offline

package
v0.36.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 27, 2026 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Overview

provides functionality for offline attestation verification using pre-downloaded Sigstore bundles and trusted roots.

provides functionality for offline attestation verification using pre-downloaded Sigstore bundles and trusted roots

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ApplyFailOnPolicyError added in v0.32.3

func ApplyFailOnPolicyError(cmd *cobra.Command)

ApplyFailOnPolicyError resolves the fail-on-policy-error setting into viper.

func LoadBundles

func LoadBundles(bundlePath string) ([]*bundle.Bundle, error)

loads sigstore bundles from a JSON/JSONL file or directory

func RunCommand

func RunCommand(cmd *cobra.Command, args []string) error

handles the offline command execution

func WriteBundles

func WriteBundles(bundles []*bundle.Bundle, path, format string) error

writes sigstore bundles to a file in the specified format

Types

type AttestationResult

type AttestationResult struct {
	Type             string   `json:"type"`
	Subject          *Subject `json:"subject,omitempty"`
	Verified         bool     `json:"verified"`
	SignatureValid   bool     `json:"signatureValid"`
	CertificateValid bool     `json:"certificateValid"`
	TLogVerified     bool     `json:"tlogVerified"`
	Error            string   `json:"error,omitempty"`
	Warnings         []string `json:"warnings,omitempty"`
}

result of verifying a single attestation

type CertificateIdentity

type CertificateIdentity struct {
	SubjectAlternativeName string `json:"subjectAlternativeName"`
	Issuer                 string `json:"issuer"`
}

certificate identity information

type OfflineVerifier

type OfflineVerifier struct {
	// contains filtered or unexported fields
}

offline attestation verification

func NewOfflineVerifier

func NewOfflineVerifier(trustedRootPath string, options VerifyOptions) (*OfflineVerifier, error)

offline verifier with trusted root

func (*OfflineVerifier) Bundles

func (ov *OfflineVerifier) Bundles() []*bundle.Bundle

returns the loaded bundles (avoids reloading from file)

func (*OfflineVerifier) LoadBundlesFromFile

func (ov *OfflineVerifier) LoadBundlesFromFile(bundlePath string) error

loads bundles from a file

func (*OfflineVerifier) VerifyArtifact

func (ov *OfflineVerifier) VerifyArtifact(artifactPath string) (*VerificationResult, error)

verifies an artifact file or directory against loaded bundles

func (*OfflineVerifier) VerifyArtifactDigest

func (ov *OfflineVerifier) VerifyArtifactDigest(digest string) (*VerificationResult, error)

verifies an artifact by its digest (useful for container images)

type Subject

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

attestation subject

type VerificationResult

type VerificationResult struct {
	Verified            bool                `json:"verified"`
	Attestations        []AttestationResult `json:"attestations"`
	CertificateIdentity interface{}         `json:"certificateIdentity,omitempty"`
	PolicyCompliance    map[string]bool     `json:"policyCompliance,omitempty"`
	Errors              []string            `json:"errors,omitempty"`
	Warnings            []string            `json:"warnings,omitempty"`
}

result of offline verification

type VerifyOptions

type VerifyOptions struct {
	CertIdentity       string   // expected certificate identity (workflow URL)
	CertOIDCIssuer     string   // expected OIDC issuer
	SkipTLogVerify     bool     // force-skip transparency-log verification even when a bundle carries an entry (programmatic only; no CLI flag)
	Quiet              bool     // suppress output messages
	SourceRef          string   // expected source repository ref (e.g., refs/heads/main)
	TrustedRootSource  string   // trusted root source: github, public, or auto
	AcceptedIdentities []string // resolved signer allowlist (union of --cert-identity and the list); each attestation must match at least one (OR semantics)
}

options for offline verification

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL