Documentation
¶
Index ¶
Constants ¶
View Source
const ( GitHubActionsIssuer = "https://token.actions.githubusercontent.com" GoogleOIDCIssuer = "https://accounts.google.com" GitHubOAuthIssuer = "https://github.com/login/oauth" GitLabIssuer = "https://gitlab.com" )
known OIDC issuers for auto-detection
Variables ¶
View Source
var GithubTrustedRoot []byte
View Source
var PublicSigstoreTrustedRoot []byte
static snapshot of the public-good Sigstore trusted root. unlike the GitHub root (refreshed live via FetchTrustedRoot), this has no refresh path, so a future Sigstore key rotation requires re-vendoring this file; longer term it should be fetched live from the Sigstore TUF repo.
Functions ¶
func GetPublicTrustedRoot ¶
func GetPublicTrustedRoot() []byte
returns embedded public sigstore trusted root
func GetTrustedRoot ¶
returns the GitHub trusted root with fallback mechanism. first attempts to fetch the latest root dynamically, and falls back to the embedded root if the dynamic fetch fails.
Types ¶
type TrustedRootSource ¶
type TrustedRootSource string
trusted root source selection
const ( TrustedRootSourceGitHub TrustedRootSource = "github" TrustedRootSourcePublic TrustedRootSource = "public" TrustedRootSourceAuto TrustedRootSource = "auto" )
func DetectTrustedRootFromCert ¶
func DetectTrustedRootFromCert(certPEM []byte) (TrustedRootSource, error)
detects trusted root from certificate's OIDC issuer
func SelectTrustedRoot ¶
func SelectTrustedRoot(source TrustedRootSource, certPEM []byte) ([]byte, TrustedRootSource, error)
selects trusted root based on source and optional certificate
Click to show internal directories.
Click to hide internal directories.