rekor

package
v0.7.1

Warning: This package is not in the latest version of its module.
Published: May 22, 2023 License: Apache-2.0 Imports: 26 Imported by: 0

Documentation

Types

type Client

type Client struct {
	*client.Rekor
	// contains filtered or unexported fields
}

Client implements a basic rekor implementation for writing and verifying Rekor data.

func New

func New(url string, opts ...rekor.Option) (*Client, error)

func (*Client) PublicKeys added in v0.6.0

func (c *Client) PublicKeys() *cosign.TrustedTransparencyLogPubKeys

func (*Client) Verify

func (c *Client) Verify(ctx context.Context, commitSHA string, cert *x509.Certificate) (*models.LogEntryAnon, error)

Verify verifies a commit using online verification.

This is done by:

1. Searching Rekor for an entry matching the commit SHA + cert.
2. Using the same cert to verify the commit content.

Note: While not truly deprecated, using offline verification is generally preferred. This function relies on non-GA behavior of Rekor, and remains for backwards compatibility with older signatures.

func (*Client) VerifyInclusion added in v0.7.1

func (c *Client) VerifyInclusion(ctx context.Context, sig []byte, cert *x509.Certificate) (*models.LogEntryAnon, error)

VerifyInclusion verifies a signature's inclusion in Rekor using offline verification. NOTE: This does **not** verify the correctness of the signature against the content. Prefer using [git.Verify] instead for complete verification.
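The note above is the security-relevant part: an inclusion proof shows that a signature was logged, not that it signs the content in front of you. The following added example (not this package's code) models the log as a small RFC 6962-style Merkle tree whose leaf is the raw signature; the tree layout, key seed and messages are constructed for illustration, and real Rekor entries carry more than the signature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// RFC 6962 hashing: 0x00 prefix for leaves, 0x01 for interior nodes.
func leafHash(d []byte) []byte { h := sha256.Sum256(append([]byte{0}, d...)); return h[:] }
func nodeHash(l, r []byte) []byte { h := sha256.Sum256(append(append([]byte{1}, l...), r...)); return h[:] }

// verifyInclusion recomputes the root from a leaf hash and its audit path.
func verifyInclusion(leaf []byte, index, size uint64, proof [][]byte, root []byte) bool {
	if index >= size {
		return false
	}
	fn, sn, r := index, size-1, leaf
	for _, p := range proof {
		if sn == 0 {
			return false
		}
		if fn&1 == 1 || fn == sn {
			r = nodeHash(p, r)
			for fn&1 == 0 && fn != 0 {
				fn, sn = fn>>1, sn>>1
			}
		} else {
			r = nodeHash(r, p)
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && bytes.Equal(r, root)
}

// demo logs a signature over one message, then checks it against two messages.
func demo() (included, matchesOriginal, matchesOther bool) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{7}, 32)) // constructed key
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, []byte("commit A")) // constructed content
	l0, l1, l2 := leafHash([]byte("other-0")), leafHash(sig), leafHash([]byte("other-2"))
	root := nodeHash(nodeHash(l0, l1), l2) // 3-entry log, sig at index 1
	included = verifyInclusion(leafHash(sig), 1, 3, [][]byte{l0, l2}, root)
	return included, ed25519.Verify(pub, []byte("commit A"), sig), ed25519.Verify(pub, []byte("commit B"), sig)
}

func main() { fmt.Println(demo()) }
```

The inclusion check succeeds for the logged signature even when it is presented alongside different content, so a caller still needs the separate signature-over-content check.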

func (*Client) Write deprecated

func (c *Client) Write(ctx context.Context, commitSHA string, sig []byte, cert *x509.Certificate) (*models.LogEntryAnon, error)

Deprecated: Use [WriteMessage] instead.

func (*Client) WriteMessage added in v0.7.0

func (c *Client) WriteMessage(ctx context.Context, message, signature []byte, cert *x509.Certificate) (*models.LogEntryAnon, error)

type Verifier

type Verifier interface {
	Verify(ctx context.Context, commitSHA string, cert *x509.Certificate) (*models.LogEntryAnon, error)
	VerifyInclusion(ctx context.Context, sig []byte, cert *x509.Certificate) (*models.LogEntryAnon, error)
}

Verifier represents a mechanism to get and verify Rekor entries for the given Git data.

type Writer

type Writer interface {
	Write(ctx context.Context, commitSHA string, sig []byte, cert *x509.Certificate) (*models.LogEntryAnon, error)
	WriteMessage(ctx context.Context, message, signature []byte, cert *x509.Certificate) (*models.LogEntryAnon, error)
}

Writer represents a mechanism to write content to Rekor.
