Documentation
Index ¶
- Constants
- Variables
- func CreateUnsignedSourceVsa(repoUri, ref, commit string, verifiedLevels slsa.SourceVerifiedLevels, ...) (string, error)
- func Debugf(format string, args ...any)
- func DoesSubjectIncludeCommit(statement *spb.Statement, commit string) bool
- func GetSourceProvPred(statement *spb.Statement) (*provenance.SourceProvenancePred, error)
- func GetSourceRefsForCommit(vsaStatement *spb.Statement, commit string) ([]string, error)
- func GetSubjectForCommit(statement *spb.Statement, commit string) *spb.ResourceDescriptor
- func GetTagProvPred(statement *spb.Statement) (*provenance.TagProvenancePred, error)
- func GetVsa(ctx context.Context, ghc *ghcontrol.GitHubConnection, verifier Verifier, ...) (*spb.Statement, *vpb.VerificationSummary, error)
- func Sign(data string) (string, error)
- func StatementToString(stmt *spb.Statement) string
- type BndVerifier
- type BundleReader
- type ProvenanceAttestor
- func (pa ProvenanceAttestor) CreateSourceProvenance(ctx context.Context, prevAttPath, commit, prevCommit, ref string) (*spb.Statement, error)
- func (pa ProvenanceAttestor) CreateTagProvenance(ctx context.Context, commit, ref, actor string) (*spb.Statement, error)
- func (pa ProvenanceAttestor) GetProvenance(ctx context.Context, commit, ref string) (*spb.Statement, *provenance.SourceProvenancePred, error)
- type StatementMatcher
- type VerificationOptions
- type Verifier
Constants ¶
const (
	// ExpectedIssuer is the OIDC issuer found in the sigstore bundles.
	ExpectedIssuer = "https://token.actions.githubusercontent.com"
	// ExpectedSan is the expected identity of the workflow signing the
	// provenance and VSAs. It names one workflow file at one ref
	// (refs/heads/main); NOTE(review): presumably a bundle signed by any
	// other workflow or ref will not match it — confirm how the verifier
	// compares the SAN.
	ExpectedSan = "https://github.com/slsa-framework/source-actions/.github/workflows/compute_slsa_source.yml@refs/heads/main"
	// OldExpectedSan is the old signer identity from before the actions were split
	// out into their own repo. Accepting it alongside ExpectedSan widens the set of
	// trusted signers; this constant is part of a compatibility hack that should be
	// reverted once the latest attestations of the repos are signed with the new
	// identity.
	//
	// See https://github.com/slsa-framework/source-tool/issues/255
	OldExpectedSan = "https://github.com/slsa-framework/slsa-source-poc/.github/workflows/compute_slsa_source.yml@refs/heads/main"
)
const (
	// VsaPredicateType is the in-toto predicate type used for VSAs
	// (verification summary attestations).
	VsaPredicateType = "https://slsa.dev/verification_summary/v1"
	// VsaVerifierId is the verifier identity recorded in VSAs.
	VsaVerifierId = "https://github.com/slsa-framework/source-actions"
)
Variables ¶
// DefaultVerifierOptions pins the expected OIDC issuer and the expected
// signer identity (ExpectedSan) for verification. NOTE(review): presumably
// this is what GetDefaultVerifier uses — confirm.
var DefaultVerifierOptions = VerificationOptions{
	ExpectedIssuer: ExpectedIssuer,
	ExpectedSan:    ExpectedSan,
}
TODO: Update ExpectedSan to support a regex so that we can match the branches/tags we actually think folks should be using (not everyone will run from main).
Functions ¶
func CreateUnsignedSourceVsa ¶
func GetSourceProvPred ¶
func GetSourceProvPred(statement *spb.Statement) (*provenance.SourceProvenancePred, error)
func GetSourceRefsForCommit ¶
func GetSubjectForCommit ¶
func GetSubjectForCommit(statement *spb.Statement, commit string) *spb.ResourceDescriptor
Returns the _first_ subject that includes the commit. TODO: add support for multiple subjects...
func GetTagProvPred ¶
func GetTagProvPred(statement *spb.Statement) (*provenance.TagProvenancePred, error)
func GetVsa ¶
func GetVsa(ctx context.Context, ghc *ghcontrol.GitHubConnection, verifier Verifier, commit, ref string) (*spb.Statement, *vpb.VerificationSummary, error)
Gets a VSA for the commit from git notes.
func StatementToString ¶
Renders the statement as a string; this exists mainly to make logging easy...
Types ¶
type BndVerifier ¶
// BndVerifier is a Verifier that checks signed data against the issuer and
// signer identity carried in Options. NOTE(review): "Bnd" presumably stands
// for sigstore bundle, given that Verify returns a *verify.VerificationResult
// — confirm.
type BndVerifier struct {
	// Options holds the expected OIDC issuer and SAN the verifier enforces.
	Options VerificationOptions
}
func NewBndVerifier ¶
func NewBndVerifier(options VerificationOptions) *BndVerifier
func (*BndVerifier) Verify ¶
func (bv *BndVerifier) Verify(data string) (*verify.VerificationResult, error)
type BundleReader ¶
// BundleReader reads statements from a *bufio.Reader (see NewBundleReader)
// and checks each one with a Verifier before ReadStatement returns it, so a
// statement that fails signature verification is never handed to the caller.
type BundleReader struct {
	// contains filtered or unexported fields
}
func NewBundleReader ¶
func NewBundleReader(reader *bufio.Reader, verifier Verifier) *BundleReader
func (*BundleReader) ReadStatement ¶
func (br *BundleReader) ReadStatement(matcher StatementMatcher) (*spb.Statement, error)
Reads all the statements that: 1. have a valid signature; 2. have the specified predicate type; 3. have a subject that matches the specified git commit.
type ProvenanceAttestor ¶
// ProvenanceAttestor creates source and tag provenance statements and reads
// existing provenance from git notes. It is built by NewProvenanceAttestor
// from a GitHub connection and a Verifier; the Verifier is what decides
// whether provenance read back from git notes is trusted.
type ProvenanceAttestor struct {
	// contains filtered or unexported fields
}
func NewProvenanceAttestor ¶
func NewProvenanceAttestor(gh_connection *ghcontrol.GitHubConnection, verifier Verifier) *ProvenanceAttestor
func (ProvenanceAttestor) CreateSourceProvenance ¶
func (ProvenanceAttestor) CreateTagProvenance ¶
func (ProvenanceAttestor) GetProvenance ¶
func (pa ProvenanceAttestor) GetProvenance(ctx context.Context, commit, ref string) (*spb.Statement, *provenance.SourceProvenancePred, error)
Gets provenance for the commit from git notes.
type StatementMatcher ¶
func MatchesTypeAndCommit ¶
func MatchesTypeAndCommit(predicateType, commit string) StatementMatcher
func MatchesTypeCommitAndRef ¶
func MatchesTypeCommitAndRef(predicateType, commit, targetRef string) StatementMatcher
type VerificationOptions ¶
type Verifier ¶
// Verifier checks the signature on data and reports the outcome. Everything
// read from git notes (provenance, VSAs) passes through a Verifier, so it is
// the trust boundary for this package; implementations are expected to pin
// the issuer and signer identity (see VerificationOptions and
// DefaultVerifierOptions) rather than accept any signer.
type Verifier interface {
	// Verify returns the verification result for data, or an error when
	// verification cannot be completed. NOTE(review): the expected encoding
	// of data (presumably a serialized sigstore bundle) is not stated here —
	// confirm against the implementations.
	Verify(data string) (*verify.VerificationResult, error)
}
func GetDefaultVerifier ¶
func GetDefaultVerifier() Verifier