attestation


Constants

// Annotation keys and values that tie an attestation manifest to the image it
// describes. The "vnd.docker.*" names read like OCI manifest annotation keys
// — confirm where they are written and read before changing any of them.
const (
	DockerReferenceType           = "vnd.docker.reference.type"
	DockerReferenceDigest         = "vnd.docker.reference.digest"
	AttestationManifestType       = "attestation-manifest"
	InTotoPredicateType           = "in-toto.io/predicate-type"
	InTotoReferenceLifecycleStage = "vnd.docker.lifecycle-stage"
	LifecycleStageExperimental    = "experimental"
)

// Kind values for the per-signature DSSE extension (Extension.Kind) and for its
// transparency-log record (DockerTLExtension.Kind) — presumably; confirm
// against SignDSSE and VerifyDSSE.
const (
	DockerDSSEExtKind = "application/vnd.docker.attestation-verification.v1+json"
	RekorTLExtKind    = "Rekor"
)

// OCIDescriptorDSSEMediaType is the OCI descriptor media type with a "+dsse"
// suffix appended.
const OCIDescriptorDSSEMediaType = ociv1.MediaTypeDescriptor + "+dsse"
// VSAPredicateType is the in-toto predicate type of a SLSA Verification
// Summary Attestation (v1); VSAPredicate is the matching predicate body.
const VSAPredicateType = "https://slsa.dev/verification_summary/v1"

Variables

This section is empty.

Functions

func DSSEMediaType added in v0.1.3

func DSSEMediaType(predicateType string) (string, error)

func ToVSAResourceURI added in v0.1.3

func ToVSAResourceURI(sub intoto.Subject) (string, error)

func UpdateIndexImage added in v0.1.8

func UpdateIndexImage(
	idx v1.ImageIndex,
	manifest *Manifest,
	options ...func(*ManifestImageOptions) error,
) (v1.ImageIndex, error)

func UpdateIndexImages added in v0.1.8

func UpdateIndexImages(idx v1.ImageIndex, manifest []*Manifest, options ...func(*ManifestImageOptions) error) (v1.ImageIndex, error)

func ValidPayloadType

func ValidPayloadType(payloadType string) bool

func VerifyDSSE

func VerifyDSSE(ctx context.Context, env *Envelope, opts *VerifyOptions) ([]byte, error)

func WithReplacedLayers added in v0.1.8

func WithReplacedLayers(replaceLayers bool) func(*ManifestImageOptions) error

func WithoutSubject added in v0.1.8

func WithoutSubject(skipSubject bool) func(*ManifestImageOptions) error

Types

type DockerDSSEExtension added in v0.2.0

// DockerDSSEExtension is the Docker-specific payload carried in
// Extension.Ext on a Signature. Its only member is the transparency-log
// record for that signature.
type DockerDSSEExtension struct {
	// TL is encoded as the "tl" JSON member; there is no omitempty, so a nil
	// pointer is written as JSON null rather than dropped.
	TL *DockerTLExtension `json:"tl"`
}

type DockerTLExtension added in v0.2.0

// DockerTLExtension describes a transparency-log entry attached to a
// signature.
type DockerTLExtension struct {
	// Kind names the log; RekorTLExtKind is the only value this package defines.
	Kind string `json:"kind"`
	// Data is deliberately untyped (any): after JSON decoding it is whatever the
	// producer sent, so consumers must type-assert and validate it rather than
	// trust its shape.
	Data any    `json:"data"`
}

type EmptyConfigImage added in v0.1.8

// EmptyConfigImage wraps a v1.Image and overrides Digest, Manifest,
// RawConfigFile and RawManifest (see the methods listed below); every other
// v1.Image method is promoted from the embedded value. The name suggests the
// overrides present an empty config blob — confirm against the method bodies,
// which are not shown here.
type EmptyConfigImage struct {
	v1.Image
}

func (*EmptyConfigImage) Digest added in v0.3.0

func (i *EmptyConfigImage) Digest() (v1.Hash, error)

