attestation

package

v0.6.8 Latest Latest Go to latest Published: Oct 23, 2024 License: Apache-2.0 Imports: 34 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/docker/attest

Links

Open Source Insights

README ¶

attestations

This package is for components that deal with the creation, storage, and retrieval of signed attestions using OCI.

For more generic OCI components see the oci package.

Documentation ¶

Index ¶

Constants
func DSSEMediaType(predicateType string) (string, error)
func ToVSAResourceURI(sub intoto.Subject) (string, error)
func UpdateIndexImages(idx v1.ImageIndex, manifest []*Manifest, ...) (v1.ImageIndex, error)
func ValidPayloadType(payloadType string) bool
func VerifyDSSE(ctx context.Context, verifier Verifier, env *Envelope, opts *VerifyOptions) ([]byte, error)
func WithLogVerifierFactory(factory LogVerifierFactory) func(*verifier)
func WithReferrersRepo(repo string) func(*ReferrersResolver) error
func WithReplacedLayers(replaceLayers bool) func(*ManifestImageOptions) error
func WithSignatureVerifierFactory(factory SignatureVerifierFactory) func(*verifier)
func WithTUFDownloader(tufDownloader tuf.Downloader) func(*verifier)
func WithoutSubject(skipSubject bool) func(*ManifestImageOptions) error
type AnnotatedStatement
- func ExtractAnnotatedStatements(path string, mediaType string) ([]*AnnotatedStatement, error)
- func ExtractStatementsFromIndex(idx v1.ImageIndex, mediaType string) ([]*AnnotatedStatement, error)
type DockerDSSEExtension
type Envelope
- func SignDSSE(ctx context.Context, payload []byte, signer dsse.SignerVerifier, ...) (*Envelope, error)
type EnvelopeReference
- func ExtractEnvelopes(manifest *Manifest, predicateType string) ([]*EnvelopeReference, error)
type Extension
type KeyMetadata
- func (km *KeyMetadata) ParsedKey() (crypto.PublicKey, error)
type Keys
type KeysMap
type Layer
type LayoutResolver
- func NewOCILayoutResolver(src *oci.ImageSpec) (*LayoutResolver, error)
- func (r *LayoutResolver) Attestations(_ context.Context, predicateType string) ([]*EnvelopeReference, error)
- func (r *LayoutResolver) ImageDescriptor(_ context.Context) (*v1.Descriptor, error)
- func (r *LayoutResolver) ImageName(_ context.Context) (string, error)
- func (r *LayoutResolver) ImagePlatform(_ context.Context) (*v1.Platform, error)
type LogVerifierFactory
type Manifest
- func FetchManifest(ctx context.Context, image string, platform *v1.Platform) (*Manifest, error)
- func ManifestsFromIndex(index v1.ImageIndex) ([]*Manifest, error)
- func NewManifest(subject *v1.Descriptor) (*Manifest, error)
- func (manifest *Manifest) Add(ctx context.Context, signer dsse.SignerVerifier, statement *intoto.Statement, ...) error
- func (manifest *Manifest) BuildImage(options ...func(*ManifestImageOptions) error) (v1.Image, error)
- func (manifest *Manifest) BuildReferringArtifacts() ([]v1.Image, error)
type ManifestImageOptions
type MockRegistryResolver
- func (r *MockRegistryResolver) ImageDescriptor(_ context.Context) (*v1.Descriptor, error)
- func (r *MockRegistryResolver) ImageName(_ context.Context) (string, error)
type MockResolver
- func (r MockResolver) Attestations(_ context.Context, _ string) ([]*EnvelopeReference, error)
- func (r MockResolver) ImageDescriptor(_ context.Context) (*v1.Descriptor, error)
- func (r MockResolver) ImageName(_ context.Context) (string, error)
- func (r MockResolver) ImagePlatform(_ context.Context) (*v1.Platform, error)
type Options
type ReferrersResolver
- func NewReferrersResolver(src oci.ImageDetailsResolver, options ...func(*ReferrersResolver) error) (*ReferrersResolver, error)
- func (r *ReferrersResolver) Attestations(ctx context.Context, predicateType string) ([]*EnvelopeReference, error)
type RegistryResolver
- func NewRegistryResolver(src *oci.RegistryImageDetailsResolver) (*RegistryResolver, error)
- func (r *RegistryResolver) Attestations(ctx context.Context, predicateType string) ([]*EnvelopeReference, error)
type Resolver
type ResourceDescriptor
type Signature
type SignatureVerifierFactory
type SigningOptions
type TransparencyLogKind
type VSAPolicy
type VSAPredicate
type VSAVerifier
type Verifier
- func NewVerfier(options ...func(*verifier)) (Verifier, error)
type VerifierVersion
- func GetVerifierVersion(fetcher version.Fetcher) (VerifierVersion, error)
type VerifyOptions

