Documentation
Index ¶
- Constants
- Variables
- type Identity
- func (*Identity) Descriptor() ([]byte, []int)deprecated
- func (x *Identity) GetId() string
- func (x *Identity) GetKey() *IdentityKey
- func (x *Identity) GetRef() *IdentityRef
- func (x *Identity) GetSigstore() *IdentitySigstore
- func (*Identity) ProtoMessage()
- func (x *Identity) ProtoReflect() protoreflect.Message
- func (i *Identity) PublicKey() (key.PublicKeyProvider, error)
- func (x *Identity) Reset()
- func (i *Identity) Slug() string
- func (x *Identity) String() string
- func (i *Identity) Validate() error
- type IdentityKey
- func (*IdentityKey) Descriptor() ([]byte, []int)deprecated
- func (x *IdentityKey) GetData() string
- func (x *IdentityKey) GetId() string
- func (x *IdentityKey) GetType() string
- func (ik *IdentityKey) Normalize() error
- func (*IdentityKey) ProtoMessage()
- func (x *IdentityKey) ProtoReflect() protoreflect.Message
- func (x *IdentityKey) Reset()
- func (x *IdentityKey) String() string
- type IdentityRef
- type IdentitySigstore
- func (*IdentitySigstore) Descriptor() ([]byte, []int)deprecated
- func (x *IdentitySigstore) GetIdentity() string
- func (x *IdentitySigstore) GetIssuer() string
- func (x *IdentitySigstore) GetMode() string
- func (*IdentitySigstore) ProtoMessage()
- func (x *IdentitySigstore) ProtoReflect() protoreflect.Message
- func (x *IdentitySigstore) Reset()
- func (x *IdentitySigstore) String() string
- type SignatureVerification
- func (*SignatureVerification) Descriptor() ([]byte, []int)deprecated
- func (x *SignatureVerification) GetDate() *timestamppb.Timestamp
- func (x *SignatureVerification) GetError() string
- func (x *SignatureVerification) GetIdentities() []*Identity
- func (x *SignatureVerification) GetMessage() string
- func (x *SignatureVerification) GetVerified() bool
- func (sv *SignatureVerification) MatchesIdentity(id *Identity) bool
- func (sv *SignatureVerification) MatchesKeyIdentity(keyIdentity *IdentityKey) bool
- func (sv *SignatureVerification) MatchesSigstoreIdentity(id *IdentitySigstore) bool
- func (*SignatureVerification) ProtoMessage()
- func (x *SignatureVerification) ProtoReflect() protoreflect.Message
- func (x *SignatureVerification) Reset()
- func (x *SignatureVerification) String() string
- type Verification
- func (*Verification) Descriptor() ([]byte, []int)deprecated
- func (v *Verification) Error() string
- func (x *Verification) GetSignature() *SignatureVerification
- func (v *Verification) GetVerified() bool
- func (v *Verification) MatchesIdentity(rawID any) bool
- func (*Verification) ProtoMessage()
- func (x *Verification) ProtoReflect() protoreflect.Message
- func (x *Verification) Reset()
- func (x *Verification) String() string
Constants ¶
// Matching modes accepted in IdentitySigstore.Mode (see its "exact | regexp"
// field comment). How each mode is applied to Issuer and Identity is not
// visible here — presumably "exact" is string equality and "regexp" a
// regular-expression match; confirm against MatchesSigstoreIdentity.
const (
	SigstoreModeExact  string = "exact"
	SigstoreModeRegexp string = "regexp"
)
Variables ¶
// File_carabiner_signer_v1_identity_proto and File_carabiner_signer_v1_signer_proto
// are the protobuf file descriptors for this package's two .proto sources
// (identity and signer), backing the ProtoReflect methods of the message
// types below. Presumably protoc-gen-go output; not meant to be modified by
// callers.
var File_carabiner_signer_v1_identity_proto protoreflect.FileDescriptor
var File_carabiner_signer_v1_signer_proto protoreflect.FileDescriptor
Functions ¶
This section is empty.
Types ¶
type Identity ¶
// Identity captures a signer identity. An identity is intended to be one of:
// a) a sigstore identity, b) a key, or c) a reference to an identity defined
// outside the policy.
//
// NOTE(review): each variant field is tagged `oneof` on its own, which looks
// like a proto3 optional field rather than a shared oneof group, so the Go
// type does not enforce that exactly one variant is set; presumably Validate
// checks this — confirm.
type Identity struct {
	// Id is the identity's identifier.
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// Sigstore holds the certificate (Fulcio) identity variant.
	Sigstore *IdentitySigstore `protobuf:"bytes,2,opt,name=sigstore,proto3,oneof" json:"sigstore,omitempty"`
	// Key holds the public-key identity variant.
	Key *IdentityKey `protobuf:"bytes,3,opt,name=key,proto3,oneof" json:"key,omitempty"`
	// Ref points to an identity defined outside the policy (e.g. at the
	// policy set level).
	Ref *IdentityRef `protobuf:"bytes,4,opt,name=ref,proto3,oneof" json:"ref,omitempty"`
	// contains filtered or unexported fields
}
Identity captures a signer identity. An identity can be one of:
a) a sigstore identity, b) a key, or c) a reference to an identity defined outside the policy.
func NewIdentityFromSlug ¶ added in v0.3.4
NewIdentityFromSlug returns a new identity by parsing a slug string.
There are three kinds of identities supported: sigstore, key and reference.
func (*Identity) Descriptor
deprecated
func (*Identity) GetKey ¶
func (x *Identity) GetKey() *IdentityKey
func (*Identity) GetRef ¶
func (x *Identity) GetRef() *IdentityRef
func (*Identity) GetSigstore ¶
func (x *Identity) GetSigstore() *IdentitySigstore
func (*Identity) ProtoMessage ¶
func (*Identity) ProtoMessage()
func (*Identity) ProtoReflect ¶
func (x *Identity) ProtoReflect() protoreflect.Message
func (*Identity) PublicKey ¶ added in v0.3.4
func (i *Identity) PublicKey() (key.PublicKeyProvider, error)
PublicKey returns the identity public key by parsing the data if set. It uses ParsePublicKeyProvider to preserve full key metadata (e.g. GPG key IDs and subkeys) required for PGP signature verification.
type IdentityKey ¶
// IdentityKey registers the data of a key used to sign attestations.
//
// Id and Type may be left empty when only Data (the key material) is given:
// Normalize derives them from Data, and MatchesKeyIdentity compares on Id and
// Type, so an IdentityKey should be normalized before it is matched.
type IdentityKey struct {
	// Id is the key ID (e.g. a GPG key ID — TODO confirm the format per Type).
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// Type is the key (identity) type; filled in by Normalize when empty.
	Type string `protobuf:"bytes,2,opt,name=type,proto3" json:"type,omitempty"`
	// Data is the public key material parsed by Normalize and PublicKey.
	Data string `protobuf:"bytes,3,opt,name=data,proto3" json:"data,omitempty"`
	// contains filtered or unexported fields
}
IdentityKey registers the data of a key used to sign attestations.
func (*IdentityKey) Descriptor
deprecated
func (*IdentityKey) Descriptor() ([]byte, []int)
Deprecated: Use IdentityKey.ProtoReflect.Descriptor instead.
func (*IdentityKey) GetData ¶
func (x *IdentityKey) GetData() string
func (*IdentityKey) GetId ¶
func (x *IdentityKey) GetId() string
func (*IdentityKey) GetType ¶
func (x *IdentityKey) GetType() string
func (*IdentityKey) Normalize ¶ added in v0.4.0
func (ik *IdentityKey) Normalize() error
Normalize populates empty Type and Id fields by parsing the key Data. This ensures identities defined with only key material (e.g. a GPG key block) have their Id and Type resolved before matching.
func (*IdentityKey) ProtoMessage ¶
func (*IdentityKey) ProtoMessage()
func (*IdentityKey) ProtoReflect ¶
func (x *IdentityKey) ProtoReflect() protoreflect.Message
func (*IdentityKey) Reset ¶
func (x *IdentityKey) Reset()
func (*IdentityKey) String ¶
func (x *IdentityKey) String() string
type IdentityRef ¶
// IdentityRef represents an identity defined outside of the policy, most
// commonly at the policy set level so that one definition can be reused by
// all policies in a set.
type IdentityRef struct {
	// Id is the identifier of the externally defined identity this reference
	// resolves to (presumably matched against Identity.Id — confirm).
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// contains filtered or unexported fields
}
IdentityRef represents an identity defined outside of the policy. Most commonly these identities will be defined at the policy set level to have a common definition that can be reused by all policies in a set.
func (*IdentityRef) Descriptor
deprecated
func (*IdentityRef) Descriptor() ([]byte, []int)
Deprecated: Use IdentityRef.ProtoReflect.Descriptor instead.
func (*IdentityRef) GetId ¶
func (x *IdentityRef) GetId() string
func (*IdentityRef) ProtoMessage ¶
func (*IdentityRef) ProtoMessage()
func (*IdentityRef) ProtoReflect ¶
func (x *IdentityRef) ProtoReflect() protoreflect.Message
func (*IdentityRef) Reset ¶
func (x *IdentityRef) Reset()
func (*IdentityRef) String ¶
func (x *IdentityRef) String() string
type IdentitySigstore ¶
// IdentitySigstore represents the identity data in a Fulcio cert.
type IdentitySigstore struct {
	// Mode selects how Issuer and Identity are compared: SigstoreModeExact or
	// SigstoreModeRegexp. It is a pointer (optional), and the behaviour when
	// nil is not visible here — TODO confirm the default in
	// MatchesSigstoreIdentity. In regexp mode, patterns that are not anchored
	// (^...$) can match more identities than intended.
	Mode *string `protobuf:"bytes,1,opt,name=mode,proto3,oneof" json:"mode,omitempty"` // exact | regexp
	// Issuer is the issuer recorded in the cert, e.g. https://accounts.google.com
	Issuer string `protobuf:"bytes,2,opt,name=issuer,proto3" json:"issuer,omitempty"`
	// Identity is the subject identity recorded in the cert,
	// e.g. "identity": "puerco@gmail.com"
	Identity string `protobuf:"bytes,3,opt,name=identity,proto3" json:"identity,omitempty"`
	// contains filtered or unexported fields
}
IdentitySigstore represents the identity data in a Fulcio cert.
func (*IdentitySigstore) Descriptor
deprecated
func (*IdentitySigstore) Descriptor() ([]byte, []int)
Deprecated: Use IdentitySigstore.ProtoReflect.Descriptor instead.
func (*IdentitySigstore) GetIdentity ¶
func (x *IdentitySigstore) GetIdentity() string
func (*IdentitySigstore) GetIssuer ¶
func (x *IdentitySigstore) GetIssuer() string
func (*IdentitySigstore) GetMode ¶
func (x *IdentitySigstore) GetMode() string
func (*IdentitySigstore) ProtoMessage ¶
func (*IdentitySigstore) ProtoMessage()
func (*IdentitySigstore) ProtoReflect ¶
func (x *IdentitySigstore) ProtoReflect() protoreflect.Message
func (*IdentitySigstore) Reset ¶
func (x *IdentitySigstore) Reset()
func (*IdentitySigstore) String ¶
func (x *IdentitySigstore) String() string
type SignatureVerification ¶
// SignatureVerification records the outcome of verifying an object's
// signatures: whether any signature verified, which identities signed, and an
// optional message or error.
type SignatureVerification struct {
	// Date when the verification was performed
	Date *timestamppb.Timestamp `protobuf:"bytes,1,opt,name=date,proto3" json:"date,omitempty"`
	// Verified is set to true when a hash's signature was verified
	// with at least one key or cert. Verified does not imply any identity
	// check — use MatchesIdentity, MatchesKeyIdentity or
	// MatchesSigstoreIdentity to check who signed.
	Verified bool `protobuf:"varint,2,opt,name=verified,proto3" json:"verified,omitempty"`
	// Identities has a list of the identities (sigstore signers or keys)
	// that signed the object.
	// NOTE: its JSON key is "Identities" (capitalised, from the proto field
	// name), unlike the lower-case keys of the other fields.
	Identities []*Identity `protobuf:"bytes,3,rep,name=Identities,proto3" json:"Identities,omitempty"`
	// Message is an optional message that can be populated when a verification
	// was performed successfully.
	Message string `protobuf:"bytes,4,opt,name=message,proto3" json:"message,omitempty"`
	// Error is a message explaining why verification failed.
	Error string `protobuf:"bytes,5,opt,name=error,proto3" json:"error,omitempty"`
	// contains filtered or unexported fields
}
func (*SignatureVerification) Descriptor
deprecated
func (*SignatureVerification) Descriptor() ([]byte, []int)
Deprecated: Use SignatureVerification.ProtoReflect.Descriptor instead.
func (*SignatureVerification) GetDate ¶
func (x *SignatureVerification) GetDate() *timestamppb.Timestamp
func (*SignatureVerification) GetError ¶
func (x *SignatureVerification) GetError() string
func (*SignatureVerification) GetIdentities ¶
func (x *SignatureVerification) GetIdentities() []*Identity
func (*SignatureVerification) GetMessage ¶
func (x *SignatureVerification) GetMessage() string
func (*SignatureVerification) GetVerified ¶
func (x *SignatureVerification) GetVerified() bool
func (*SignatureVerification) MatchesIdentity ¶ added in v0.3.4
func (sv *SignatureVerification) MatchesIdentity(id *Identity) bool
MatchesIdentity returns true if one of the verified signatures matches the passed identity.
func (*SignatureVerification) MatchesKeyIdentity ¶ added in v0.3.4
func (sv *SignatureVerification) MatchesKeyIdentity(keyIdentity *IdentityKey) bool
MatchesKeyIdentity returns true if one of the verified signatures was performed with the specified key. Matching is done using the key Id and Type fields. If the identity has key data but no Id/Type, Normalize is called to populate them before matching.
func (*SignatureVerification) MatchesSigstoreIdentity ¶ added in v0.3.4
func (sv *SignatureVerification) MatchesSigstoreIdentity(id *IdentitySigstore) bool
MatchesSigstoreIdentity returns true if one of the verified signatures matches the passed sigstore identity.
func (*SignatureVerification) ProtoMessage ¶
func (*SignatureVerification) ProtoMessage()
func (*SignatureVerification) ProtoReflect ¶
func (x *SignatureVerification) ProtoReflect() protoreflect.Message
func (*SignatureVerification) Reset ¶
func (x *SignatureVerification) Reset()
func (*SignatureVerification) String ¶
func (x *SignatureVerification) String() string
type Verification ¶
// Verification holds the results of the signature verification process.
// It implements the error interface (Error) so a failed verification can be
// returned as an error, and GetVerified reports whether verification passed.
type Verification struct {
	// Signature holds the signature verification result. It is a pointer and
	// may be nil; callers should prefer GetSignature / GetVerified, which are
	// presumably nil-safe — TODO confirm.
	Signature *SignatureVerification `protobuf:"bytes,1,opt,name=signature,proto3" json:"signature,omitempty"`
	// contains filtered or unexported fields
}
Verification holds the results of the signature verification process.
func (*Verification) Descriptor
deprecated
func (*Verification) Descriptor() ([]byte, []int)
Deprecated: Use Verification.ProtoReflect.Descriptor instead.
func (*Verification) Error ¶ added in v0.3.4
func (v *Verification) Error() string
Error implements the Go error interface when verification fails.
func (*Verification) GetSignature ¶
func (x *Verification) GetSignature() *SignatureVerification
func (*Verification) GetVerified ¶ added in v0.3.4
func (v *Verification) GetVerified() bool
GetVerified returns true if verification passed.
func (*Verification) MatchesIdentity ¶ added in v0.3.4
func (v *Verification) MatchesIdentity(rawID any) bool
MatchesIdentity returns true if one of the verified signatures matches the identity.
func (*Verification) ProtoMessage ¶
func (*Verification) ProtoMessage()
func (*Verification) ProtoReflect ¶
func (x *Verification) ProtoReflect() protoreflect.Message
func (*Verification) Reset ¶
func (x *Verification) Reset()
func (*Verification) String ¶
func (x *Verification) String() string