vsa

package
v0.8.39 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 15, 2025 License: Apache-2.0 Imports: 42 Imported by: 0

Documentation

Overview

attest.go

Index

Constants

View Source 
const (
	PredicateType = "https://conforma.dev/verification_summary/v1"
)

Predicate type URL

Variables

View Source 
var LoadPrivateKey = cosign.LoadPrivateKey

LoadPrivateKey is aliased to allow easy testing.

Functions

func AttestVSA added in v0.7.108 

func AttestVSA(ctx context.Context, attestor PredicateAttestor) (string, error)

AttestVSA handles VSA attestation and envelope writing for the target component.

func CompareVSAPolicyWithDetails added in v0.8.39 

func CompareVSAPolicyWithDetails(vsaPolicy ecapi.EnterpriseContractPolicySpec, suppliedPolicy ecapi.EnterpriseContractPolicySpec, effectiveTime time.Time, imageInfo *equivalence.ImageInfo) (bool, []equivalence.PolicyDifference, error)

CompareVSAPolicyWithDetails compares VSA policy with supplied policy and returns detailed differences

func ConvertYAMLToJSON added in v0.8.39 

func ConvertYAMLToJSON(data interface{}) interface{}

ConvertYAMLToJSON converts YAML interface{} types to proper types for JSON marshaling

func ExtractDigestFromImageRef added in v0.8.39 

func ExtractDigestFromImageRef(imageRef string) (string, error)

ExtractDigestFromImageRef extracts the digest from an image reference

func ExtractImageDigest added in v0.8.39 

func ExtractImageDigest(identifier string) string

ExtractImageDigest extracts image digest from identifier

func ExtractPolicyFromVSA added in v0.8.39 

func ExtractPolicyFromVSA(predicate *Predicate) (ecapi.EnterpriseContractPolicySpec, error)

ExtractPolicyFromVSA extracts the policy from VSA predicate

func FormatPolicyDifferences added in v0.8.39 

func FormatPolicyDifferences(differences []equivalence.PolicyDifference) string

FormatPolicyDifferences formats policy differences using unified diff format

func GenerateAndWritePredicate added in v0.8.25 

func GenerateAndWritePredicate(ctx context.Context, generator *Generator, writer *Writer) (string, error)

GenerateAndWritePredicate generates a Predicate and writes it to a file, returning the written path.

func GenerateAndWriteSnapshotPredicate added in v0.8.25 

func GenerateAndWriteSnapshotPredicate(ctx context.Context, generator *applicationsnapshot.SnapshotPredicateGenerator, writer *applicationsnapshot.SnapshotPredicateWriter) (string, error)

GenerateAndWriteSnapshotPredicate generates a snapshot Predicate and writes it to a file, returning the written path.

func IsImageReference added in v0.8.39 

func IsImageReference(identifier string) bool

IsImageReference checks if the identifier is an image reference

func IsVSAExpired added in v0.8.18 

func IsVSAExpired(vsaTimestamp time.Time, expirationThreshold time.Duration) bool

IsVSAExpired checks if a VSA is expired based on the timestamp and threshold

func IsValidVSAIdentifier added in v0.8.39 

func IsValidVSAIdentifier(identifier string) bool

IsValidVSAIdentifier validates VSA identifier format

func ParseEffectiveTime added in v0.8.39 

func ParseEffectiveTime(effectiveTime string) (time.Time, error)

ParseEffectiveTime parses the effective time string

func ParsePolicySpec added in v0.8.39 

func ParsePolicySpec(policyConfig string) (ecapi.EnterpriseContractPolicySpec, error)

ParsePolicySpec parses a policy configuration string to extract the EnterpriseContractPolicySpec

func ParseVSAExpirationDuration added in v0.8.39 

func ParseVSAExpirationDuration(s string) (time.Duration, error)

ParseVSAExpirationDuration parses a duration string with support for h, d, w, m suffixes

func UploadVSAEnvelope added in v0.7.148 

func UploadVSAEnvelope(ctx context.Context, envelopePath string, storageConfigs []string, signer *Signer) error

UploadVSAEnvelope uploads a VSA envelope to the configured storage backends

Types

type Attestor added in v0.7.108 

type Attestor struct {
	PredicatePath string  // path to the raw VSA (predicate) JSON
	PredicateType string  // e.g. "https://enterprisecontract.dev/attestations/vsa/v1" // TODO: make this configurable
	Digest        string  // sha256:abcd…  (as returned by `skopeo inspect --format {{.Digest}}`)
	Repo          string  // "quay.io/acme/widget" (hostname/namespace/repo)
	Signer        *Signer // Signer is the signer used to sign the VSA
}

func NewAttestor added in v0.7.108 

func NewAttestor(predicatePath, repo, digest string, signer *Signer) (*Attestor, error)

