attestation

package

v0.1.7 Latest Latest Go to latest Published: Jul 11, 2024 License: Apache-2.0 Imports: 23 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/docker/attest

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func AddImageToIndex(idx v1.ImageIndex, manifest *AttestationManifest) (v1.ImageIndex, error)
func AddImagesToIndex(idx v1.ImageIndex, manifests []*AttestationManifest) (v1.ImageIndex, error)
func DSSEMediaType(predicateType string) (string, error)
func ToVSAResourceURI(sub intoto.Subject) (string, error)
func ValidPayloadType(payloadType string) bool
func VerifyDSSE(ctx context.Context, env *Envelope, opts *VerifyOptions) ([]byte, error)
type AttestationImage
type AttestationLayer
- func GetAttestationsFromImage(image v1.Image) ([]*AttestationLayer, error)
type AttestationManifest
- func GetAttestationManifestsFromIndex(index v1.ImageIndex) ([]*AttestationManifest, error)
- func (manifest *AttestationManifest) AddAttestation(ctx context.Context, signer dsse.SignerVerifier, statement *intoto.Statement, ...) error
- func (manifest *AttestationManifest) AddOrReplaceLayer(signedLayer *AttestationLayer, opts *SigningOptions) error
type DockerDsseExtension
type DockerTlExtension
type Envelope
- func SignDSSE(ctx context.Context, payload []byte, signer dsse.SignerVerifier, ...) (*Envelope, error)
- func SignInTotoStatement(ctx context.Context, statement *intoto.Statement, signer dsse.SignerVerifier, ...) (*Envelope, error)
type Extension
type KeyMetadata
type Keys
type KeysMap
type Signature
type SignedAttestationImage
type SigningOptions
type VSAInputAttestation
type VSAPolicy
type VSAPredicate
type VSAVerifier
type VerifyOptions

Constants ¶

View Source

const (
	DockerReferenceType           = "vnd.docker.reference.type"
	AttestationManifestType       = "attestation-manifest"
	InTotoPredicateType           = "in-toto.io/predicate-type"
	DockerReferenceDigest         = "vnd.docker.reference.digest"
	DockerDsseExtKind             = "application/vnd.docker.attestation-verification.v1+json"
	RekorTlExtKind                = "Rekor"
	OCIDescriptorDSSEMediaType    = ociv1.MediaTypeDescriptor + "+dsse"
	InTotoReferenceLifecycleStage = "vnd.docker.lifecycle-stage"
	LifecycleStageExperimental    = "experimental"
)

View Source

const (
	VSAPredicateType = "https://slsa.dev/verification_summary/v1"
)

Variables ¶

This section is empty.

Functions ¶

func AddImageToIndex ¶ added in v0.1.7

func AddImageToIndex(
	idx v1.ImageIndex,
	manifest *AttestationManifest,
) (v1.ImageIndex, error)

func AddImagesToIndex ¶ added in v0.1.7

func AddImagesToIndex(
	idx v1.ImageIndex,
	manifests []*AttestationManifest,
) (v1.ImageIndex, error)

func DSSEMediaType ¶ added in v0.1.3

func DSSEMediaType(predicateType string) (string, error)

func ToVSAResourceURI ¶ added in v0.1.3

func ToVSAResourceURI(sub intoto.Subject) (string, error)

func ValidPayloadType ¶

func ValidPayloadType(payloadType string) bool

func VerifyDSSE ¶

func VerifyDSSE(ctx context.Context, env *Envelope, opts *VerifyOptions) ([]byte, error)

Types ¶

type AttestationImage ¶ added in v0.1.3

type AttestationImage struct {
	Layers []*AttestationLayer
	Image  v1.Image
}

type AttestationLayer ¶ added in v0.1.3

type AttestationLayer struct {
	Statement   *intoto.Statement
	Layer       v1.Layer
	MediaType   types.MediaType
	Annotations map[string]string
}

func GetAttestationsFromImage ¶ added in v0.1.3

func GetAttestationsFromImage(image v1.Image) ([]*AttestationLayer, error)

