notation

package module

v1.0.0-rc.1

Published: Dec 7, 2022 License: Apache-2.0 Imports: 13 Imported by: 21

README

Notation

A collection of libraries supporting Notation sign, verify, push and pull of OCI artifacts, based on the Notary V2 standard.

Core Documents

Code of Conduct

This project has adopted the CNCF Code of Conduct. See CODE_OF_CONDUCT.md for further details.

License

This project is covered under the Apache 2.0 license. You can read the license here.

Documentation

Overview

Package notation provides the Signer and Verifier used for Notation signing and verification.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Sign

func Sign(ctx context.Context, signer Signer, repo registry.Repository, opts SignOptions) (ocispec.Descriptor, error)

Sign signs the artifact in the remote registry and pushes the signature to the remote. The descriptor of the signed content is returned upon successful signing.

Types

type ErrorNoApplicableTrustPolicy

type ErrorNoApplicableTrustPolicy struct {
	Msg string
}

ErrorNoApplicableTrustPolicy is used when there is no trust policy that applies to the given artifact

func (ErrorNoApplicableTrustPolicy) Error

type ErrorSignatureRetrievalFailed

type ErrorSignatureRetrievalFailed struct {
	Msg string
}

ErrorSignatureRetrievalFailed is used when notation is unable to retrieve the digital signature/s for the given artifact

func (ErrorSignatureRetrievalFailed) Error

type ErrorVerificationFailed

type ErrorVerificationFailed struct {
	Msg string
}

ErrorVerificationFailed is used when it is determined that the digital signature/s is not valid for the given artifact

func (ErrorVerificationFailed) Error

func (e ErrorVerificationFailed) Error() string

type ErrorVerificationInconclusive

type ErrorVerificationInconclusive struct {
	Msg string
}

ErrorVerificationInconclusive is used when signature verification fails due to a runtime error (e.g. a network error)

func (ErrorVerificationInconclusive) Error

type RemoteVerifyOptions

type RemoteVerifyOptions struct {
	// ArtifactReference is the reference of the artifact that is being
	// verified.
	ArtifactReference string

	// PluginConfig is a map of plugin configs.
	PluginConfig map[string]string

	// MaxSignatureAttempts is the maximum number of signature envelopes that
	// will be processed for verification. If set to zero or less, an error
	// is returned.
	MaxSignatureAttempts int
}

RemoteVerifyOptions contains parameters for notation.Verify.

type SignOptions

type SignOptions struct {
	// ArtifactReference sets the reference of the artifact that needs to be signed.
	ArtifactReference string

	// SignatureMediaType is the envelope type of the signature.
	// Currently both `application/jose+json` and `application/cose` are
	// supported.
	SignatureMediaType string

	// ExpiryDuration identifies the expiry duration of the resulting signature.
	// The zero value means the signature does not expire.
	ExpiryDuration time.Duration

	// PluginConfig sets or overrides the plugin configuration.
	PluginConfig map[string]string

	// SigningAgent sets the signing agent name
	SigningAgent string
}

SignOptions contains parameters for Signer.Sign.

type Signer

type Signer interface {
	// Sign signs the artifact described by its descriptor,
	// and returns the signature and SignerInfo.
	Sign(ctx context.Context, desc ocispec.Descriptor, opts SignOptions) ([]byte, *signature.SignerInfo, error)
}

Signer is a generic interface for signing an artifact. The interface allows signing with local or remote keys, and packing in various signature formats.

type ValidationResult

type ValidationResult struct {
	// Type of verification that is performed
	Type trustpolicy.ValidationType

	// Action is the intended action for the given verification type as defined
	// in the trust policy
	Action trustpolicy.ValidationAction

	// Error is set if there are any errors during the verification process
	Error error
}

ValidationResult encapsulates the verification result (passed or failed) for a verification type, including the desired verification action as specified in the trust policy

type VerificationOutcome

type VerificationOutcome struct {
	// RawSignature is the signature envelope blob
	RawSignature []byte

	// EnvelopeContent contains the details of the digital signature and
	// associated metadata
	EnvelopeContent *signature.EnvelopeContent

	// VerificationLevel describes what verification level was used for
	// performing signature verification
	VerificationLevel *trustpolicy.VerificationLevel

	// VerificationResults contains the verifications performed on the signature
	// and their results
	VerificationResults []*ValidationResult

	// Error that caused the verification to fail (if it fails)
	Error error
}

VerificationOutcome encapsulates a signature blob's descriptor, its content, the verification level and results for each verification type that was performed.

func Verify

Verify performs signature verification on each of the notation supported verification types (like integrity, authenticity, etc.) and returns the successful signature verification outcomes. For more details on signature verification, see https://github.com/notaryproject/notaryproject/blob/main/specs/trust-store-trust-policy.md#signature-verification

type Verifier

type Verifier interface {
	// Verify verifies the signature blob and returns the outcome upon
	// successful verification.
	// If the signature is nil and the verification level is not 'skip',
	// an error is returned.
	Verify(ctx context.Context, desc ocispec.Descriptor, signature []byte, opts VerifyOptions) (*VerificationOutcome, error)
}

Verifier is a generic interface for verifying an artifact.

type VerifyOptions

type VerifyOptions struct {
	// ArtifactReference is the reference of the artifact that is being
	// verified.
	ArtifactReference string

	// SignatureMediaType is the envelope type of the signature.
	// Currently both `application/jose+json` and `application/cose` are
	// supported.
	SignatureMediaType string

	// PluginConfig is a map of plugin configs.
	PluginConfig map[string]string
}

VerifyOptions contains parameters for Verifier.Verify.
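The verification semantics described above for Verify, RemoteVerifyOptions, ValidationResult and VerificationOutcome, worked through as an added example that is not notation-go's own code: a Verifier that runs the integrity, authenticity and expiry checks under the enforce/log/skip actions of a trust policy, and a Verify-style loop that tries at most MaxSignatureAttempts signatures and keeps "no signatures to check" distinct from "every signature checked was rejected". The types are cut-down stand-ins for the ones on this page, the envelope is a constructed JSON stub rather than a JWS or COSE envelope, and the digests, signer names and policy actions are made up for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Stand-ins for the page's notation-go types, cut down so this file builds with the standard library alone (hypothetical).
type (
	ValidationType   string
	ValidationAction string
	ValidationResult struct {
		Type   ValidationType
		Action ValidationAction
		Error  error
	}
	VerificationOutcome struct {
		VerificationResults []*ValidationResult
	}
	ErrorSignatureRetrievalFailed struct{ Msg string }
	ErrorVerificationFailed       struct{ Msg string }
)

const (
	Integrity, Authenticity, Expiry ValidationType   = "integrity", "authenticity", "expiry"
	Enforce, Log, Skip              ValidationAction = "enforce", "log", "skip"
)
func (e ErrorSignatureRetrievalFailed) Error() string { return e.Msg }
func (e ErrorVerificationFailed) Error() string        { return e.Msg }
type toyEnvelope struct { // constructed stand-in for a JWS/COSE envelope, not a real one
	Subject string    `json:"subject"` // digest the signature claims to cover
	Signer  string    `json:"signer"`  // identity asserted by the signature
	Expires time.Time `json:"expires"` // zero value means no expiry
}

// Constructed sample signatures for an artifact whose digest is sha256:aaaa.
var sampleSigs = [][]byte{
	[]byte(`{"subject":"sha256:bbbb","signer":"ci-release-signer"}`),                                 // reused from another artifact
	[]byte(`{"subject":"sha256:aaaa","signer":"unknown-builder"}`),                                   // untrusted signer
	[]byte(`{"subject":"sha256:aaaa","signer":"ci-release-signer","expires":"2022-12-31T00:00:00Z"}`), // trusted but expired
}

// policyVerifier applies each verification type's trust-policy action: enforce
// fails the signature, log only records the failure, skip runs no check at all.
type policyVerifier struct {
	subject string                              // digest of the artifact under verification
	trusted map[string]bool                     // stand-in trust store
	now     time.Time                           // fixed clock, so expiry is deterministic
	actions map[ValidationType]ValidationAction // stand-in trust policy
}

func (p policyVerifier) Verify(sig []byte) (*VerificationOutcome, error) {
	var env toyEnvelope
	if err := json.Unmarshal(sig, &env); err != nil {
		return nil, ErrorVerificationFailed{Msg: "malformed envelope: " + err.Error()}
	}
	out := &VerificationOutcome{}
	for _, t := range []ValidationType{Integrity, Authenticity, Expiry} {
		action := p.actions[t]
		if action == Skip {
			continue
		}
		var err error
		switch {
		case t == Integrity && env.Subject != p.subject:
			err = fmt.Errorf("signature covers %s, not %s", env.Subject, p.subject)
		case t == Authenticity && !p.trusted[env.Signer]:
			err = fmt.Errorf("signer %q is not in the trust store", env.Signer)
		case t == Expiry && !env.Expires.IsZero() && p.now.After(env.Expires):
			err = fmt.Errorf("signature expired at %s", env.Expires.Format(time.RFC3339))
		}
		out.VerificationResults = append(out.VerificationResults, &ValidationResult{Type: t, Action: action, Error: err})
		if err != nil && action == Enforce {
			return out, ErrorVerificationFailed{Msg: fmt.Sprintf("%s: %v", t, err)}
		}
	}
	return out, nil
}

// verifyRemote mirrors the loop notation.Verify runs around a Verifier: try at most maxAttempts
// signatures and return at the first that verifies. Both error paths fail closed but stay distinct.
func verifyRemote(v policyVerifier, sigs [][]byte, maxAttempts int) ([]*VerificationOutcome, error) {
	if maxAttempts <= 0 {
		return nil, fmt.Errorf("MaxSignatureAttempts must be greater than zero, got %d", maxAttempts)
	}
	if len(sigs) == 0 {
		return nil, ErrorSignatureRetrievalFailed{Msg: "artifact has no signatures"}
	}
	if maxAttempts < len(sigs) {
		sigs = sigs[:maxAttempts]
	}
	for _, sig := range sigs {
		if outcome, err := v.Verify(sig); err == nil {
			return []*VerificationOutcome{outcome}, nil
		}
	}
	return nil, ErrorVerificationFailed{Msg: fmt.Sprintf("none of the %d signature(s) tried verified", len(sigs))}
}
```

Two things the loop makes explicit. A signature that is valid for a different digest (the first sample) is rejected by the integrity check even though its signer is trusted, so a genuine signature cannot be replayed against another artifact. And with MaxSignatureAttempts set to 2 the trusted signature is never reached, so the artifact is reported as failing verification rather than as unsigned or inconclusive. Checks under the log action, such as the expired signature here, leave their error in the outcome's VerificationResults without rejecting the signature; a caller that treats a log-only policy as if it were enforce should inspect those results.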

Directories

Path          Synopsis
config        Package config provides the ability to load and save config.json and signingkeys.json.
dir           Package dir implements the Notation directory structure.
internal
  log         Package log provides logging functionality to notation.
plugin        Package plugin provides the toolings to use the notation plugin.
  proto       Package proto defines the protocol layer for communication between notation and notation external plugin.
registry      Package registry provides access to signatures in a registry.
signer        Package signer provides notation signing functionality.
verifier      Package verifier provides an implementation of the notation.Verifier interface.
  trustpolicy Package trustpolicy provides functionalities for trust policy document and trust policy statements.
  truststore  Package truststore reads certificates in a trust store.
