint,2,opt,name=verified,proto3" json:"verified,omitempty"`
	// Identities has a list of the identities (sigstore signers or keys)
	// that signed the object.
	Identities []*Identity `protobuf:"bytes,3,rep,name=Identities,proto3" json:"Identities,omitempty"`
	// Message is an optional message that can be populated when a verification
	// was performed successfully.
	Message string `protobuf:"bytes,4,opt,name=message,proto3" json:"message,omitempty"`
	// Error is a message explaining why verification failed.
	Error string `protobuf:"bytes,5,opt,name=error,proto3" json:"error,omitempty"`
	// contains filtered or unexported fields
}

func (*SignatureVerification) Descriptor deprecated

func (*SignatureVerification) Descriptor() ([]byte, []int)

Deprecated: Use SignatureVerification.ProtoReflect.Descriptor instead.

func (*SignatureVerification) GetDate

func (x *SignatureVerification) GetDate() *timestamppb.Timestamp

func (*SignatureVerification) GetError

func (x *SignatureVerification) GetError() string

func (*SignatureVerification) GetIdentities

func (x *SignatureVerification) GetIdentities() []*Identity

func (*SignatureVerification) GetMessage

func (x *SignatureVerification) GetMessage() string

func (*SignatureVerification) GetVerified

func (x *SignatureVerification) GetVerified() bool

func (*SignatureVerification) MatchesIdentity added in v0.3.4

func (sv *SignatureVerification) MatchesIdentity(id *Identity) bool

MatchesIdentity returns true if one of the verifiers matches the passed identity.

func (*SignatureVerification) MatchesKeyIdentity added in v0.3.4

func (sv *SignatureVerification) MatchesKeyIdentity(keyIdentity *IdentityKey) bool

MatchesKeyIdentity returns true if one of the verified signatures was performed with the specified key. Matching rules:

  • Id (required): compared against both the signer's primary key Id and its signing subkey fingerprint — a policy can name a GPG identity by either its primary or its signing subkey.
  • Type (optional): narrows the match when both sides set it.
  • SigningFingerprint (optional): additional pin requiring the signer's subkey fingerprint to match exactly. Useful for policies that accept a key's identity but constrain which subkey is authorized.

Id and SigningFingerprint comparisons are case-insensitive since hex fingerprints appear in both cases in the wild. If the identity has Data but no Id, Normalize is called first to populate it.
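The three matching rules above, worked through on a constructed GPG signer. This is an added illustration written for this page, not the package's own MatchesKeyIdentity implementation: the IdentityKey, Identity and SignatureVerification structs below are plain stand-ins carrying only the fields the rules touch (the real types are protobuf-generated), the fingerprints are made-up hex strings, and the Normalize step for identities that carry Data but no Id is assumed to have already run, so Id is treated as required. The useful point for policy authors is the last case: a policy can trust a key by its primary Id and still pin exactly which signing subkey is allowed to produce attestations.

```go
package main

import (
	"fmt"
	"strings"
)

// IdentityKey mirrors the four fields of the page's IdentityKey message.
// Constructed stand-in for this example; the real type is protobuf-generated.
type IdentityKey struct {
	Id                 string // primary key id
	Type               string // key scheme; "gpg" below is an illustrative value
	Data               string // public key material (not parsed here)
	SigningFingerprint string // fingerprint of the signing subkey
}

// Identity holds only the key variant needed for this example.
type Identity struct {
	Key *IdentityKey
}

// SignatureVerification holds the identities that produced verified signatures.
type SignatureVerification struct {
	Verified   bool
	Identities []*Identity
}

// keyMatchesPolicy applies the documented rules to one signer key.
func keyMatchesPolicy(signer, policy *IdentityKey) bool {
	// Rule 1: Id is required and must equal either the signer's primary key
	// Id or its signing subkey fingerprint; hex case is ignored.
	if policy.Id == "" {
		return false
	}
	if !strings.EqualFold(policy.Id, signer.Id) &&
		!strings.EqualFold(policy.Id, signer.SigningFingerprint) {
		return false
	}
	// Rule 2: Type narrows the match only when both sides set it.
	if policy.Type != "" && signer.Type != "" && policy.Type != signer.Type {
		return false
	}
	// Rule 3: an optional SigningFingerprint pin must equal the signer's
	// subkey fingerprint (again case-insensitively).
	if policy.SigningFingerprint != "" &&
		!strings.EqualFold(policy.SigningFingerprint, signer.SigningFingerprint) {
		return false
	}
	return true
}

// MatchesKeyPolicy reports whether any signer key in sv satisfies the policy.
// Assumes policy.Id is already populated (the real method would call
// Normalize first when only Data is set).
func MatchesKeyPolicy(sv *SignatureVerification, policy *IdentityKey) bool {
	if sv == nil || policy == nil {
		return false
	}
	for _, id := range sv.Identities {
		if id == nil || id.Key == nil {
			continue
		}
		if keyMatchesPolicy(id.Key, policy) {
			return true
		}
	}
	return false
}

// SampleVerification builds a constructed verification result: one GPG signer
// whose signing subkey differs from its primary key. Fingerprints are fake.
func SampleVerification() *SignatureVerification {
	return &SignatureVerification{
		Verified: true,
		Identities: []*Identity{{Key: &IdentityKey{
			Id:                 "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555",
			Type:               "gpg",
			SigningFingerprint: "FFFF0000AAAA1111BBBB2222CCCC3333DDDD4444",
		}}},
	}
}

func main() {
	sv := SampleVerification()
	cases := map[string]*IdentityKey{
		"primary id, lowercase":      {Id: "aaaa1111bbbb2222cccc3333dddd4444eeee5555"},
		"subkey fingerprint as id":   {Id: "FFFF0000AAAA1111BBBB2222CCCC3333DDDD4444"},
		"type mismatch":              {Id: "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555", Type: "ssh"},
		"primary id + wrong subkey":  {Id: "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555", SigningFingerprint: "0000000000000000000000000000000000000000"},
		"primary id + pinned subkey": {Id: "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555", SigningFingerprint: "ffff0000aaaa1111bbbb2222cccc3333dddd4444"},
	}
	for name, policy := range cases {
		fmt.Printf("%-28s match=%v\n", name, MatchesKeyPolicy(sv, policy))
	}
}
```

The "primary id + wrong subkey" case is the one worth checking in a real policy: the primary key is trusted, yet the match fails because the pin names a subkey that did not produce the signature.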

func (*SignatureVerification) MatchesSigstoreIdentity added in v0.3.4

func (sv *SignatureVerification) MatchesSigstoreIdentity(id *IdentitySigstore) bool

MatchesSigstoreIdentity returns true if one of the verifiers matches the passed sigstore identity.

func (*SignatureVerification) ProtoMessage

func (*SignatureVerification) ProtoMessage()

func (*SignatureVerification) ProtoReflect

func (x *SignatureVerification) ProtoReflect() protoreflect.Message

func (*SignatureVerification) Reset

func (x *SignatureVerification) Reset()

func (*SignatureVerification) String

func (x *SignatureVerification) String() string

type Verification

type Verification struct {
	Signature *SignatureVerification `protobuf:"bytes,1,opt,name=signature,proto3" json:"signature,omitempty"`
	// contains filtered or unexported fields
}

Results of the signature verification process

func (*Verification) Descriptor deprecated

func (*Verification) Descriptor() ([]byte, []int)

Deprecated: Use Verification.ProtoReflect.Descriptor instead.

func (*Verification) Error added in v0.3.4

func (v *Verification) Error() string

Error implements the Go error interface when verification fails

func (*Verification) GetSignature

func (x *Verification) GetSignature() *SignatureVerification

func (*Verification) GetVerified added in v0.3.4

func (v *Verification) GetVerified() bool

GetVerified returns true if verification passed

func (*Verification) MatchesIdentity added in v0.3.4

func (v *Verification) MatchesIdentity(rawID any) bool

MatchesIdentity returns true if one of the verified signatures matches the identity.

func (*Verification) ProtoMessage

func (*Verification) ProtoMessage()

func (*Verification) ProtoReflect

func (x *Verification) ProtoReflect() protoreflect.Message

func (*Verification) Reset

func (x *Verification) Reset()

func (*Verification) String

func (x *Verification) String() string