NewAttestor creates an Attestor with sensible defaults

func (Attestor) AttestPredicate added in v0.7.108 

func (a Attestor) AttestPredicate(ctx context.Context) ([]byte, error)

AttestPredicate builds an in‑toto Statement around the predicate and returns the fully‑signed **DSSE envelope** (identical to cosign's --no-upload output). Nothing is pushed to a registry or the TLog.

func (Attestor) TargetDigest added in v0.7.117 

func (a Attestor) TargetDigest() string

func (Attestor) WriteEnvelope added in v0.7.108 

func (a Attestor) WriteEnvelope(data []byte) (string, error)

WriteEnvelope is an optional convenience that mirrors cosign's --output‑signature flag; it emits <predicate>.intoto.jsonl next to the file.

type ComponentDetail added in v0.8.25 

type ComponentDetail struct {
	Name       string `json:"Name"`
	ImageRef   string `json:"ImageRef"`
	Violations int    `json:"Violations"`
	Warnings   int    `json:"Warnings"`
	Successes  int    `json:"Successes"`
}

ComponentDetail represents detailed information about a component in the summary

type ComponentResult added in v0.8.39 

type ComponentResult struct {
	ComponentName string
	ImageRef      string
	Result        *ValidationResult
	Error         error
}

ComponentResult represents the validation result for a snapshot component

type ComponentSummary added in v0.8.25 

type ComponentSummary struct {
	Name           string      `json:"name"`
	ContainerImage string      `json:"containerImage"`
	Source         interface{} `json:"source"`
}

ComponentSummary represents the summary information for a single component

type FileVSARetriever added in v0.8.23 

type FileVSARetriever struct {
	// contains filtered or unexported fields
}

FileVSARetriever implements VSARetriever using filesystem storage

func NewFileVSARetriever added in v0.8.23 

func NewFileVSARetriever(fs afero.Fs, basePath string) *FileVSARetriever

NewFileVSARetriever creates a new filesystem-based VSA retriever

func NewFileVSARetrieverWithOSFs added in v0.8.23 

func NewFileVSARetrieverWithOSFs(basePath string) *FileVSARetriever

NewFileVSARetrieverWithOSFs creates a new filesystem-based VSA retriever using the OS filesystem

func NewFileVSARetrieverWithOptions added in v0.8.23 

func NewFileVSARetrieverWithOptions(opts FileVSARetrieverOptions) *FileVSARetriever

NewFileVSARetrieverWithOptions creates a new filesystem-based VSA retriever with options

func (*FileVSARetriever) RetrieveVSA added in v0.8.23 

func (f *FileVSARetriever) RetrieveVSA(ctx context.Context, identifier string) (*ssldsse.Envelope, error)

RetrieveVSA retrieves VSA data as a DSSE envelope from a file path The identifier can be: - A direct file path (e.g., "/path/to/vsa.json") - A relative path that will be resolved against basePath - A filename that will be looked up in basePath

type FileVSARetrieverOptions added in v0.8.23 

type FileVSARetrieverOptions struct {
	BasePath string
	FS       afero.Fs
}

FileVSARetrieverOptions configures filesystem-based VSA retrieval behavior

type Generator 

type Generator struct {
	Report       applicationsnapshot.Report
	Component    applicationsnapshot.Component
	PolicySource string
	Policy       PublicKeyProvider
}

Generator handles VSA predicate generation

func NewGenerator 

func NewGenerator(report applicationsnapshot.Report, comp applicationsnapshot.Component, policySource string, policy PublicKeyProvider) *Generator

NewGenerator creates a new VSA predicate generator

func (*Generator) GeneratePredicate 

func (g *Generator) GeneratePredicate(ctx context.Context) (*Predicate, error)

GeneratePredicate creates a Predicate for a validated image/component.

type IdentifierType added in v0.8.39 

type IdentifierType int

IdentifierType represents the type of VSA identifier 

const (
	// IdentifierFile represents a local file path (absolute, relative, or files with extensions)
	IdentifierFile IdentifierType = iota
	// IdentifierImageDigest represents a container image digest (e.g., sha256:abc123...)
	IdentifierImageDigest
	// IdentifierImageReference represents a container image reference (e.g., nginx:latest, registry.io/repo:tag)
	IdentifierImageReference
)

func DetectIdentifierType added in v0.8.39 

func DetectIdentifierType(identifier string) IdentifierType

DetectIdentifierType detects the type of VSA identifier

type InTotoStatement added in v0.8.39 

type InTotoStatement struct {
	Type          string    `json:"_type"`
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
	Predicate     Predicate `json:"predicate"`
}

InTotoStatement represents an in-toto statement structure

type LocalBackend added in v0.7.148 

type LocalBackend struct {
	// contains filtered or unexported fields
}

LocalBackend implements VSA storage to local filesystem

func (*LocalBackend) Name added in v0.7.148 

func (l *LocalBackend) Name() string

Name returns the backend name

func (*LocalBackend) Upload added in v0.7.148 

func (l *LocalBackend) Upload(ctx context.Context, envelopeContent []byte) error

Upload saves the VSA envelope to a local file

type Predicate 

type Predicate struct {
	Policy       ecapi.EnterpriseContractPolicySpec `json:"policy"`
	PolicySource string                             `json:"policySource"`
	ImageRefs    []string                           `json:"imageRefs"`
	Timestamp    string                             `json:"timestamp"`
	Status       string                             `json:"status"`
	Verifier     string                             `json:"verifier"`
	Summary      VSASummary                         `json:"summary"`
	PublicKey    string                             `json:"publicKey"`
}

func ParseVSAContent added in v0.8.39 

func ParseVSAContent(envelope *ssldsse.Envelope) (*Predicate, error)

ParseVSAContent parses VSA content from a DSSE envelope and returns a Predicate The function handles different payload formats: 1. In-toto Statement wrapped in DSSE envelope 2. Raw Predicate directly in DSSE payload

type PredicateAttestor added in v0.7.108 

type PredicateAttestor interface {
	AttestPredicate(ctx context.Context) ([]byte, error)
	WriteEnvelope(data []byte) (string, error)
	TargetDigest() string
}

PredicateAttestor interface for attesting VSA predicates and writing envelopes

type PredicateGenerator added in v0.7.108 

type PredicateGenerator[T any] interface {
	GeneratePredicate(ctx context.Context) (T, error)
}

PredicateGenerator interface for generating VSA predicates

type PredicateWriter added in v0.7.108 

type PredicateWriter[T any] interface {
	WritePredicate(pred T) (string, error)
}

PredicateWriter interface for writing VSA predicates to files

type PublicKeyProvider added in v0.8.25 

type PublicKeyProvider interface {
	PublicKeyPEM() ([]byte, error)
}

PublicKeyProvider defines the interface for accessing public key information

type RekorBackend added in v0.7.148 

type RekorBackend struct {
	// contains filtered or unexported fields
}

RekorBackend implements VSA storage in Rekor transparency log using single in-toto 0.0.2 entries

func (*RekorBackend) Name added in v0.7.148 

func (r *RekorBackend) Name() string

Name returns the backend name

func (*RekorBackend) Upload added in v0.7.148 

func (r *RekorBackend) Upload(ctx context.Context, envelopeContent []byte) error

Upload is not supported for Rekor backend - use UploadWithSigner instead

func (*RekorBackend) UploadWithSigner added in v0.7.148 

func (r *RekorBackend) UploadWithSigner(ctx context.Context, envelopeContent []byte, signer *Signer) (string, error)

UploadWithSigner uploads a VSA envelope to the Rekor transparency log with access to the signer for public key extraction

type RekorClient added in v0.7.134 

type RekorClient interface {
	SearchIndex(ctx context.Context, query *models.SearchIndex) ([]models.LogEntryAnon, error)
	SearchLogQuery(ctx context.Context, query *models.SearchLogQuery) ([]models.LogEntryAnon, error)
	GetLogEntryByIndex(ctx context.Context, index int64) (*models.LogEntryAnon, error)
	GetLogEntryByUUID(ctx context.Context, uuid string) (*models.LogEntryAnon, error)
}

RekorClient defines the interface for Rekor client operations This allows for easy mocking in tests

type RekorVSARetriever added in v0.7.134 

type RekorVSARetriever struct {
	// contains filtered or unexported fields
}

RekorVSARetriever implements VSARetriever using Rekor API

func NewRekorVSARetriever added in v0.7.134 

func NewRekorVSARetriever(opts RetrievalOptions) (*RekorVSARetriever, error)

NewRekorVSARetriever creates a new Rekor-based VSA retriever

func NewRekorVSARetrieverWithClient added in v0.7.134 

func NewRekorVSARetrieverWithClient(client RekorClient, opts RetrievalOptions) *RekorVSARetriever

NewRekorVSARetrieverWithClient creates a new Rekor-based VSA retriever with a custom client This is primarily for testing purposes

func (*RekorVSARetriever) RetrieveVSA added in v0.7.134 

func (r *RekorVSARetriever) RetrieveVSA(ctx context.Context, identifier string) (*ssldsse.Envelope, error)

