Documentation
¶
Overview ¶
provides functionality for offline attestation verification using pre-downloaded Sigstore bundles and trusted roots.
provides functionality for offline attestation verification using pre-downloaded Sigstore bundles and trusted roots
Index ¶
- func LoadBundles(bundlePath string) ([]*bundle.Bundle, error)
- func RunCommand(cmd *cobra.Command, args []string) error
- func WriteBundles(bundles []*bundle.Bundle, path, format string) error
- type AttestationResult
- type CertificateIdentity
- type OfflineVerifier
- func (ov *OfflineVerifier) Bundles() []*bundle.Bundle
- func (ov *OfflineVerifier) LoadBundlesFromFile(bundlePath string) error
- func (ov *OfflineVerifier) VerifyArtifact(artifactPath string) (*VerificationResult, error)
- func (ov *OfflineVerifier) VerifyArtifactDigest(digest string) (*VerificationResult, error)
- type Subject
- type VerificationResult
- type VerifyOptions
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func LoadBundles ¶
loads sigstore bundles from a JSON/JSONL file or directory
func RunCommand ¶
handles the offline command execution
Types ¶
type AttestationResult ¶
type AttestationResult struct {
Type string `json:"type"`
Subject *Subject `json:"subject,omitempty"`
Verified bool `json:"verified"`
SignatureValid bool `json:"signatureValid"`
CertificateValid bool `json:"certificateValid"`
TLogVerified bool `json:"tlogVerified"`
Error string `json:"error,omitempty"`
Warnings []string `json:"warnings,omitempty"`
}
result of verifying a single attestation
type CertificateIdentity ¶
type CertificateIdentity struct {
SubjectAlternativeName string `json:"subjectAlternativeName"`
Issuer string `json:"issuer"`
}
certificate identity information
type OfflineVerifier ¶
type OfflineVerifier struct {
// contains filtered or unexported fields
}
offline attestation verification
func NewOfflineVerifier ¶
func NewOfflineVerifier(trustedRootPath string, options VerifyOptions) (*OfflineVerifier, error)
offline verifier with trusted root
func (*OfflineVerifier) Bundles ¶
func (ov *OfflineVerifier) Bundles() []*bundle.Bundle
returns the loaded bundles (avoids reloading from file)
func (*OfflineVerifier) LoadBundlesFromFile ¶
func (ov *OfflineVerifier) LoadBundlesFromFile(bundlePath string) error
loads bundles from a file
func (*OfflineVerifier) VerifyArtifact ¶
func (ov *OfflineVerifier) VerifyArtifact(artifactPath string) (*VerificationResult, error)
verifies an artifact file or directory against loaded bundles
func (*OfflineVerifier) VerifyArtifactDigest ¶
func (ov *OfflineVerifier) VerifyArtifactDigest(digest string) (*VerificationResult, error)
verifies an artifact by its digest (useful for container images)
type VerificationResult ¶
type VerificationResult struct {
Verified bool `json:"verified"`
Attestations []AttestationResult `json:"attestations"`
CertificateIdentity interface{} `json:"certificateIdentity,omitempty"`
PolicyCompliance map[string]bool `json:"policyCompliance,omitempty"`
Errors []string `json:"errors,omitempty"`
Warnings []string `json:"warnings,omitempty"`
}
result of offline verification
type VerifyOptions ¶
type VerifyOptions struct {
CertIdentity string // expected certificate identity (workflow URL)
CertOIDCIssuer string // expected OIDC issuer
SkipTLogVerify bool // force-skip transparency-log verification even when a bundle carries an entry (programmatic only; no CLI flag)
Quiet bool // suppress output messages
SourceRef string // expected source repository ref (e.g., refs/heads/main)
TrustedRootSource string // trusted root source: github, public, or auto
AcceptedIdentities []string // resolved signer allowlist (union of --cert-identity and the list); each attestation must match at least one (OR semantics)
}
options for offline verification