Documentation
Index
Constants
This section is empty.
Variables
var DefaultSign = Sign{
PayloadType: "application/octet-stream",
}
var DefaultSigner = Signer{
	TufOptions: tuf.TufOptions{
		TufRootURL:  tuf.SigstorePublicGoodBaseURL,
		TufRootPath: "",
		Fetcher:     tuf.Defaultfetcher(),
	},
	Timestamp:       true,
	AppendToRekor:   true,
	OidcRedirectURL: "http://localhost:0/auth/callback",
	OidcIssuer:      "https://oauth2.sigstore.dev/auth",
	OidcClientID:    "sigstore",
}
var DefaultVerifier = Verifier{
	TufOptions: tuf.TufOptions{
		TufRootURL:  tuf.SigstorePublicGoodBaseURL,
		TufRootPath: "",
		Fetcher:     tuf.Defaultfetcher(),
	},
	ArtifactDigestAlgo: "sha256",
	RequireCTlog:       true,
	RequireTimestamp:   true,
	RequireTlog:        true,
}
Functions
This section is empty.
Types
type Sign
type Sign struct {
	// PayloadType is the payload type to be declared in DSSE envelopes
	PayloadType string
}
Sign options (not to be confused with Signer options) control the behavior of each individual signing operation.
type SignOptFn
func WithPayloadType
WithPayloadType sets the DSSE payload type declared in the envelope.
type Signer
type Signer struct {
	tuf.TufOptions
	Token         *oauthflow.OIDCIDToken
	Timestamp     bool
	AppendToRekor bool
	DisableSTS    bool
	// OidcRedirectURL defines the URL that the browser will be redirected to
	// at the end of the OIDC flow. If the port is set to 0, the signer binds
	// to a randomly chosen high-numbered port before starting the flow.
	OidcRedirectURL  string
	OidcIssuer       string
	OidcClientID     string
	OidcClientSecret string
}
Signer options configure the signer itself: the TUF trust root, the OIDC flow used to obtain a signing certificate, and whether to request a timestamp and append the signature to Rekor. They are distinct from the per-operation Sign options.
type Verifier
type Verifier struct {
	tuf.TufOptions
	// Artifact digest to check, in addition to the signature, when verifying
	ArtifactDigestAlgo string
	ArtifactDigest     string
	// ExpectedIssuer and ExpectedSan define the issuer and SAN to look for in
	// the Fulcio certificate. For broader matching, use the *Regex
	// alternatives.
	// Verification will fail if none of these are set. To skip the identity
	// check, set SkipIdentityCheck to true.
	ExpectedIssuer      string
	ExpectedIssuerRegex string
	ExpectedSan         string
	ExpectedSanRegex    string
	// SkipIdentityCheck makes the verifier skip the identity check. This
	// ignores any setting in ExpectedIssuer, ExpectedIssuerRegex,
	// ExpectedSan or ExpectedSanRegex.
	SkipIdentityCheck bool
	RequireCTlog      bool
	RequireTimestamp  bool
	RequireTlog       bool
}
type VerifierOptFunc
func WithArtifactData
func WithArtifactData(data []byte) VerifierOptFunc
WithArtifactData hashes the artifact data so the digest can be checked alongside the signature. This is required for message verifications.
func WithExpectedIdentity
func WithExpectedIdentity(issuer, san string) VerifierOptFunc
WithExpectedIdentity sets the ExpectedIssuer and ExpectedSan options and unsets the regex alternatives.
func WithExpectedIdentityRegex added in v0.1.1
func WithExpectedIdentityRegex(issuer, san string) VerifierOptFunc
WithExpectedIdentityRegex sets the ExpectedIssuerRegex and ExpectedSanRegex options and unsets the non-regex alternatives. Go regular expressions match substrings unless anchored, so unless a substring match is intended, anchor the patterns with ^ and $.
func WithSkipIdentityCheck
func WithSkipIdentityCheck(yesno bool) VerifierOptFunc
WithSkipIdentityCheck instructs the verifier not to check the signing identity; only the signature over the payload is verified. Any signature that chains to the configured trust root is then accepted regardless of who produced it, so enable this only when identity is enforced elsewhere.
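The identity rules described for the Verifier fields and the three identity option functions above, as an added, self-contained example rather than the package's own code. IdentityVerifier, OptFunc, NewVerifier, anchoredMatch and CheckIdentity are local stand-ins that mirror the documented field names and option semantics (exact fields clear regex fields and vice versa, no expectation fails closed, SkipIdentityCheck bypasses everything); the oidc.example.com issuer and ci.example.com SAN values are constructed. Whether the library itself anchors its regex patterns is not stated on this page, so the stand-in anchors them and callers should write anchored patterns regardless.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// IdentityVerifier is a local stand-in, not the library's own type. It mirrors
// the identity fields of the documented Verifier struct so the matching rules
// can be exercised without the library.
type IdentityVerifier struct {
	ExpectedIssuer      string
	ExpectedIssuerRegex string
	ExpectedSan         string
	ExpectedSanRegex    string
	SkipIdentityCheck   bool
}

// OptFunc has the functional-option shape of the documented VerifierOptFunc.
type OptFunc func(*IdentityVerifier) error

// NewVerifier applies options in order; a later option overrides an earlier one.
func NewVerifier(opts ...OptFunc) (*IdentityVerifier, error) {
	v := &IdentityVerifier{}
	for _, o := range opts {
		if err := o(v); err != nil {
			return nil, err
		}
	}
	return v, nil
}

// WithExpectedIdentity sets the exact issuer and SAN and clears the regex fields.
func WithExpectedIdentity(issuer, san string) OptFunc {
	return func(v *IdentityVerifier) error {
		v.ExpectedIssuer, v.ExpectedSan = issuer, san
		v.ExpectedIssuerRegex, v.ExpectedSanRegex = "", ""
		return nil
	}
}

// WithExpectedIdentityRegex sets the regex fields, clears the exact ones and
// rejects patterns that do not compile instead of failing later at verify time.
func WithExpectedIdentityRegex(issuer, san string) OptFunc {
	return func(v *IdentityVerifier) error {
		for _, p := range []string{issuer, san} {
			if _, err := regexp.Compile(p); err != nil {
				return fmt.Errorf("invalid identity pattern %q: %w", p, err)
			}
		}
		v.ExpectedIssuerRegex, v.ExpectedSanRegex = issuer, san
		v.ExpectedIssuer, v.ExpectedSan = "", ""
		return nil
	}
}

// WithSkipIdentityCheck turns the identity check off entirely.
func WithSkipIdentityCheck(yesno bool) OptFunc {
	return func(v *IdentityVerifier) error { v.SkipIdentityCheck = yesno; return nil }
}

// anchoredMatch forces the pattern to cover the whole value: an unanchored
// "ci.example.com/org/repo" would also accept "evil.example/ci.example.com/org/repo-fork".
func anchoredMatch(pattern, s string) bool {
	return regexp.MustCompile("^(?:" + pattern + ")$").MatchString(s)
}

// CheckIdentity applies the documented rules: skip when asked, exact match when
// the exact fields are set, regex match when the regex fields are set, and fail
// closed when no expectation is configured at all.
func (v *IdentityVerifier) CheckIdentity(certIssuer, certSan string) error {
	if v.SkipIdentityCheck {
		return nil
	}
	switch {
	case v.ExpectedIssuer != "" && v.ExpectedSan != "":
		if certIssuer != v.ExpectedIssuer || certSan != v.ExpectedSan {
			return fmt.Errorf("identity %s / %s != expected %s / %s", certIssuer, certSan, v.ExpectedIssuer, v.ExpectedSan)
		}
		return nil
	case v.ExpectedIssuerRegex != "" && v.ExpectedSanRegex != "":
		if !anchoredMatch(v.ExpectedIssuerRegex, certIssuer) || !anchoredMatch(v.ExpectedSanRegex, certSan) {
			return fmt.Errorf("identity %s / %s does not match %s / %s", certIssuer, certSan, v.ExpectedIssuerRegex, v.ExpectedSanRegex)
		}
		return nil
	default:
		return errors.New("no expected identity configured and SkipIdentityCheck is false")
	}
}

func main() {
	// Constructed sample identity and patterns; no real certificate is involved.
	v, err := NewVerifier(WithExpectedIdentityRegex(`https://oidc\.example\.com`, `https://ci\.example\.com/org/repo/.*@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+`))
	if err != nil {
		panic(err)
	}
	fmt.Println("tag build:", v.CheckIdentity("https://oidc.example.com", "https://ci.example.com/org/repo/release.yml@refs/tags/v1.2.3"))
	fmt.Println("branch build:", v.CheckIdentity("https://oidc.example.com", "https://ci.example.com/org/repo/release.yml@refs/heads/main"))
}
```

The regex form is what lets a policy say "any workflow in this repository, but only when building a release tag": the tag build passes while the branch build is rejected, and because the patterns are anchored a SAN that merely embeds the expected value under a different host is rejected too.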