RetrieveVSA retrieves the latest VSA data as a DSSE envelope for a given identifier The identifier can be an image digest, image reference with digest, or other string This is the main method used by validation functions to get VSA data for signature verification

type RetrievalOptions added in v0.7.134 

type RetrievalOptions struct {
	URL     string
	Timeout time.Duration
}

RetrievalOptions configures VSA retrieval behavior

func DefaultRetrievalOptions added in v0.7.134 

func DefaultRetrievalOptions() RetrievalOptions

DefaultRetrievalOptions returns default options for VSA retrieval

type Service added in v0.7.117 

type Service struct {
	// contains filtered or unexported fields
}

Service encapsulates all VSA processing logic for both components and snapshots

func NewServiceWithFS added in v0.7.117 

func NewServiceWithFS(signer *Signer, fs afero.Fs, policySource string, policy PublicKeyProvider) *Service

NewServiceWithFS creates a new VSA service with the given signer and filesystem

func (*Service) ProcessAllVSAs added in v0.7.117 

func (s *Service) ProcessAllVSAs(ctx context.Context, report applicationsnapshot.Report, getGitURL func(applicationsnapshot.Component) string, getDigest func(applicationsnapshot.Component) (string, error)) (*VSAProcessingResult, error)

ProcessAllVSAs processes VSAs for all components and the snapshot, returning envelope paths

func (*Service) ProcessComponentVSA added in v0.7.117 

func (s *Service) ProcessComponentVSA(ctx context.Context, report applicationsnapshot.Report, comp applicationsnapshot.Component, gitURL, digest string) (string, error)

ProcessComponentVSA processes VSA generation, writing, and attestation for a single component

func (*Service) ProcessSnapshotVSA added in v0.7.117 

func (s *Service) ProcessSnapshotVSA(ctx context.Context, report applicationsnapshot.Report) (string, error)

ProcessSnapshotVSA processes VSA generation, writing, and attestation for the application snapshot

type Signer 

type Signer struct {
	KeyPath        string
	FS             afero.Fs
	WrapSigner     signature.Signer
	SignerVerifier signature.SignerVerifier // Store the original signer for public key access
}

func NewSigner 

func NewSigner(ctx context.Context, keyRef string, fs afero.Fs) (*Signer, error)

NewSigner creates a new signer that can resolve keys from both files and Kubernetes secrets

type SignerAwareUploader added in v0.7.148 

type SignerAwareUploader interface {
	StorageBackend
	UploadWithSigner(ctx context.Context, envelopeContent []byte, signer *Signer) (string, error)
}

SignerAwareUploader extends StorageBackend for backends that need access to the signer (e.g., Rekor backend needs the public key for transparency log upload)

type StorageBackend added in v0.7.148 

type StorageBackend interface {
	Name() string
	Upload(ctx context.Context, envelopeContent []byte) error
}

StorageBackend defines the interface for VSA storage implementations

func CreateStorageBackend added in v0.7.148 

func CreateStorageBackend(config *StorageConfig) (StorageBackend, error)

CreateStorageBackend creates the appropriate storage backend based on config

func NewLocalBackend added in v0.7.148 

func NewLocalBackend(config *StorageConfig) (StorageBackend, error)

NewLocalBackend creates a new local file storage backend

func NewRekorBackend added in v0.7.148 

func NewRekorBackend(config *StorageConfig) (StorageBackend, error)

NewRekorBackend creates a new Rekor storage backend

type StorageConfig added in v0.7.148 

type StorageConfig struct {
	Backend    string            // rekor, local (maybe others in future)
	BaseURL    string            // Primary URL
	Parameters map[string]string // Additional parameters
}

StorageConfig represents parsed storage configuration

func ParseStorageFlag added in v0.7.148 

func ParseStorageFlag(storageFlag string) (*StorageConfig, error)

ParseStorageFlag parses the --vsa-upload flag format Supported formats:

type Subject added in v0.8.39 

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

Subject represents a subject in an in-toto statement

type VSAChecker added in v0.8.18 

type VSAChecker struct {
	// contains filtered or unexported fields
}

VSAChecker handles checking for existing VSAs using any VSARetriever

func CreateVSACheckerFromUploadFlags added in v0.8.18 

func CreateVSACheckerFromUploadFlags(vsaUpload []string) *VSAChecker

CreateVSACheckerFromUploadFlags creates a VSA checker based on available upload flags Returns nil if no suitable retriever can be created

func NewVSAChecker added in v0.8.18 

func NewVSAChecker(retriever VSARetriever) *VSAChecker

NewVSAChecker creates a new VSA checker with a VSARetriever

func (*VSAChecker) CheckExistingVSA added in v0.8.18 

func (c *VSAChecker) CheckExistingVSA(ctx context.Context, imageRef string, expirationThreshold time.Duration) (*VSALookupResult, error)

CheckExistingVSA looks up existing VSAs for an image and determines if they're valid/expired This method is kept for backward compatibility

func (*VSAChecker) CheckExistingVSAWithVerification added in v0.8.39 

func (c *VSAChecker) CheckExistingVSAWithVerification(ctx context.Context, imageRef string, expirationThreshold time.Duration, verifySignature bool, publicKeyPath string) (*VSALookupResult, error)

CheckExistingVSAWithVerification looks up existing VSAs for an image and performs all checks including optional signature verification

func (*VSAChecker) IsValidVSA added in v0.8.18 

func (c *VSAChecker) IsValidVSA(ctx context.Context, imageRef string, expirationThreshold time.Duration) (bool, error)

IsValidVSA checks if a VSA exists and is not expired for the given image Returns true if validation should be skipped, false if validation should proceed

type VSALookupResult added in v0.8.18 

type VSALookupResult struct {
	Found             bool
	Expired           bool
	VSA               *Predicate
	Timestamp         time.Time
	Envelope          *ssldsse.Envelope // Store the envelope for signature verification
	SignatureVerified bool              // Whether signature verification was performed and succeeded
}

VSALookupResult represents the result of looking up an existing VSA

type VSAProcessingResult added in v0.7.148 

type VSAProcessingResult struct {
	ComponentEnvelopes map[string]string // imageRef -> envelopePath
	SnapshotEnvelope   string
}

VSAProcessingResult contains the results of VSA processing

type VSARetriever added in v0.7.134 

type VSARetriever interface {
	// RetrieveVSA retrieves VSA data as a DSSE envelope for a given identifier
	// The identifier can be a digest, image reference, file path, or any other string
	// that the specific retriever implementation understands
	RetrieveVSA(ctx context.Context, identifier string) (*ssldsse.Envelope, error)
}

VSARetriever defines the interface for retrieving VSA records from various sources

func CreateRetrieverFromUploadFlags added in v0.8.18 

func CreateRetrieverFromUploadFlags(vsaUpload []string) VSARetriever

CreateRetrieverFromUploadFlags creates a VSA retriever based on upload flags Currently supports Rekor, but can be extended for other retrievers

func CreateVSARetriever added in v0.8.39 

func CreateVSARetriever(vsaRetrieval []string, vsaIdentifier string, images string) (VSARetriever, error)

CreateVSARetriever creates the VSA retriever based on flags and identifier type

type VSASummary added in v0.8.25 

type VSASummary struct {
	Violations int               `json:"violations"`
	Warnings   int               `json:"warnings"`
	Successes  int               `json:"successes"`
	Components []ComponentDetail `json:"Components"`
	Component  ComponentSummary  `json:"component"`
}

VSASummary represents the summary information for a VSA predicate

type ValidationData added in v0.8.39 

type ValidationData struct {
	Retriever                   VSARetriever
	VSAExpiration               time.Duration
	IgnoreSignatureVerification bool
	PublicKeyPath               string
	PolicySpec                  ecapi.EnterpriseContractPolicySpec
	EffectiveTime               string
}

ValidationData represents the data needed for VSA validation

type ValidationResult added in v0.8.39 

type ValidationResult struct {
	Passed            bool   `json:"passed"`
	Message           string `json:"message,omitempty"`
	SignatureVerified bool   `json:"signature_verified,omitempty"`
}

ValidationResult represents the result of VSA validation

func ValidateVSAWithPolicyComparison added in v0.8.39 

func ValidateVSAWithPolicyComparison(ctx context.Context, identifier string, data *ValidationData) (*ValidationResult, error)

ValidateVSAWithPolicyComparison validates a VSA by comparing its policy with the supplied policy

type Writer 

type Writer struct {
	FS            afero.Fs    // defaults to the package-level FS or afero.NewOsFs()
	TempDirPrefix string      // defaults to "vsa-"
	FilePerm      os.FileMode // defaults to 0600
}

Writer handles VSA file writing

func NewWriter 

func NewWriter() *Writer

NewWriter creates a new VSA file writer

func (*Writer) WritePredicate added in v0.7.108 

func (w *Writer) WritePredicate(predicate *Predicate) (string, error)

WritePredicate writes the Predicate as a JSON file to a temp directory and returns the path.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.