Examples ¶

Manifest

Constants ¶

View Source

const (
	DockerReferenceType           = "vnd.docker.reference.type"
	AttestationManifestType       = "attestation-manifest"
	InTotoPredicateType           = "in-toto.io/predicate-type"
	DockerReferenceDigest         = "vnd.docker.reference.digest"
	DockerDSSEExtKind             = "application/vnd.docker.attestation-verification.v1+json"
	OCIDescriptorDSSEMediaType    = ociv1.MediaTypeDescriptor + "+dsse"
	InTotoReferenceLifecycleStage = "vnd.docker.lifecycle-stage"
	LifecycleStageExperimental    = "experimental"
)

View Source

const (
	RekorTransparencyLogKind = "rekor"
)

View Source

const (
	VSAPredicateType = "https://slsa.dev/verification_summary/v1"
)

Variables ¶

This section is empty.

Functions ¶

func DSSEMediaType ¶

func DSSEMediaType(predicateType string) (string, error)

func ToVSAResourceURI ¶

func ToVSAResourceURI(sub intoto.Subject) (string, error)

func UpdateIndexImages ¶

func UpdateIndexImages(idx v1.ImageIndex, manifest []*Manifest, options ...func(*ManifestImageOptions) error) (v1.ImageIndex, error)

func ValidPayloadType ¶

func ValidPayloadType(payloadType string) bool

func VerifyDSSE ¶

func VerifyDSSE(ctx context.Context, verifier Verifier, env *Envelope, opts *VerifyOptions) ([]byte, error)

func WithLogVerifierFactory ¶ added in v0.6.0

func WithLogVerifierFactory(factory LogVerifierFactory) func(*verifier)

func WithReferrersRepo ¶

func WithReferrersRepo(repo string) func(*ReferrersResolver) error

func WithReplacedLayers ¶

func WithReplacedLayers(replaceLayers bool) func(*ManifestImageOptions) error

func WithSignatureVerifierFactory ¶ added in v0.6.0

func WithSignatureVerifierFactory(factory SignatureVerifierFactory) func(*verifier)

func WithTUFDownloader ¶ added in v0.6.0

func WithTUFDownloader(tufDownloader tuf.Downloader) func(*verifier)

func WithoutSubject ¶

func WithoutSubject(skipSubject bool) func(*ManifestImageOptions) error

Types ¶

type AnnotatedStatement ¶

type AnnotatedStatement struct {
	OCIDescriptor   *v1.Descriptor
	InTotoStatement *intoto.Statement
	Annotations     map[string]string
}

func ExtractAnnotatedStatements ¶

func ExtractAnnotatedStatements(path string, mediaType string) ([]*AnnotatedStatement, error)

func ExtractStatementsFromIndex ¶

func ExtractStatementsFromIndex(idx v1.ImageIndex, mediaType string) ([]*AnnotatedStatement, error)

type DockerDSSEExtension ¶

type DockerDSSEExtension struct {
	TL *tlog.DockerTLExtension `json:"tl"`
}

type Envelope ¶

type Envelope struct {
	PayloadType string       `json:"payloadType"`
	Payload     string       `json:"payload"`
	Signatures  []*Signature `json:"signatures"`
}

the following types are needed until https://github.com/secure-systems-lab/dsse/pull/61 is merged.

