Documentation
Constants
This section is empty.
Variables
var DefaultSign = Sign{
PayloadType: "application/octet-stream",
}
var DefaultSigner = Signer{
	SigstoreRootsData: sigstore.DefaultRoots,
}
var DefaultSigstore = Sigstore{
	Instance: sigstore.Instance{
		Timestamp:     true,
		AppendToRekor: true,
		TufOptions: tuf.TufOptions{
			TufRootURL: "https://tuf-repo-cdn.sigstore.dev",
		},
		HideOIDCOptions: true,
		OIDCConfig: sigstore.OIDCConfig{
			RedirectURL: "http://localhost:0/auth/callback",
			ClientID:    "sigstore",
		},
		VerifierConfig: sigstore.VerifierConfig{
			RequireCTlog:             true,
			RequireTlog:              true,
			RequireObserverTimestamp: true,
		},
	},
}
var DefaultVerification = Verification{}
var DefaultVerifier = Verifier{
	Verification:      DefaultVerification,
	SigstoreRootsData: sigstore.DefaultRoots,
}
DefaultVerifier holds the default options used to configure the verifier.
Functions
This section is empty.
Types
type BundleVerifier (added in v0.3.0)
type BundleVerifier struct {
	// RootsFile is the path to the roots file
	RootsFile string
}
type KeyVerification (added in v0.3.0)
KeyVerification options.
type Sign
type Sign struct {
	// PayloadType is the payload type to be declared in DSSE envelopes
	PayloadType string
	// Keys are the private key providers used for DSSE envelope signing.
	// These will be honored later to reuse in bundle signing.
	Keys []key.PrivateKeyProvider
}
Sign options (not to be confused with signer options) are options that control each signing operation behavior.
type SignOptFn
func WithKey (added in v0.2.0)
func WithKey(keys ...key.PrivateKeyProvider) SignOptFn
WithKey adds one or more key providers that will be used to sign
func WithPayloadType
WithPayloadType sets the DSSE payload type
type Signer
type Signer struct {
	Sigstore
	Token             *oauthflow.OIDCIDToken
	SigstoreRootsData []byte
	// contains filtered or unexported fields
}
Signer
func (*Signer) ParseRoots (added in v0.3.2)
ParseRoots parses the root information and assigns the instance data to the sigstore options.
type Sigstore (added in v0.3.0)
Sigstore holds the options that control how the signer handles signing with sigstore.
func (*Sigstore) AddFlags (added in v0.3.0)
AddFlags adds flags to a spf13/cobra command exposing the sigstore signing options. Not all options are yet exposed as CLI flags.
func (*Sigstore) ValidateOIDC (added in v0.3.1)
ValidateOIDC ensures the options have the required OIDC fields.
func (*Sigstore) ValidateSigner (added in v0.3.1)
ValidateSigner checks that the options required to sign are set.
func (*Sigstore) ValidateTimestamps (added in v0.3.1)
ValidateTimestamps
func (*Sigstore) ValidateVerifier (added in v0.3.1)
type SigstoreVerification (added in v0.3.0)
type SigstoreVerification struct {
	// ExpectedIssuer and ExpectedSan define the issuer and SAN to look for in
	// the fulcio cert. For a broader matching behavior, choose the *Regex
	// alternatives.
	//
	// Verification will fail if these are not set. To skip the identity check
	// set SkipIdentityCheck to true.
	ExpectedIssuer      string
	ExpectedIssuerRegex string
	ExpectedSan         string
	ExpectedSanRegex    string
	// SkipIdentityCheck makes the verifier skip the identity check. This
	// will ignore any setting in ExpectedIssuer, ExpectedIssuerRegex,
	// ExpectedSan or ExpectedSanRegex.
	SkipIdentityCheck bool
	// ArtifactDigestAlgo and ArtifactDigest define an artifact digest to
	// check when verifying, in addition to the signature.
	ArtifactDigestAlgo string
	ArtifactDigest     string
}
SigstoreVerification configures how we verify signatures using a particular instance.
type Verification (added in v0.3.0)
type Verification struct {
	SigstoreVerification
	KeyVerification
}
Verification options are generic options that all the Verify* functions take.
type VerificationOptFunc (added in v0.3.0)
type VerificationOptFunc func(*Verification) error
func WithArtifactData
func WithArtifactData(data []byte) VerificationOptFunc
WithArtifactData hashes the artifact data to verify along with the signature. This is required for message verification.
func WithExpectedIdentity
func WithExpectedIdentity(issuer, san string) VerificationOptFunc
WithExpectedIdentity sets the ExpectedIssuer and ExpectedSan options and unsets the regex alternatives.
func WithExpectedIdentityRegex (added in v0.1.1)
func WithExpectedIdentityRegex(issuer, san string) VerificationOptFunc
WithExpectedIdentityRegex sets the ExpectedIssuerRegex and ExpectedSanRegex options and unsets the non-regex alternatives.
func WithSkipIdentityCheck
func WithSkipIdentityCheck(yesno bool) VerificationOptFunc
WithSkipIdentityCheck instructs the verifier not to check the signature identities; only the signed payload will be checked.
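The identity policy that the SigstoreVerification fields and the With* option functions above configure, as an added self-contained Go example that is not this package's own code: it re-implements WithExpectedIdentity, WithExpectedIdentityRegex and WithSkipIdentityCheck with the documented semantics (each setter unsets the other form), and a CheckIdentity function that applies the resulting policy to an issuer/SAN pair taken from a certificate. Assumptions: the struct is reduced to its identity fields, CertIdentity, NewVerification, CheckIdentity and checkField are hypothetical names, regex patterns are anchored to the whole value, and requiring both issuer and SAN to be constrained is this example's policy choice, not something the page states.

```go
package main

import (
	"fmt"
	"regexp"
)

// Identity fields of SigstoreVerification as documented on the page;
// the digest fields and KeyVerification are left out (assumption).
type SigstoreVerification struct {
	ExpectedIssuer, ExpectedIssuerRegex string
	ExpectedSan, ExpectedSanRegex       string
	SkipIdentityCheck                   bool
}

type Verification struct{ SigstoreVerification }

type VerificationOptFunc func(*Verification) error

// WithExpectedIdentity sets the exact values and unsets the regex ones.
func WithExpectedIdentity(issuer, san string) VerificationOptFunc {
	return func(v *Verification) error {
		v.ExpectedIssuer, v.ExpectedSan = issuer, san
		v.ExpectedIssuerRegex, v.ExpectedSanRegex = "", ""
		return nil
	}
}

// WithExpectedIdentityRegex sets the regex values and unsets the exact
// ones. Assumption: compile here so a bad pattern fails at option time.
func WithExpectedIdentityRegex(issuer, san string) VerificationOptFunc {
	return func(v *Verification) error {
		for _, p := range []string{issuer, san} {
			if _, err := regexp.Compile(p); err != nil {
				return fmt.Errorf("invalid identity regex %q: %w", p, err)
			}
		}
		v.ExpectedIssuerRegex, v.ExpectedSanRegex = issuer, san
		v.ExpectedIssuer, v.ExpectedSan = "", ""
		return nil
	}
}

// WithSkipIdentityCheck turns the identity check off entirely.
func WithSkipIdentityCheck(yesno bool) VerificationOptFunc {
	return func(v *Verification) error { v.SkipIdentityCheck = yesno; return nil }
}

// NewVerification applies the functional options in order (hypothetical helper).
func NewVerification(opts ...VerificationOptFunc) (Verification, error) {
	var v Verification
	for _, opt := range opts {
		if err := opt(&v); err != nil {
			return Verification{}, err
		}
	}
	return v, nil
}

// CertIdentity is the issuer and SAN read from a Fulcio certificate
// (constructed input here; the real package takes them from the bundle).
type CertIdentity struct{ Issuer, San string }

// checkField enforces one identity field. Assumption: a field with neither an
// exact value nor a pattern is an error, so a missing policy fails closed.
func checkField(what, value, exact, pattern string) error {
	switch {
	case exact == "" && pattern == "":
		return fmt.Errorf("no expected %s configured and SkipIdentityCheck is false", what)
	case exact != "" && value != exact:
		return fmt.Errorf("%s %q != expected %q", what, value, exact)
	case pattern != "":
		// Anchor so the pattern must match the whole value: an unanchored
		// "example" would otherwise also accept "notexample".
		re, err := regexp.Compile("^(?:" + pattern + ")$")
		if err != nil {
			return fmt.Errorf("invalid %s regex %q: %w", what, pattern, err)
		}
		if !re.MatchString(value) {
			return fmt.Errorf("%s %q does not match %q", what, value, pattern)
		}
	}
	return nil
}

// CheckIdentity applies the documented policy: unless SkipIdentityCheck is
// set, both the issuer and the SAN of the signing identity are checked.
func CheckIdentity(v Verification, id CertIdentity) error {
	if v.SkipIdentityCheck {
		return nil
	}
	sv := v.SigstoreVerification
	if err := checkField("issuer", id.Issuer, sv.ExpectedIssuer, sv.ExpectedIssuerRegex); err != nil {
		return err
	}
	return checkField("SAN", id.San, sv.ExpectedSan, sv.ExpectedSanRegex)
}

func main() {
	// Constructed identity resembling a GitHub Actions release workflow.
	id := CertIdentity{"https://token.actions.githubusercontent.com",
		"https://github.com/example/repo/.github/workflows/release.yml@refs/tags/v1.0.0"}
	v, _ := NewVerification(WithExpectedIdentityRegex(`https://token\.actions\.githubusercontent\.com`,
		`https://github\.com/example/repo/\.github/workflows/release\.yml@refs/tags/v[0-9.]+`))
	fmt.Println("regex policy:", CheckIdentity(v, id))
	v, _ = NewVerification()
	fmt.Println("no policy:", CheckIdentity(v, id))
}
```

The page does not say whether the package anchors ExpectedIssuerRegex and ExpectedSanRegex to the whole value, so when using the real options write patterns with explicit ^ and $ rather than relying on that behaviour; a pattern that only needs to match a substring accepts more identities than intended.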
type Verifier
type Verifier struct {
	// The verifier options embed a set of verification options. These are
	// treated as defaults when calling the sigstore/dsse verifiers.
	Verification
	// SigstoreRootsPath is the path to a sigstore roots file
	SigstoreRootsPath string
	// SigstoreRootsData holds raw JSON with data about the configured roots
	SigstoreRootsData []byte
}
Verifier options.
type VerifierOptFunc
type VerifierOptFunc func(*Verifier)
func WithSigstoreRoots (added in v0.3.0)
func WithSigstoreRoots(raw []byte) VerifierOptFunc
WithSigstoreRoots sets the sigstore roots data from raw JSON.
func WithSigstoreRootsPath (added in v0.3.0)
func WithSigstoreRootsPath(path string) VerifierOptFunc
WithSigstoreRootsPath sets the path to the sigstore roots configuration file.