GetAttestationsFromImage extracts all attestation layers from an image

type AttestationManifest ¶ added in v0.1.3

type AttestationManifest struct {
	Descriptor        *v1.Descriptor
	Attestation       *AttestationImage
	MediaType         types.MediaType
	Annotations       map[string]string
	Digest            v1.Hash
	SubjectDescriptor *v1.Descriptor
}

func GetAttestationManifestsFromIndex ¶ added in v0.1.3

func GetAttestationManifestsFromIndex(index v1.ImageIndex) ([]*AttestationManifest, error)

GetAttestationManifestsFromIndex extracts all attestation manifests from an index

func (*AttestationManifest) AddAttestation ¶ added in v0.1.7

func (manifest *AttestationManifest) AddAttestation(ctx context.Context, signer dsse.SignerVerifier, statement *intoto.Statement, opts *SigningOptions) error

func (*AttestationManifest) AddOrReplaceLayer ¶ added in v0.1.7

func (manifest *AttestationManifest) AddOrReplaceLayer(signedLayer *AttestationLayer, opts *SigningOptions) error

AddOrReplaceLayer adds signed layers to a new or existing attestation image NOTE: the pointers attestation.AttestationLayer.Statement are compared when replacing, so make sure you are signing a layer extracted from the original attestation-manifest image!

type DockerDsseExtension ¶

type DockerDsseExtension struct {
	Tl DockerTlExtension `json:"tl"`
}

type DockerTlExtension ¶

type DockerTlExtension struct {
	Kind string `json:"kind"`
	Data any    `json:"data"`
}

type Envelope ¶

type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

the following types are needed until https://github.com/secure-systems-lab/dsse/pull/61 is merged

func SignDSSE ¶

func SignDSSE(ctx context.Context, payload []byte, signer dsse.SignerVerifier, opts *SigningOptions) (*Envelope, error)

SignDSSE signs a payload with a given signer and uploads the signature to the transparency log

func SignInTotoStatement ¶ added in v0.1.7

func SignInTotoStatement(ctx context.Context, statement *intoto.Statement, signer dsse.SignerVerifier, opts *SigningOptions) (*Envelope, error)

type Extension ¶

type Extension struct {
	Kind string              `json:"kind"`
	Ext  DockerDsseExtension `json:"ext"`
}

type KeyMetadata ¶

type KeyMetadata struct {
	ID            string     `json:"id"`
	PEM           string     `json:"key"`
	From          time.Time  `json:"from"`
	To            *time.Time `json:"to"`
	Status        string     `json:"status"`
	SigningFormat string     `json:"signing-format"`
	Distrust      bool       `json:"distrust,omitempty"`
}

type Keys ¶

type Keys []KeyMetadata

type KeysMap ¶

type KeysMap map[string]KeyMetadata

type Signature ¶

type Signature struct {
	KeyID     string    `json:"keyid"`
	Sig       string    `json:"sig"`
	Extension Extension `json:"extension"`
}

type SignedAttestationImage ¶ added in v0.1.5

type SignedAttestationImage struct {
	Image               v1.Image
	Descriptor          *v1.Descriptor
	AttestationManifest *AttestationManifest
}

type SigningOptions ¶ added in v0.1.5

type SigningOptions struct {
	// replace unsigned statements with signed attestations
	Replace bool
	// don't log to the configured transparency log
	SkipTL bool
	// don't add OCI subject field to attestation image
	SkipSubject bool
}

type VSAInputAttestation ¶ added in v0.1.3

type VSAInputAttestation struct {
	Digest    map[string]string `json:"digest"`
	MediaType string            `json:"mediaType"`
}

type VSAPolicy ¶ added in v0.1.3

type VSAPolicy struct {
	URI string `json:"uri"`
}

type VSAPredicate ¶ added in v0.1.3

type VSAPredicate struct {
	Verifier           VSAVerifier           `json:"verifier"`
	TimeVerified       string                `json:"timeVerified"`
	ResourceUri        string                `json:"resourceUri"`
	Policy             VSAPolicy             `json:"policy"`
	InputAttestations  []VSAInputAttestation `json:"inputAttestations"`
	VerificationResult string                `json:"verificationResult"`
	VerifiedLevels     []string              `json:"verifiedLevels"`
}

type VSAVerifier ¶ added in v0.1.3

type VSAVerifier struct {
	ID string `json:"id"`
}

type VerifyOptions ¶ added in v0.1.5

type VerifyOptions struct {
	Keys   []KeyMetadata `json:"keys"`
	SkipTL bool          `json:"skip_tl"`
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL