Variables ¶
// Default option sets. Each is a plain value: callers that need a variant
// can copy one and override only the fields they care about.
var (
	// DefaultSign declares DSSE payloads as raw bytes and configures no keys.
	DefaultSign = Sign{
		PayloadType: "application/octet-stream",
	}

	// DefaultSigner targets the Sigstore public-good instance: TUF is pointed
	// at the public-good base URL with the default fetcher, Timestamp and
	// AppendToRekor are enabled, and the OIDC flow uses the public Sigstore
	// issuer with a loopback redirect on port 0 (randomized before the flow
	// starts, see Signer.OidcRedirectURL).
	DefaultSigner = Signer{
		TufOptions: tuf.TufOptions{
			TufRootURL:  tuf.SigstorePublicGoodBaseURL,
			TufRootPath: "",
			Fetcher:     tuf.Defaultfetcher(),
		},
		Timestamp:       true,
		AppendToRekor:   true,
		OidcRedirectURL: "http://localhost:0/auth/callback",
		OidcIssuer:      "https://oauth2.sigstore.dev/auth",
		OidcClientID:    "sigstore",
	}

	// DefaultVerifier uses the same public-good TUF settings, expects a
	// sha256 artifact digest, and requires all three proofs (CT log,
	// timestamp, transparency log). It configures no expected identity, so
	// per the Verifier documentation a verification with these defaults
	// fails until ExpectedIssuer/ExpectedSan (or the regex alternatives)
	// are set, or SkipIdentityCheck is explicitly enabled.
	DefaultVerifier = Verifier{
		TufOptions: tuf.TufOptions{
			TufRootURL:  tuf.SigstorePublicGoodBaseURL,
			TufRootPath: "",
			Fetcher:     tuf.Defaultfetcher(),
		},
		ArtifactDigestAlgo: "sha256",
		RequireCTlog:       true,
		RequireTimestamp:   true,
		RequireTlog:        true,
	}
)
Types ¶
type Sign ¶
// Sign holds the options that control a single signing operation, as
// opposed to Signer, which configures the signer itself. DefaultSign is
// the starting point for callers that only need the defaults.
type Sign struct {
	// PayloadType is the payload type to be declared in DSSE envelopes
	// (DefaultSign uses "application/octet-stream").
	PayloadType string
	// Keys are the PrivateKeys for DSSE envelope signing. These will be
	// honored later to reuse in bundle signing. Populated by WithKey.
	Keys []key.PrivateKeyProvider
}
Sign options (not to be confused with Signer options) control the behavior of each signing operation.
type SignOptFn ¶
func WithKey ¶ added in v0.2.0
func WithKey(keys ...key.PrivateKeyProvider) SignOptFn
WithKey adds one or more key providers that will be used to sign
func WithPayloadType ¶
WithPayloadType sets the DSSE payload type
type Signer ¶
// Signer configures the signer itself: where the TUF root is read from,
// which proofs are produced and how the OIDC identity is obtained. See
// DefaultSigner for the Sigstore public-good configuration.
type Signer struct {
	// TufOptions locate the TUF root (URL, local path and fetcher) used
	// while signing.
	tuf.TufOptions
	// Token is an already-obtained OIDC identity token. Presumably the
	// interactive OIDC flow is skipped when it is set — confirm in the
	// signer implementation.
	Token *oauthflow.OIDCIDToken
	// Timestamp enables timestamping (DefaultSigner sets it to true).
	Timestamp bool
	// AppendToRekor enables appending the signature to the Rekor
	// transparency log (DefaultSigner sets it to true).
	AppendToRekor bool
	// DisableSTS — NOTE(review): semantics are not visible in this file;
	// confirm what it disables before relying on it.
	DisableSTS bool
	// OidcRedirectURL defines the URL that the browser will redirect to.
	// if the port is set to 0, bind will randomize it to a high number
	// port before starting the OIDC flow.
	OidcRedirectURL string
	// OidcIssuer is the OIDC issuer the identity token is requested from.
	OidcIssuer string
	// OidcClientID is the client ID presented to the issuer.
	OidcClientID string
	// OidcClientSecret is the client secret presented to the issuer. It is
	// a credential: keep it out of logs, error messages and config dumps.
	OidcClientSecret string
}
Signer
type Verifier ¶
// Verifier configures signature verification: the TUF root, the artifact
// digest to match, the signer identity to expect and which proofs are
// mandatory. DefaultVerifier is the public-good configuration with all
// three proofs required.
type Verifier struct {
	// TufOptions locate the TUF root (URL, local path and fetcher) the
	// verification trust material is taken from.
	tuf.TufOptions
	// ArtifactDigestAlgo and ArtifactDigest are the artifact digest to check
	// in addition to the signature (DefaultVerifier uses "sha256"; see
	// WithArtifactData, which derives them from the raw artifact data).
	ArtifactDigestAlgo string
	ArtifactDigest string
	// ExpectedIssuer and ExpectedSan define the issuer and SAN to look for in
	// the fulcio cert. For a broader matching behavior, choose the *Regex
	// alternatives.
	// Verification will fail if these are not set. To skip the identity check
	// set SkipIdentityCheck to true.
	ExpectedIssuer string
	ExpectedIssuerRegex string
	ExpectedSan string
	ExpectedSanRegex string
	// SkipIdentityCheck makes the verifier skip the identity check. This
	// will ignore any setting in ExpectedIssuer ExpectedIssuerRegex
	// ExpectedSan or ExpectedSanRegex. With it set only the signed payload is
	// checked: the signature is still validated but is not bound to any
	// particular signer identity, so a positive result establishes integrity
	// rather than provenance.
	SkipIdentityCheck bool
	// RequireCTlog, RequireTimestamp and RequireTlog make the corresponding
	// proof mandatory (DefaultVerifier sets all three to true). Presumably a
	// signature lacking a required proof fails verification — confirm in
	// the verifier implementation.
	RequireCTlog bool
	RequireTimestamp bool
	RequireTlog bool
	// PubKeys are the public keys to verify DSSE envelopes.
	PubKeys []crypto.PublicKey
}
type VerifierOptFunc ¶
func WithArtifactData ¶
func WithArtifactData(data []byte) VerifierOptFunc
WithArtifactData hashes the artifact data to be verified along with the signature. This is required for message verifications.
func WithExpectedIdentity ¶
func WithExpectedIdentity(issuer, san string) VerifierOptFunc
WithExpectedIdentity sets the ExpectedIssuer and ExpectedSan options and unsets the regex alternatives.
func WithExpectedIdentityRegex ¶ added in v0.1.1
func WithExpectedIdentityRegex(issuer, san string) VerifierOptFunc
WithExpectedIdentityRegex sets the ExpectedIssuerRegex and ExpectedSanRegex options and unsets the non-regex alternatives.
func WithSkipIdentityCheck ¶
func WithSkipIdentityCheck(yesno bool) VerifierOptFunc
WithSkipIdentityCheck instructs the verifier not to check the signature identities; only the signed payload will be checked.