func SignDSSE ¶

func SignDSSE(ctx context.Context, payload []byte, signer dsse.SignerVerifier, opts *SigningOptions) (*Envelope, error)

SignDSSE signs a payload with a given signer and uploads the signature to the transparency log.

type EnvelopeReference ¶ added in v0.6.6

type EnvelopeReference struct {
	*Envelope
	ResourceDescriptor *ResourceDescriptor `json:"resourceDescriptor"`
}

func ExtractEnvelopes ¶

func ExtractEnvelopes(manifest *Manifest, predicateType string) ([]*EnvelopeReference, error)

type Extension ¶

type Extension struct {
	Kind string               `json:"kind"`
	Ext  *DockerDSSEExtension `json:"ext"`
}

type KeyMetadata ¶

type KeyMetadata struct {
	ID            string     `json:"id"`
	PEM           string     `json:"key"`
	From          time.Time  `json:"from"`
	To            *time.Time `json:"to"`
	Status        string     `json:"status"`
	SigningFormat string     `json:"signing-format"`
	Distrust      bool       `json:"distrust,omitempty"`
	// contains filtered or unexported fields
}

func (*KeyMetadata) ParsedKey ¶ added in v0.6.0

func (km *KeyMetadata) ParsedKey() (crypto.PublicKey, error)

type Keys ¶

type Keys []*KeyMetadata

type KeysMap ¶

type KeysMap map[string]*KeyMetadata

type Layer ¶

type Layer struct {
	Statement   *intoto.Statement
	Layer       v1.Layer
	Annotations map[string]string
}

type LayoutResolver ¶

type LayoutResolver struct {
	*Manifest
	*oci.ImageSpec
}

func NewOCILayoutResolver ¶

func NewOCILayoutResolver(src *oci.ImageSpec) (*LayoutResolver, error)

func (*LayoutResolver) Attestations ¶

func (r *LayoutResolver) Attestations(_ context.Context, predicateType string) ([]*EnvelopeReference, error)

func (*LayoutResolver) ImageDescriptor ¶

func (r *LayoutResolver) ImageDescriptor(_ context.Context) (*v1.Descriptor, error)

func (*LayoutResolver) ImageName ¶

func (r *LayoutResolver) ImageName(_ context.Context) (string, error)

func (*LayoutResolver) ImagePlatform ¶

func (r *LayoutResolver) ImagePlatform(_ context.Context) (*v1.Platform, error)

type LogVerifierFactory ¶ added in v0.6.0

type LogVerifierFactory func(ctx context.Context, opts *VerifyOptions) (tlog.TransparencyLog, error)

type Manifest ¶

type Manifest struct {
	OriginalDescriptor *v1.Descriptor
	OriginalLayers     []*Layer

	// accumulated during signing
	SignedLayers []*Layer
	// details of subject image
	SubjectName       string
	SubjectDescriptor *v1.Descriptor
}

Example ¶

package main

import (
	"context"
	"time"

	"github.com/docker/attest/attestation"
	"github.com/docker/attest/oci"
	"github.com/docker/attest/signerverifier"

	v1 "github.com/google/go-containerregistry/pkg/v1"

	intoto "github.com/in-toto/in-toto-golang/in_toto"
	"github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
)

func main() {
	// configure signerverifier
	// local signer (unsafe for production)
	signer, err := signerverifier.GenKeyPair()
	if err != nil {
		panic(err)
	}
	// example using AWS KMS signer
	// aws_arn := "arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012"
	// aws_region := "us-west-2"
	// signer, err := signerverifier.GetAWSSigner(cmd.Context(), aws_arn, aws_region)

	// configure signing options
	opts := &attestation.SigningOptions{
		TransparencyLog: nil, // set this to log to a transparency log
	}

	ref := "docker/image-signer-verifier:latest"

	digest, err := v1.NewHash("sha256:7ae6b41655929ad8e1848064874a98ac3f68884996c79907f6525e3045f75390")
	if err != nil {
		panic(err)
	}
	desc := &v1.Descriptor{
		Digest:    digest,
		Size:      1234,
		MediaType: "application/vnd.oci.image.manifest.v1+json",
	}

	// the in-toto statement to be signed
	statement := &intoto.Statement{
		StatementHeader: intoto.StatementHeader{
			PredicateType: attestation.VSAPredicateType,
			Subject:       []intoto.Subject{{Name: ref, Digest: common.DigestSet{digest.Algorithm: digest.Hex}}},
			Type:          intoto.StatementInTotoV01,
		},
		Predicate: attestation.VSAPredicate{
			Verifier: attestation.VSAVerifier{
				ID: "test-verifier",
			},
			TimeVerified:       time.Now().UTC().Format(time.RFC3339),
			ResourceURI:        "some-uri",
			Policy:             attestation.VSAPolicy{URI: "some-uri"},
			VerificationResult: "PASSED",
			VerifiedLevels:     []string{"SLSA_BUILD_LEVEL_1"},
		},
	}

	// create a new manifest to hold the attestation
	manifest, err := attestation.NewManifest(desc)
	if err != nil {
		panic(err)
	}

	// sign and add the attestation to the manifest
	err = manifest.Add(context.Background(), signer, statement, opts)
	if err != nil {
		panic(err)
	}

	output, err := oci.ParseImageSpecs("docker/image-signer-verifier-referrers:latest")
	if err != nil {
		panic(err)
	}

	// save the manifest to the registry as a referrers artifact
	artifacts, err := manifest.BuildReferringArtifacts()
	if err != nil {
		panic(err)
	}
	ctx := context.Background()
	err = oci.SaveImagesNoTag(ctx, artifacts, output)
	if err != nil {
		panic(err)
	}
}

func FetchManifest ¶

func FetchManifest(ctx context.Context, image string, platform *v1.Platform) (*Manifest, error)

func ManifestsFromIndex ¶

func ManifestsFromIndex(index v1.ImageIndex) ([]*Manifest, error)

ManifestsFromIndex extracts all attestation manifests from an index.

func NewManifest ¶

func NewManifest(subject *v1.Descriptor) (*Manifest, error)

NewManifest creates a new attestation manifest from a descriptor.

func (*Manifest) Add ¶

func (manifest *Manifest) Add(ctx context.Context, signer dsse.SignerVerifier, statement *intoto.Statement, opts *SigningOptions) error

func (*Manifest) BuildImage ¶

func (manifest *Manifest) BuildImage(options ...func(*ManifestImageOptions) error) (v1.Image, error)

build an image with signed attestations, optionally replacing existing layers with signed layers.

func (*Manifest) BuildReferringArtifacts ¶

func (manifest *Manifest) BuildReferringArtifacts() ([]v1.Image, error)

build an image per attestation (layer) suitable for use as Referrers.

type ManifestImageOptions ¶

type ManifestImageOptions struct {
	// contains filtered or unexported fields
}

type MockRegistryResolver ¶

type MockRegistryResolver struct {
	Subject      *v1.Descriptor
	ImageNameStr string
	*MockResolver
}

func (*MockRegistryResolver) ImageDescriptor ¶

func (r *MockRegistryResolver) ImageDescriptor(_ context.Context) (*v1.Descriptor, error)

func (*MockRegistryResolver) ImageName ¶

func (r *MockRegistryResolver) ImageName(_ context.Context) (string, error)

type MockResolver ¶

type MockResolver struct {
	Envs         []*EnvelopeReference
	Image        string
	PlatformFn   func() (*v1.Platform, error)
	DescriptorFn func() (*v1.Descriptor, error)
	ImangeNameFn func() (string, error)
}

func (MockResolver) Attestations ¶

func (r MockResolver) Attestations(_ context.Context, _ string) ([]*EnvelopeReference, error)

func (MockResolver) ImageDescriptor ¶

func (r MockResolver) ImageDescriptor(_ context.Context) (*v1.Descriptor, error)

func (MockResolver) ImageName ¶

func (r MockResolver) ImageName(_ context.Context) (string, error)

func (MockResolver) ImagePlatform ¶

func (r MockResolver) ImagePlatform(_ context.Context) (*v1.Platform, error)

type Options ¶

type Options struct {
	NoReferrers   bool
	Attach        bool
	ReferrersRepo string
}

type ReferrersResolver ¶

type ReferrersResolver struct {
	oci.ImageDetailsResolver
	// contains filtered or unexported fields
}

func NewReferrersResolver ¶

func NewReferrersResolver(src oci.ImageDetailsResolver, options ...func(*ReferrersResolver) error) (*ReferrersResolver, error)

func (*ReferrersResolver) Attestations ¶

func (r *ReferrersResolver) Attestations(ctx context.Context, predicateType string) ([]*EnvelopeReference, error)

type RegistryResolver ¶

type RegistryResolver struct {
	*oci.RegistryImageDetailsResolver
	*Manifest
}

func NewRegistryResolver ¶

func NewRegistryResolver(src *oci.RegistryImageDetailsResolver) (*RegistryResolver, error)

func (*RegistryResolver) Attestations ¶

func (r *RegistryResolver) Attestations(ctx context.Context, predicateType string) ([]*EnvelopeReference, error)

type Resolver ¶

type Resolver interface {
	oci.ImageDetailsResolver
	Attestations(ctx context.Context, mediaType string) ([]*EnvelopeReference, error)
}

type ResourceDescriptor ¶ added in v0.6.6

type ResourceDescriptor struct {
	MediaType string            `json:"mediaType"`
	Digest    map[string]string `json:"digest"`
	URI       string            `json:"uri,omitempty"`
}

type Signature ¶

type Signature struct {
	KeyID     string     `json:"keyid"`
	Sig       string     `json:"sig"`
	Extension *Extension `json:"extension,omitempty"`
}

type SignatureVerifierFactory ¶ added in v0.6.0

type SignatureVerifierFactory func(ctx context.Context, publicKey crypto.PublicKey, opts *VerifyOptions) (dsse.Verifier, error)

type SigningOptions ¶

type SigningOptions struct {
	// set this in order to log to a transparency log
	TransparencyLog tlog.TransparencyLog
}

type TransparencyLogKind ¶ added in v0.6.0

type TransparencyLogKind string

type VSAPolicy ¶

type VSAPolicy struct {
	URI              string            `json:"uri,omitempty"`
	Digest           map[string]string `json:"digest"`
	DownloadLocation string            `json:"downloadLocation,omitempty"`
}

type VSAPredicate ¶

type VSAPredicate struct {
	Verifier           VSAVerifier          `json:"verifier"`
	TimeVerified       string               `json:"timeVerified"`
	ResourceURI        string               `json:"resourceUri"`
	Policy             VSAPolicy            `json:"policy"`
	InputAttestations  []ResourceDescriptor `json:"inputAttestations,omitempty"`
	VerificationResult string               `json:"verificationResult"`
	VerifiedLevels     []string             `json:"verifiedLevels"`
}

type VSAVerifier ¶

type VSAVerifier struct {
	ID      string          `json:"id"`
	Version VerifierVersion `json:"version"`
}

type Verifier ¶ added in v0.6.0

type Verifier interface {
	GetSignatureVerifier(ctx context.Context, publicKey crypto.PublicKey, opts *VerifyOptions) (dsse.Verifier, error)
	GetLogVerifier(ctx context.Context, opts *VerifyOptions) (tlog.TransparencyLog, error)
	VerifySignature(ctx context.Context, publicKey crypto.PublicKey, data []byte, signature []byte, opts *VerifyOptions) error
	VerifyLog(ctx context.Context, keyMeta *KeyMetadata, data []byte, sig *Signature, opts *VerifyOptions) error
}

func NewVerfier ¶ added in v0.6.0

func NewVerfier(options ...func(*verifier)) (Verifier, error)

type VerifierVersion ¶ added in v0.6.7

type VerifierVersion map[string]string

func GetVerifierVersion ¶ added in v0.6.7

func GetVerifierVersion(fetcher version.Fetcher) (VerifierVersion, error)

type VerifyOptions ¶

type VerifyOptions struct {
	Keys            []*KeyMetadata      `json:"keys"`
	SkipTL          bool                `json:"skip_tl"`
	TransparencyLog TransparencyLogKind `json:"tl"`
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL