Documentation

Index
- Constants
- func HashData(data []byte) []byte
- func ParseCertificateDER(derBytes []byte) (*ecdsa.PublicKey, error)
- func ParsePublicKey(pemEncodedPubKey []byte) (*ecdsa.PublicKey, error)
- func VerifySignature(pubKey *ecdsa.PublicKey, hash, signature []byte) (bool, error)
- type Bundle
- type Payload
- type Rekor
- type SigstoreBundle
- type SigstoreMessageDigest
- type SigstoreMessageSignature
- type SigstorePublicKeyIdentifier
- type SigstoreVerificationMaterial
- type SigstoreX509Certificate
- type SigstoreX509CertificateChain
Constants
const SigstoreBundleMediaTypePrefix = "application/vnd.dev.sigstore.bundle"
SigstoreBundleMediaTypePrefix is the media type prefix for Sigstore Protobuf Bundle format (v0.1/v0.2/v0.3).
Variables
This section is empty.
Functions
func ParseCertificateDER (added in v1.11.0)
func ParseCertificateDER(derBytes []byte) (*ecdsa.PublicKey, error)
ParseCertificateDER parses a raw DER-encoded X.509 certificate and returns its ECDSA public key. This is used for Sigstore Protobuf Bundles, which store the signing certificate as base64-encoded raw DER bytes rather than PEM.
Types
type Bundle
type Bundle struct {
	Signature   string `json:"base64Signature"`
	Certificate string `json:"cert"`
	RekorBundle Rekor  `json:"rekorBundle"`
}
Bundle is the legacy cosign bundle format (produced with cosign sign-blob --bundle). The certificate is PEM-encoded and the signature is base64.
type SigstoreBundle (added in v1.11.0)
type SigstoreBundle struct {
	MediaType            string                       `json:"mediaType"`
	VerificationMaterial SigstoreVerificationMaterial `json:"verificationMaterial"`
	MessageSignature     *SigstoreMessageSignature    `json:"messageSignature,omitempty"`
}
SigstoreBundle is the new Sigstore Protobuf Bundle format (application/vnd.dev.sigstore.bundle+json). It bundles the verification material (certificate or public key) with the message signature and optional transparency log entries.
Spec: https://github.com/sigstore/protobuf-specs
func (*SigstoreBundle) IsSigstoreBundle (added in v1.11.0)
func (b *SigstoreBundle) IsSigstoreBundle() bool
IsSigstoreBundle returns true when the bundle's media type identifies it as a Sigstore Protobuf Bundle.
func (*SigstoreBundle) LeafCertificate (added in v1.11.0)
func (b *SigstoreBundle) LeafCertificate() string
LeafCertificate returns the raw (base64 DER) leaf signing certificate from either the v0.3+ `certificate` field or the legacy v0.1 `x509CertificateChain.certificates[0]` location.
type SigstoreMessageDigest (added in v1.11.0)
type SigstoreMessageSignature (added in v1.11.0)
type SigstoreMessageSignature struct {
	MessageDigest *SigstoreMessageDigest `json:"messageDigest,omitempty"`
	Signature     string                 `json:"signature"`
}
type SigstorePublicKeyIdentifier (added in v1.11.0)
type SigstorePublicKeyIdentifier struct {
	Hint string `json:"hint"`
}
type SigstoreVerificationMaterial (added in v1.11.0)
type SigstoreVerificationMaterial struct {
	// Certificate is the leaf signing certificate (raw DER, base64 encoded in JSON).
	Certificate *SigstoreX509Certificate `json:"certificate,omitempty"`
	// PublicKey references a public key by hint (used for keyed signing).
	PublicKey *SigstorePublicKeyIdentifier `json:"publicKey,omitempty"`
	// X509CertificateChain is the legacy v0.1 location for the signing cert
	// (kept for compatibility with bundles emitted by older tooling).
	X509CertificateChain *SigstoreX509CertificateChain `json:"x509CertificateChain,omitempty"`
}
type SigstoreX509Certificate (added in v1.11.0)
type SigstoreX509Certificate struct {
	RawBytes string `json:"rawBytes"`
}
type SigstoreX509CertificateChain (added in v1.11.0)
type SigstoreX509CertificateChain struct {
	Certificates []SigstoreX509Certificate `json:"certificates,omitempty"`
}
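The path from a JSON bundle to a verified ECDSA signature is spread across ParseCertificateDER, LeafCertificate and the verification-material types above. The following is an added example, not code from this package: because the page gives no import path, it mirrors the relevant types locally under lowercase names and reimplements the two helpers as leafCertificate and parseCertificateDER; VerifyBundle, MakeTestBundle and the exact v0.3 and v0.1 media-type strings are assumptions. It checks only the message signature over sha256(blob); validating the certificate chain to a trusted root and checking Rekor inclusion are separate steps it leaves out on purpose.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

type ( // local mirrors of the documented bundle types (hypothetical copies; the page gives no import path)
	sigstoreX509Certificate      struct{ RawBytes string `json:"rawBytes"` }
	sigstoreX509CertificateChain struct {
		Certificates []sigstoreX509Certificate `json:"certificates,omitempty"`
	}
	sigstoreVerificationMaterial struct {
		Certificate          *sigstoreX509Certificate      `json:"certificate,omitempty"`
		X509CertificateChain *sigstoreX509CertificateChain `json:"x509CertificateChain,omitempty"`
	}
	sigstoreMessageSignature struct{ Signature string `json:"signature"` }
	sigstoreBundle           struct {
		MediaType            string                       `json:"mediaType"`
		VerificationMaterial sigstoreVerificationMaterial `json:"verificationMaterial"`
		MessageSignature     *sigstoreMessageSignature    `json:"messageSignature,omitempty"`
	}
)

// leafCertificate mirrors LeafCertificate: v0.3+ `certificate` first, then v0.1 chain[0], else "".
func leafCertificate(b *sigstoreBundle) string {
	if b.VerificationMaterial.Certificate != nil {
		return b.VerificationMaterial.Certificate.RawBytes
	}
	if c := b.VerificationMaterial.X509CertificateChain; c != nil && len(c.Certificates) > 0 {
		return c.Certificates[0].RawBytes
	}
	return ""
}

// parseCertificateDER mirrors ParseCertificateDER: raw DER in, ECDSA key out, any other key type rejected.
func parseCertificateDER(der []byte) (*ecdsa.PublicKey, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); ok {
		return pub, nil
	}
	return nil, errors.New("certificate does not carry an ECDSA public key")
}

// VerifyBundle checks the bundle's signature over sha256(blob) and stops there: chain validation and Rekor inclusion are separate steps.
func VerifyBundle(bundleJSON, blob []byte) (bool, error) {
	var b sigstoreBundle
	if err := json.Unmarshal(bundleJSON, &b); err != nil {
		return false, err
	}
	if !strings.HasPrefix(b.MediaType, "application/vnd.dev.sigstore.bundle") { // what IsSigstoreBundle checks
		return false, errors.New("not a Sigstore bundle: " + b.MediaType)
	}
	leaf := leafCertificate(&b)
	if leaf == "" || b.MessageSignature == nil { // fail closed instead of dereferencing nil below
		return false, errors.New("bundle lacks a signing certificate or a messageSignature")
	}
	der, errDER := base64.StdEncoding.DecodeString(leaf)
	sig, errSig := base64.StdEncoding.DecodeString(b.MessageSignature.Signature)
	if err := errors.Join(errDER, errSig); err != nil {
		return false, err
	}
	pub, err := parseCertificateDER(der)
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256(blob)
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}

// MakeTestBundle is a constructed fixture (not real Sigstore output): a self-signed P-256 cert signing sha256(blob), in v0.3 or legacy v0.1 layout.
func MakeTestBundle(blob []byte, legacyLayout bool) ([]byte, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fixed inputs, so errors are ignored
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	digest := sha256.Sum256(blob)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
	cert := sigstoreX509Certificate{RawBytes: base64.StdEncoding.EncodeToString(der)}
	b := sigstoreBundle{MediaType: "application/vnd.dev.sigstore.bundle.v0.3+json"} // media types assumed from protobuf-specs
	b.MessageSignature = &sigstoreMessageSignature{Signature: base64.StdEncoding.EncodeToString(sig)}
	if legacyLayout {
		b.MediaType = "application/vnd.dev.sigstore.bundle+json;version=0.1"
		b.VerificationMaterial.X509CertificateChain = &sigstoreX509CertificateChain{Certificates: []sigstoreX509Certificate{cert}}
	} else {
		b.VerificationMaterial.Certificate = &cert
	}
	return json.Marshal(b)
}
```

MakeTestBundle exists only so the example runs offline; against real cosign output the same VerifyBundle applies, with the chain and transparency-log checks added before the result is trusted. The empty-leaf and nil-messageSignature checks are the ones that matter in practice: a bundle whose verificationMaterial is empty, or which omits messageSignature, must fail closed rather than crash the verifier.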