Documentation
Functions
func ObjectHash (added in v0.3.0)
ObjectHash is a string representation of an encoded Git object.
func VerifySignature
func VerifySignature(data, sig []byte, detached bool, rootCerts, intermediates *x509.CertPool) (*x509.Certificate, error)
VerifySignature verifies the signature for a given Git data + signature pair.
Data should be the Git data that was signed (i.e. everything in the commit besides the signature). Note: passing in the commit object itself will not work.
Signatures should be CMS/PKCS7 formatted.
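The requirement above that `data` exclude the signature, shown as an added example (not gitsign's own code): it separates a raw commit object into the signed payload and the signature. `SplitSignedCommit` and `sampleCommit` are hypothetical names, and the sketch assumes the signature is stored in the commit's `gpgsig` header, as Git does for signed commits.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Constructed sample: identities, tree hash and signature body are placeholders.
const sampleCommit = "tree 0000000000000000000000000000000000000000\n" +
	"author Example Dev <dev@example.com> 1700000000 +0000\n" +
	"committer Example Dev <dev@example.com> 1700000000 +0000\n" +
	"gpgsig -----BEGIN SIGNED MESSAGE-----\n" +
	" PLACEHOLDERBASE64\n" +
	" -----END SIGNED MESSAGE-----\n" +
	"\nAdd README\n"

// SplitSignedCommit (hypothetical helper, not part of gitsign) splits a raw
// commit object into the signed payload and its "gpgsig" header value.
func SplitSignedCommit(raw []byte) (data, sig []byte, err error) {
	// Headers end at the first blank line; the message follows unchanged.
	end := bytes.Index(raw, []byte("\n\n"))
	if end < 0 {
		return nil, nil, errors.New("no header/message separator")
	}
	inSig := false
	for _, line := range bytes.SplitAfter(raw[:end+1], []byte("\n")) {
		switch {
		case bytes.HasPrefix(line, []byte("gpgsig ")):
			inSig = true
			sig = append(sig, line[len("gpgsig "):]...)
		case inSig && bytes.HasPrefix(line, []byte(" ")):
			// Continuation lines carry one leading space that is not signature data.
			sig = append(sig, line[1:]...)
		default:
			inSig = false
			data = append(data, line...)
		}
	}
	if sig == nil {
		return nil, nil, errors.New("no gpgsig header")
	}
	// Signed payload = remaining headers + blank line + message, byte for byte.
	return append(data, raw[end+1:]...), sig, nil
}

func main() {
	data, sig, err := SplitSignedCommit([]byte(sampleCommit))
	fmt.Printf("err=%v\nsigned data:\n%s\nsignature:\n%s", err, data, sig)
}
```

The two return values correspond to the `data` and `sig` arguments described above; the payload must be preserved byte for byte, since any change to it invalidates the signature.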
Types
type Claim (added in v0.3.0)
type Claim struct {
	Key   ClaimCondition
	Value bool
}
Claim is a key-value pair representing the status of a given ClaimCondition.
func NewClaim (added in v0.3.0)
func NewClaim(c ClaimCondition, ok bool) Claim
type ClaimCondition (added in v0.3.0)
type ClaimCondition string
const (
	ClaimValidatedSignature  ClaimCondition = "Validated Git signature"
	ClaimValidatedRekorEntry ClaimCondition = "Validated Rekor entry"
)
type VerificationSummary (added in v0.3.0)
type VerificationSummary struct {
	// Certificate used to sign the commit.
	Cert *x509.Certificate
	// Rekor log entry of the commit.
	LogEntry *models.LogEntryAnon
	// List of claims about what succeeded / failed during validation.
	// This can be used to get details on what succeeded / failed during
	// validation. This is not an exhaustive list - claims may be missing
	// if validation ended early.
	Claims []Claim
}
VerificationSummary holds artifacts of the gitsign verification of a Git commit or tag.
func Verify (added in v0.3.0)
func Verify(ctx context.Context, rekor rekor.Verifier, data, sig []byte, detached bool) (*VerificationSummary, error)
Verify takes a context, rekor verifier client, Git object data (everything but the signature), and a Git signature. A VerificationSummary is returned with the signing certificate & Rekor transparency log index of the Git object, if found, and whether each is valid for the given Git data.