signing

package

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GenerateKeyPair

func GenerateKeyPair(ctx context.Context, outputDir string, password string) (privateKeyPath, publicKeyPath string, err error)

GenerateKeyPair generates a new cosign key pair

func GetRekorEntryFromOutput

func GetRekorEntryFromOutput(output string) string

GetRekorEntryFromOutput parses cosign output to extract Rekor entry information

func ValidateOIDCToken

func ValidateOIDCToken(token string) error

ValidateOIDCToken performs basic format validation on the OIDC token. This checks JWT structure (3 dot-separated segments) only — it does NOT verify the signature, issuer, audience, or expiry. Full validation is performed by Fulcio when the token is exchanged for a signing certificate.

Types

type CertificateInfo

// CertificateInfo contains information about the signing certificate.
// It is carried as VerifyResult.CertificateInfo; which fields are populated,
// and from which certificate extensions, is not visible here.
type CertificateInfo struct {
	Issuer   string // NOTE(review): presumably the OIDC issuer recorded in the certificate — confirm against Verify
	Subject  string // NOTE(review): presumably the certificate subject as reported by cosign — confirm
	Identity string // NOTE(review): presumably the signer identity that IdentityRegexp is matched against — confirm
}

CertificateInfo contains information about the signing certificate

type Config

// Config contains configuration for image signing operations.
// The same struct drives CreateSigner, CreateVerifier, SignImage and VerifyImage;
// Validate checks it, but the exact rules it enforces are not visible here.
type Config struct {
	Enabled    bool   // NOTE(review): presumably gates signing entirely — confirm in Validate/CreateSigner
	Required   bool   // NOTE(review): presumably fail-closed when true, fail-open when false (cf. SignerConfig.Required) — confirm
	Keyless    bool   // NOTE(review): presumably selects KeylessSigner (OIDC) over KeyBasedSigner — confirm in CreateSigner
	PrivateKey string // NOTE(review): presumably a key path or inline key, as for KeyBasedSigner.PrivateKey — confirm
	PublicKey  string // NOTE(review): presumably a public key path, as for Verifier.PublicKey — confirm
	// Password is the cosign private key passphrase.
	// json:"-" prevents accidental serialization if this struct is ever marshaled
	// as part of a larger config object (e.g., debug logging, cache key hashing).
	// It is always populated programmatically from CLI flags or env vars, never loaded from JSON.
	Password string `json:"-" yaml:"-"`
	// Timeout is kept as a string here while the signers and Verifier take a
	// time.Duration, so it is presumably parsed (e.g. "30s") on the way — confirm.
	Timeout string

	// OIDCToken is the OIDC identity token for keyless signing/attestation.
	// Set at runtime from CI environment (ACTIONS_ID_TOKEN_REQUEST_*).
	// Used by SBOM attacher and provenance attacher for cosign attestations.
	// Like Password it is a secret (a bearer credential) and is excluded from serialization.
	OIDCToken string `json:"-" yaml:"-"`

	// Verification settings, copied into Verifier by CreateVerifier (presumably — confirm).
	OIDCIssuer string // expected OIDC issuer of the signing certificate
	// NOTE(review): if this is handed to a regexp-based identity match, anchor it (^...$);
	// an unanchored pattern also accepts identities that merely contain the intended one.
	IdentityRegexp string
}

Config contains configuration for image signing operations

func (*Config) CreateSigner

func (c *Config) CreateSigner(oidcToken string) (Signer, error)

CreateSigner creates a signer based on the configuration. The oidcToken parameter takes precedence; if it is empty, c.OIDCToken is used instead.

func (*Config) CreateVerifier

func (c *Config) CreateVerifier() (*Verifier, error)

CreateVerifier creates a verifier based on the configuration

func (*Config) Validate

func (c *Config) Validate() error

Validate validates the configuration

type KeyBasedSigner

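// KeyBasedSigner implements key-based signing using private keys.
// Construct it with NewKeyBasedSigner; its Sign method satisfies the Signer interface.
type KeyBasedSigner struct {
	PrivateKey string // Path to private key file or key content
	// Password is the optional passphrase for an encrypted private key.
	// It is excluded from JSON/YAML output for the same reason as Config.Password:
	// a secret must not leak if this struct is ever marshaled (debug logging,
	// cache-key hashing, etc.). NewKeyBasedSigner receives it as a plain argument.
	Password string `json:"-" yaml:"-"`
	Timeout  time.Duration // NOTE(review): presumably bounds the signing operation in Sign — confirm
}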

KeyBasedSigner implements key-based signing using private keys

func NewKeyBasedSigner

func NewKeyBasedSigner(privateKey, password string, timeout time.Duration) *KeyBasedSigner

NewKeyBasedSigner creates a new key-based signer

func (*KeyBasedSigner) Sign

func (s *KeyBasedSigner) Sign(ctx context.Context, imageRef string) (*SignResult, error)

Sign signs a container image using a private key

type KeylessSigner

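// KeylessSigner implements keyless signing using OIDC tokens.
// Construct it with NewKeylessSigner; its Sign method satisfies the Signer interface.
type KeylessSigner struct {
	// OIDCToken is the identity token exchanged with Fulcio for a signing certificate
	// (only its JWT shape is checked locally, see ValidateOIDCToken). It is a bearer
	// credential, so it is excluded from JSON/YAML output just like Config.OIDCToken.
	OIDCToken string `json:"-" yaml:"-"`
	Timeout   time.Duration // NOTE(review): presumably bounds the signing operation in Sign — confirm
}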

KeylessSigner implements keyless signing using OIDC tokens

func NewKeylessSigner

func NewKeylessSigner(oidcToken string, timeout time.Duration) *KeylessSigner

NewKeylessSigner creates a new keyless signer

func (*KeylessSigner) Sign

func (s *KeylessSigner) Sign(ctx context.Context, imageRef string) (*SignResult, error)

Sign signs a container image using keyless OIDC signing

type PolicyChecker

// PolicyChecker is an interface for custom verification policies.
// Verifier.VerifyWithPolicy applies it as an additional check on top of
// signature verification (presumably after Verify succeeds — confirm).
type PolicyChecker interface {
	// Check inspects a verification result; presumably a non-nil error rejects it — confirm.
	Check(result *VerifyResult) error
}

PolicyChecker is an interface for custom verification policies

type SignResult

// SignResult contains the result of a signing operation (returned by Signer.Sign and SignImage).
type SignResult struct {
	ImageDigest string // digest of the image that was signed; NOTE(review): a digest, not a mutable tag, is what a verifier should pin — confirm how imageRef is resolved
	Signature   string // the produced signature; encoding not visible here
	Bundle      string // NOTE(review): presumably the cosign bundle — confirm
	RekorEntry  string // URL to Rekor transparency log entry
	SignedAt    string // signing timestamp as a string; format not visible here
}

SignResult contains the result of a signing operation

func SignImage

func SignImage(ctx context.Context, config *Config, imageRef string, oidcToken string) (*SignResult, error)

SignImage is a convenience function to sign an image with the given configuration

type Signer

// Signer is the interface for signing container images.
// KeyBasedSigner and KeylessSigner both provide Sign with this signature;
// Config.CreateSigner picks which one is returned.
type Signer interface {
	// Sign signs a container image and returns the result. ctx is expected to
	// carry cancellation; the signer's own Timeout is applied in addition (presumably — confirm).
	Sign(ctx context.Context, imageRef string) (*SignResult, error)
}

Signer is the interface for signing container images

type SignerConfig

// SignerConfig contains common configuration for signers.
// Nothing else on this page references it; its relation to Config is not visible here.
type SignerConfig struct {
	// Required indicates whether signing is required (fail-closed) or optional (fail-open)
	Required bool
	// Timeout for signing operation, kept as a string (the signers take a
	// time.Duration, so it is presumably parsed before use — confirm)
	Timeout string
}

SignerConfig contains common configuration for signers

type Verifier

// Verifier handles signature verification for container images.
// Build it with NewKeylessVerifier or NewKeyBasedVerifier (or Config.CreateVerifier);
// which mode Verify uses is presumably decided by which fields are set — confirm.
type Verifier struct {
	// For keyless verification
	OIDCIssuer string // expected issuer of the signing certificate — presumably matched by Verify; confirm
	// NOTE(review): anchor this pattern (^...$) when configuring it; an unanchored regexp
	// also matches identities that merely contain the intended one.
	IdentityRegexp string

	// For key-based verification
	PublicKey string // Path to public key file

	Timeout time.Duration // NOTE(review): presumably bounds Verify/VerifyWithPolicy — confirm
}

Verifier handles signature verification for container images

func NewKeyBasedVerifier

func NewKeyBasedVerifier(publicKey string, timeout time.Duration) *Verifier

NewKeyBasedVerifier creates a verifier for key-based signatures

func NewKeylessVerifier

func NewKeylessVerifier(oidcIssuer, identityRegexp string, timeout time.Duration) *Verifier

NewKeylessVerifier creates a verifier for keyless signatures

func (*Verifier) Verify

func (v *Verifier) Verify(ctx context.Context, imageRef string) (*VerifyResult, error)

Verify verifies the signature of a container image

func (*Verifier) VerifyWithPolicy

func (v *Verifier) VerifyWithPolicy(ctx context.Context, imageRef string, policy PolicyChecker) (*VerifyResult, error)

VerifyWithPolicy verifies a signature and applies additional policy checks

type VerifyResult

// VerifyResult contains the result of a signature verification
// (returned by Verifier.Verify, Verifier.VerifyWithPolicy and VerifyImage).
type VerifyResult struct {
	Verified        bool             // NOTE(review): callers should gate on this as well as on a nil error — confirm whether Verify can return Verified=false with err == nil
	ImageDigest     string           // digest of the verified image
	CertificateInfo *CertificateInfo // signing-certificate details; may be nil (pointer), presumably for key-based verification — confirm
	VerifiedAt      string           // verification timestamp as a string; format not visible here
}

VerifyResult contains the result of a signature verification

func VerifyImage

func VerifyImage(ctx context.Context, config *Config, imageRef string) (*VerifyResult, error)

VerifyImage is a convenience function to verify an image with the given configuration
