attest

package

v0.1.5 Latest Latest Go to latest Published: Jun 21, 2024 License: Apache-2.0 Imports: 17 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/docker/attest

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func AddAttestation(ctx context.Context, idx v1.ImageIndex, statement *intoto.Statement, ...) (v1.ImageIndex, error)
func Sign(ctx context.Context, idx v1.ImageIndex, signer dsse.SignerVerifier, ...) (v1.ImageIndex, error)
func SignLayersAndAddToImage(ctx context.Context, attestationLayers []attestation.AttestationLayer, ...) (v1.Image, *v1.Descriptor, error)
func SignedAttestationImages(ctx context.Context, idx v1.ImageIndex, signer dsse.SignerVerifier, ...) ([]*attestation.SignedAttestationImage, error)
type Outcome
- func (o Outcome) StringForVSA() (string, error)
type VerificationResult

Constants ¶

View Source

const (
	InTotoReferenceLifecycleStage = "vnd.docker.lifecycle-stage"
	LifecycleStageExperimental    = "experimental"
)

Variables ¶

This section is empty.

Functions ¶

func AddAttestation ¶ added in v0.1.4

func AddAttestation(ctx context.Context, idx v1.ImageIndex, statement *intoto.Statement, signer dsse.SignerVerifier) (v1.ImageIndex, error)

func Sign ¶

func Sign(ctx context.Context, idx v1.ImageIndex, signer dsse.SignerVerifier, opts *attestation.SigningOptions) (v1.ImageIndex, error)

Example (Remote) ¶

package main

import (
	"context"

	"github.com/docker/attest/pkg/attest"
	"github.com/docker/attest/pkg/attestation"
	"github.com/docker/attest/pkg/mirror"
	"github.com/docker/attest/pkg/oci"
	"github.com/docker/attest/pkg/signerverifier"

	v1 "github.com/google/go-containerregistry/pkg/v1"
	"github.com/google/go-containerregistry/pkg/v1/empty"
	"github.com/google/go-containerregistry/pkg/v1/mutate"
)

func main() {
	// configure signerverifier
	// local signer (unsafe for production)
	signer, err := signerverifier.GenKeyPair()
	if err != nil {
		panic(err)
	}
	// example using AWS KMS signer
	// aws_arn := "arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012"
	// aws_region := "us-west-2"
	// signer, err := signerverifier.GetAWSSigner(cmd.Context(), aws_arn, aws_region)

	// configure signing options
	opts := &attestation.SigningOptions{
		Replace: true, // replace unsigned intoto statements with signed intoto attestations, otherwise leave in place
	}

	// load image index with unsigned attestation-manifests
	ref := "docker/image-signer-verifier:latest"
	att, err := oci.SubjectIndexFromRemote(ref)
	if err != nil {
		panic(err)
	}
	// example for local image index
	// path := "/myimage"
	// att, err := oci.AttestationIndexFromLocal(path)

	// sign attestations
	signedImageIndex, err := attest.Sign(context.Background(), att.Index, signer, opts)
	if err != nil {
		panic(err)
	}

	// push image index with signed attestation-manifests
	err = mirror.PushIndexToRegistry(signedImageIndex, ref)
	if err != nil {
		panic(err)
	}
	// output image index to filesystem (optional)
	path := "/myimage"
	idx := v1.ImageIndex(empty.Index)
	idx = mutate.AppendManifests(idx, mutate.IndexAddendum{
		Add: signedImageIndex,
		Descriptor: v1.Descriptor{
			Annotations: map[string]string{
				oci.OciReferenceTarget: att.Name,
			},
		},
	})
	err = mirror.SaveIndexAsOCILayout(idx, path)
	if err != nil {
		panic(err)
	}
}

func SignLayersAndAddToImage ¶ added in v0.1.5

func SignLayersAndAddToImage(
	ctx context.Context,
	attestationLayers []attestation.AttestationLayer,
	manifest attestation.AttestationManifest,
	signer dsse.SignerVerifier,
	opts *attestation.SigningOptions) (v1.Image, *v1.Descriptor, error)

func SignedAttestationImages ¶ added in v0.1.5

func SignedAttestationImages(ctx context.Context, idx v1.ImageIndex, signer dsse.SignerVerifier, opts *attestation.SigningOptions) ([]*attestation.SignedAttestationImage, error)