func (*EmptyConfigImage) Manifest added in v0.1.8

func (i *EmptyConfigImage) Manifest() (*v1.Manifest, error)

func (*EmptyConfigImage) RawConfigFile added in v0.1.8

func (i *EmptyConfigImage) RawConfigFile() ([]byte, error)

func (*EmptyConfigImage) RawManifest added in v0.1.8

func (i *EmptyConfigImage) RawManifest() ([]byte, error)

type Envelope

// Envelope is the DSSE envelope produced by SignDSSE and consumed by
// VerifyDSSE: a payload plus the signatures over it. Per the note below it is
// presumably a local mirror of the upstream DSSE type that adds the Docker
// Extension on each Signature — confirm once upstream merges it.
type Envelope struct {
	// PayloadType is presumably validated with ValidPayloadType before the
	// payload is trusted — confirm in VerifyDSSE.
	PayloadType string       `json:"payloadType"`
	// Payload is the signed message as a string; DSSE conventionally
	// base64-encodes it here — confirm against SignDSSE.
	Payload     string       `json:"payload"`
	Signatures  []*Signature `json:"signatures"`
}

The following types are needed until https://github.com/secure-systems-lab/dsse/pull/61 is merged.

func SignDSSE

func SignDSSE(ctx context.Context, payload []byte, signer dsse.SignerVerifier, opts *SigningOptions) (*Envelope, error)

SignDSSE signs a payload with a given signer and uploads the signature to the transparency log.

func SignInTotoStatement added in v0.1.7

func SignInTotoStatement(ctx context.Context, statement *intoto.Statement, signer dsse.SignerVerifier, opts *SigningOptions) (*Envelope, error)

type Extension

// Extension is the per-signature extension slot on Signature. Kind presumably
// carries DockerDSSEExtKind and Ext the Docker-specific record — confirm in
// SignDSSE/VerifyDSSE.
type Extension struct {
	Kind string               `json:"kind"`
	// Ext has no omitempty, so a nil pointer is encoded as JSON null.
	Ext  *DockerDSSEExtension `json:"ext"`
}

type KeyMetadata

// KeyMetadata describes one verification key as supplied in
// VerifyOptions.Keys. From, To and Distrust presumably bound whether a
// signature made with this key is accepted — confirm against VerifyDSSE
// before relying on any of them.
type KeyMetadata struct {
	// ID is presumably matched against Signature.KeyID — confirm.
	ID            string     `json:"id"`
	// PEM holds the PEM-encoded key material; note the JSON member is "key".
	PEM           string     `json:"key"`
	// From and To form the validity window; To is a pointer so that "no
	// expiry" can be encoded as JSON null.
	From          time.Time  `json:"from"`
	To            *time.Time `json:"to"`
	Status        string     `json:"status"`
	SigningFormat string     `json:"signing-format"`
	// Distrust is omitted from JSON when false, so an absent member reads as
	// "not distrusted".
	Distrust      bool       `json:"distrust,omitempty"`
}

type Keys

// Keys is a slice of KeyMetadata entries.
type Keys []*KeyMetadata

type KeysMap

// KeysMap indexes KeyMetadata by a string key — presumably KeyMetadata.ID;
// confirm where the map is built.
type KeysMap map[string]*KeyMetadata

type Layer added in v0.2.0

// Layer pairs one attestation layer of an image with its in-toto Statement
// and the layer's annotations; GetAttestationsFromImage returns one per
// attestation layer.
type Layer struct {
	Statement   *intoto.Statement
	Layer       v1.Layer
	Annotations map[string]string
}

func GetAttestationsFromImage added in v0.1.3

func GetAttestationsFromImage(image v1.Image) ([]*Layer, error)

GetAttestationsFromImage extracts all attestation layers from an image.

type Manifest added in v0.2.0

// Manifest is an attestation manifest being built or re-signed: the
// descriptor and layers it started from, the layers signed so far, and the
// subject image the attestations refer to.
type Manifest struct {
	// OriginalDescriptor and OriginalLayers are the manifest as found in the
	// index (see GetAttestationManifestsFromIndex).
	OriginalDescriptor *v1.Descriptor
	OriginalLayers     []*Layer

	// SignedLayers is accumulated during signing (AddAttestation).
	SignedLayers []*Layer
	// SubjectName and SubjectDescriptor are the details of the subject image.
	SubjectName       string
	SubjectDescriptor *v1.Descriptor
}
Example
package main

import (
	"context"
	"time"

	"github.com/docker/attest/pkg/attest"
	"github.com/docker/attest/pkg/attestation"
	"github.com/docker/attest/pkg/oci"
	"github.com/docker/attest/pkg/signerverifier"

	v1 "github.com/google/go-containerregistry/pkg/v1"

	intoto "github.com/in-toto/in-toto-golang/in_toto"
	"github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
)

// main signs a SLSA Verification Summary for an image and publishes it to the
// registry as a referrers artifact.
func main() {
	// A locally generated key pair keeps the example self-contained; it is
	// not suitable for production use.
	signer, err := signerverifier.GenKeyPair()
	if err != nil {
		panic(err)
	}
	// Alternative: an AWS KMS-backed signer.
	// aws_arn := "arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012"
	// aws_region := "us-west-2"
	// signer, err := signerverifier.GetAWSSigner(cmd.Context(), aws_arn, aws_region)

	// SkipTL leaves the signature out of the transparency log.
	signingOpts := &attestation.SigningOptions{SkipTL: true}

	subjectRef := "docker/image-signer-verifier:latest"

	subjectDigest, err := v1.NewHash("sha256:da8b190665956ea07890a0273e2a9c96bfe291662f08e2860e868eef69c34620")
	if err != nil {
		panic(err)
	}
	// Size and MediaType are illustrative here; in practice the descriptor
	// comes from the registry.
	subject := &v1.Descriptor{
		Digest:    subjectDigest,
		Size:      1234,
		MediaType: "application/vnd.oci.image.manifest.v1+json",
	}

	statement := newVSAStatement(subjectRef, subjectDigest)

	// The manifest collects the signed attestation layers for the subject.
	manifest, err := attest.NewAttestationManifest(subject)
	if err != nil {
		panic(err)
	}
	if err := manifest.AddAttestation(context.Background(), signer, statement, signingOpts); err != nil {
		panic(err)
	}

	target, err := oci.ParseImageSpecs("docker/image-signer-verifier-referrers:latest")
	if err != nil {
		panic(err)
	}
	// Publish the manifest as a referrers artifact of the subject image.
	if err := oci.SaveReferrers(manifest, target); err != nil {
		panic(err)
	}
}

// newVSAStatement builds the in-toto statement the example signs: a SLSA
// Verification Summary whose single subject is the image at ref with the
// given digest.
func newVSAStatement(ref string, digest v1.Hash) *intoto.Statement {
	return &intoto.Statement{
		StatementHeader: intoto.StatementHeader{
			PredicateType: attestation.VSAPredicateType,
			Subject:       []intoto.Subject{{Name: ref, Digest: common.DigestSet{digest.Algorithm: digest.Hex}}},
			Type:          intoto.StatementInTotoV01,
		},
		Predicate: attestation.VSAPredicate{
			Verifier:           attestation.VSAVerifier{ID: "test-verifier"},
			TimeVerified:       time.Now().UTC().Format(time.RFC3339),
			ResourceURI:        "some-uri",
			Policy:             attestation.VSAPolicy{URI: "some-uri"},
			VerificationResult: "PASSED",
			VerifiedLevels:     []string{"SLSA_BUILD_LEVEL_1"},
		},
	}
}

func GetAttestationManifestsFromIndex added in v0.1.3

func GetAttestationManifestsFromIndex(index v1.ImageIndex) ([]*Manifest, error)

GetAttestationManifestsFromIndex extracts all attestation manifests from an index.

func (*Manifest) AddAttestation added in v0.2.0

func (manifest *Manifest) AddAttestation(ctx context.Context, signer dsse.SignerVerifier, statement *intoto.Statement, opts *SigningOptions) error

func (*Manifest) BuildAttestationImage added in v0.2.0

func (manifest *Manifest) BuildAttestationImage(options ...func(*ManifestImageOptions) error) (v1.Image, error)

BuildAttestationImage builds an image with signed attestations, optionally replacing the existing layers with the signed ones.

func (*Manifest) BuildReferringArtifacts added in v0.2.0

func (manifest *Manifest) BuildReferringArtifacts() ([]v1.Image, error)

BuildReferringArtifacts builds one image per attestation (layer), suitable for use as Referrers.

type ManifestImageOptions added in v0.2.0

// ManifestImageOptions holds the options for BuildAttestationImage and
// UpdateIndexImage(s). Its fields are unexported; it is configured only
// through the option functions WithReplacedLayers and WithoutSubject.
type ManifestImageOptions struct {
	// contains filtered or unexported fields
}

type Signature

// Signature is one signature over Envelope.Payload.
type Signature struct {
	// KeyID names the signing key; presumably matched to KeyMetadata.ID at
	// verification — confirm.
	KeyID     string     `json:"keyid"`
	Sig       string     `json:"sig"`
	// Extension is the non-standard DSSE addition this package relies on; it
	// is omitted from JSON when nil.
	Extension *Extension `json:"extension,omitempty"`
}

type SigningOptions added in v0.1.5

// SigningOptions controls SignDSSE and SignInTotoStatement.
type SigningOptions struct {
	// SkipTL: don't log to the configured transparency log. Suitable for
	// local examples and tests; a verifier that requires a log entry will
	// presumably reject such signatures unless it sets VerifyOptions.SkipTL
	// — confirm in VerifyDSSE.
	SkipTL bool
}

type VSAInputAttestation added in v0.1.3

// VSAInputAttestation identifies one attestation that fed a verification
// summary (VSAPredicate.InputAttestations): its digest set and media type.
type VSAInputAttestation struct {
	Digest    map[string]string `json:"digest"`
	MediaType string            `json:"mediaType"`
}

type VSAPolicy added in v0.1.3

// VSAPolicy names, by URI, the policy a verification summary was evaluated
// against (VSAPredicate.Policy).
type VSAPolicy struct {
	URI string `json:"uri"`
}

type VSAPredicate added in v0.1.3

// VSAPredicate is the predicate body for statements of type VSAPredicateType;
// the field names follow the SLSA Verification Summary (v1) predicate.
type VSAPredicate struct {
	Verifier           VSAVerifier           `json:"verifier"`
	// TimeVerified is a plain string; the package example fills it with an
	// RFC 3339 UTC timestamp.
	TimeVerified       string                `json:"timeVerified"`
	ResourceURI        string                `json:"resourceUri"`
	Policy             VSAPolicy             `json:"policy"`
	InputAttestations  []VSAInputAttestation `json:"inputAttestations"`
	// VerificationResult is a free-form string ("PASSED" in the example);
	// nothing here constrains its values — confirm what consumers accept.
	VerificationResult string                `json:"verificationResult"`
	VerifiedLevels     []string              `json:"verifiedLevels"`
}

type VSAVerifier added in v0.1.3

// VSAVerifier identifies the party that produced a verification summary
// (VSAPredicate.Verifier).
type VSAVerifier struct {
	ID string `json:"id"`
}

type VerifyOptions added in v0.1.5

// VerifyOptions controls VerifyDSSE.
type VerifyOptions struct {
	// Keys is the set of keys a signature may be checked against.
	Keys   []*KeyMetadata `json:"keys"`
	// SkipTL presumably disables the transparency-log check, mirroring
	// SigningOptions.SkipTL — confirm. Note the JSON member is "skip_tl"
	// (snake case), unlike the camelCase tags elsewhere in this package.
	SkipTL bool           `json:"skip_tl"`
}
