Documentation
Overview ¶
Package verifier provides a client for verifying artifacts using Sigstore.
Index ¶
Constants ¶
// Hostnames of the TUF repositories that serve the Sigstore trusted root.
//
// NOTE(review): the trusted root decides which certificate authorities and
// transparency logs a verification will accept. How the verifier picks between
// these two hosts is not visible in this listing; confirm the choice comes
// from caller-controlled configuration and not from the artifact under
// verification.
const (
	// TrustedRootSigstoreGitHub is the GitHub trusted root repository for
	// sigstore (used for private repos, Enterprise).
	TrustedRootSigstoreGitHub = "tuf-repo.github.com"

	// TrustedRootSigstorePublicGoodInstance is the public trusted root
	// repository for sigstore.
	TrustedRootSigstorePublicGoodInstance = "tuf-repo-cdn.sigstore.dev"
)
Variables ¶
// Sentinel errors and limits of the verifier. The errors are package-level
// values created with errors.New, so callers can match them with errors.Is.
//
// NOTE(review): every error below describes a verification that did not
// succeed; callers that gate a deployment on verification should treat any
// non-nil error as "not verified", not only the ones they recognise.
var (
	// ErrProvenanceNotFoundOrIncomplete is returned when there is no
	// provenance info (missing .sig or attestation) or the provenance data is
	// incomplete.
	ErrProvenanceNotFoundOrIncomplete = errors.New("provenance not found or incomplete")

	// ErrProvenanceServerInformationNotSet is returned when the provenance
	// information for a server is not set.
	ErrProvenanceServerInformationNotSet = errors.New("provenance server information not set")

	// ErrImageNotSigned is returned when no signatures or attestations are
	// found for the image.
	ErrImageNotSigned = errors.New("image is not signed")

	// ErrProvenanceMismatch is returned when the image is signed but no bundle
	// matches the expected provenance. A signature alone is therefore not
	// sufficient: the signer identity must also match what was expected.
	ErrProvenanceMismatch = errors.New("image provenance does not match")

	// MaxAttestationsBytesLimit is the maximum number of bytes we are willing
	// to read from the attestation endpoint. It is limited to 10 MiB
	// (10 * 1024 * 1024 bytes) for now.
	//
	// NOTE(review): this is an exported, mutable package-level variable, so
	// any code in the process can raise or remove the bound. Treat it as
	// read-only outside of tests; where it is enforced is not visible in this
	// listing, so confirm the response body is actually read through a
	// size-limited reader.
	MaxAttestationsBytesLimit int64 = 10 * 1024 * 1024
)
Functions ¶
This section is empty.
Types ¶
type Result ¶
// Result is the result of the verification. It combines two summary flags with
// the embedded sigstore verification result.
type Result struct {
	// IsSigned is serialized as "is_signed".
	// NOTE(review): presumably true when any signature or attestation was
	// found for the image, whether or not it matched; confirm against the
	// code that populates it.
	IsSigned bool `json:"is_signed"`
	// IsVerified is serialized as "is_verified".
	// NOTE(review): presumably true only when a bundle matched the expected
	// provenance. Consumers making a trust decision should key on this field
	// and not on IsSigned; confirm.
	IsVerified bool `json:"is_verified"`
	// Embedded without a JSON tag: if verify.VerificationResult is a struct
	// type, encoding/json promotes its exported fields into the same JSON
	// object as the two flags above.
	verify.VerificationResult
}
Result is the result of the verification
type Sigstore ¶
// Sigstore is the sigstore verifier. All of its state is unexported.
//
// NOTE(review): no constructor appears in this listing, so how a Sigstore
// value obtains its trusted root is not visible here; confirm that a
// zero-value Sigstore cannot be used to verify anything.
type Sigstore struct {
	// contains filtered or unexported fields
}
Sigstore is the sigstore verifier
func (*Sigstore) GetVerificationResults ¶
// GetVerificationResults returns the verification results for the given image
// reference.
//
// NOTE(review): the listing does not show whether a nil error can accompany an
// empty slice; callers should treat an empty result as "not verified" until
// that is confirmed.
// NOTE(review): imageRef is presumably an OCI image reference. If it may be a
// mutable tag, the image that is verified and the image that is later pulled
// can differ; prefer digest-pinned references, and confirm how tags are
// resolved.
func (s *Sigstore) GetVerificationResults(
	imageRef string,
) ([]*verify.VerificationResult, error)
GetVerificationResults returns the verification results for the given image reference
func (*Sigstore) VerifyServer ¶
// VerifyServer verifies the server information for the given image reference
// against the supplied provenance. The only result is an error, so a nil
// return is the sole success signal.
//
// NOTE(review): presumably returns ErrProvenanceServerInformationNotSet when
// provenance is nil or empty, ErrImageNotSigned when nothing is attached to
// the image, and ErrProvenanceMismatch when no bundle matches; confirm, and
// confirm that a nil provenance can never result in a nil error.
func (s *Sigstore) VerifyServer(imageRef string, provenance *registry.Provenance) error
VerifyServer verifies the server information for the given image reference