Types ¶

type Outcome ¶ added in v0.1.4

type Outcome string

const (
	OutcomeSuccess  Outcome = "success"
	OutcomeFailure  Outcome = "failure"
	OutcomeNoPolicy Outcome = "no_policy"
)

func (Outcome) StringForVSA ¶ added in v0.1.4

func (o Outcome) StringForVSA() (string, error)

type VerificationResult ¶ added in v0.1.4

type VerificationResult struct {
	Outcome    Outcome
	Policy     *policy.Policy
	Input      *policy.PolicyInput
	VSA        *intoto.Statement
	Violations []policy.Violation
}

func ToPolicyResult ¶ added in v0.1.4

func ToPolicyResult(p *policy.Policy, input *policy.PolicyInput, result *policy.Result) (*VerificationResult, error)

func Verify ¶

func Verify(ctx context.Context, src *oci.ImageSpec, opts *policy.PolicyOptions) (result *VerificationResult, err error)

Example (Remote) ¶

package main

import (
	"context"
	"fmt"
	"os"
	"path/filepath"

	"github.com/docker/attest/internal/embed"
	"github.com/docker/attest/pkg/attest"
	"github.com/docker/attest/pkg/oci"
	"github.com/docker/attest/pkg/policy"
	"github.com/docker/attest/pkg/tuf"
)

func createTufClient(outputPath string) (*tuf.TufClient, error) {
	// using oci tuf metadata and targets
	metadataURI := "registry-1.docker.io/docker/tuf-metadata:latest"
	targetsURI := "registry-1.docker.io/docker/tuf-targets"
	// example using http tuf metadata and targets
	// metadataURI := "https://docker.github.io/tuf-staging/metadata"
	// targetsURI := "https://docker.github.io/tuf-staging/targets"

	return tuf.NewTufClient(embed.StagingRoot, outputPath, metadataURI, targetsURI, tuf.NewMockVersionChecker())
}

func main() {
	// create a tuf client
	home, err := os.UserHomeDir()
	if err != nil {
		panic(err)
	}
	tufOutputPath := filepath.Join(home, ".docker", "tuf")
	tufClient, err := createTufClient(tufOutputPath)
	if err != nil {
		panic(err)
	}

	// create a resolver for remote attestations
	image := "registry-1.docker.io/library/notary:server"
	platform := "linux/amd64"

	// configure policy options
	opts := &policy.PolicyOptions{
		TufClient:       tufClient,
		LocalTargetsDir: filepath.Join(home, ".docker", "policy"), // location to store policy files downloaded from TUF
		LocalPolicyDir:  "",                                       // overrides TUF policy for local policy files if set
		PolicyId:        "",                                       // set to ignore policy mapping and select a policy by id
	}

	// verify attestations
	src, err := oci.ParseImageSpec(image, oci.WithPlatform(platform))
	if err != nil {
		panic(err)
	}
	result, err := attest.Verify(context.Background(), src, opts)
	if err != nil {
		panic(err)
	}
	switch result.Outcome {
	case attest.OutcomeSuccess:
		fmt.Println("policy passed")
	case attest.OutcomeNoPolicy:
		fmt.Println("no policy for image")
	case attest.OutcomeFailure:
		fmt.Println("policy failed")
	}
}

func VerifyAttestations ¶

func VerifyAttestations(ctx context.Context, resolver oci.AttestationResolver, pctx *policy.Policy) (*VerificationResult, error)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL