root

package
v0.38.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 27, 2026 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Index

Constants

View Source
const (
	GitHubActionsIssuer = "https://token.actions.githubusercontent.com"
	GoogleOIDCIssuer    = "https://accounts.google.com"
	GitHubOAuthIssuer   = "https://github.com/login/oauth"
	GitLabIssuer        = "https://gitlab.com"
)

known OIDC issuers for auto-detection

Variables

View Source
var GithubTrustedRoot []byte
View Source
var PublicSigstoreTrustedRoot []byte

static snapshot of the public-good Sigstore trusted root. by default this embedded snapshot is used (hermetic, offline-capable). an opt-in live refresh (--refresh-trusted-root) replaces it via RefreshPublicTrustedRoot before verification; the embedded snapshot is re-vendored periodically via `task vendor-public-trusted-root` so it can't silently rot.

Functions

func FetchTrustedRoot

func FetchTrustedRoot() ([]byte, error)

fetches gh trusted root

func GetGitHubTrustedRoot

func GetGitHubTrustedRoot() []byte

returns embedded github trusted root

func GetPublicTrustedRoot

func GetPublicTrustedRoot() []byte

returns the public sigstore trusted root: the live-refreshed root if RefreshPublicTrustedRoot succeeded this run, otherwise the embedded snapshot.

func GetTrustedRoot

func GetTrustedRoot() ([]byte, error)

returns the GitHub trusted root with fallback mechanism. first attempts to fetch the latest root dynamically, and falls back to the embedded root if the dynamic fetch fails. note this GitHub-root path is intentionally fail-OPEN (embedded fallback) because the GitHub root is stable; the public-good root rotates, so its live refresh (RefreshPublicTrustedRoot) is fail-CLOSED instead.

func RefreshPublicTrustedRoot added in v0.31.0

func RefreshPublicTrustedRoot() error

RefreshPublicTrustedRoot fetches the public-good Sigstore trusted root live from the Sigstore TUF repo and, on success, makes GetPublicTrustedRoot serve it for the rest of the process. it is fail-closed: any fetch or parse error is returned and nothing is cached, so the caller must abort rather than fall back to the embedded snapshot. only invoke this when the operator opts in via --refresh-trusted-root; otherwise GetPublicTrustedRoot keeps serving the embedded snapshot (unchanged hermetic behavior).

Types

type TrustedRootSource

type TrustedRootSource string

trusted root source selection

const (
	TrustedRootSourceGitHub TrustedRootSource = "github"
	TrustedRootSourcePublic TrustedRootSource = "public"
	TrustedRootSourceAuto   TrustedRootSource = "auto"
)

func DetectTrustedRootFromCert

func DetectTrustedRootFromCert(certPEM []byte) (TrustedRootSource, error)

detects trusted root from certificate's OIDC issuer

func SelectTrustedRoot

func SelectTrustedRoot(source TrustedRootSource, certPEM []byte) ([]byte, TrustedRootSource, error)

selects trusted root based on source and optional certificate

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL