package root

import "github.com/sigstore/sigstore-go/pkg/root"


Constants

const SigningConfigMediaType02 = "application/vnd.dev.sigstore.signingconfig.v0.2+json"
const TrustedRootMediaType01 = "application/vnd.dev.sigstore.trustedroot+json;version=0.1"

Functions

func NewSigningConfigProtobuf

func NewSigningConfigProtobuf(scJSON []byte) (*prototrustroot.SigningConfig, error)

NewSigningConfigProtobuf parses scJSON, a JSON-encoded Sigstore signing configuration, and returns it as a protobuf message.

func NewTrustedRootProtobuf

func NewTrustedRootProtobuf(rootJSON []byte) (*prototrustroot.TrustedRoot, error)

NewTrustedRootProtobuf parses rootJSON, a JSON-encoded Sigstore trusted root, and returns it as a protobuf message.

func ParseTransparencyLogs

func ParseTransparencyLogs(tlogs []*prototrustroot.TransparencyLogInstance) (transparencyLogs map[string]*TransparencyLog, err error)

Types

type BaseTrustedMaterial

// BaseTrustedMaterial is an embeddable default implementation of TrustedMaterial.
// Its PublicKeyVerifier ignores the key ID it is given (the parameter is blank),
// so it can never resolve a key on its own; the other accessors are presumably
// empty defaults that embedding types (TrustedRoot, TrustedPublicKeyMaterial)
// override where they have real material — confirm against the source.
type BaseTrustedMaterial struct{}

func (*BaseTrustedMaterial) CTLogs

func (b *BaseTrustedMaterial) CTLogs() map[string]*TransparencyLog

func (*BaseTrustedMaterial) FulcioCertificateAuthorities

func (b *BaseTrustedMaterial) FulcioCertificateAuthorities() []CertificateAuthority

func (*BaseTrustedMaterial) PublicKeyVerifier

func (b *BaseTrustedMaterial) PublicKeyVerifier(_ string) (TimeConstrainedVerifier, error)

func (*BaseTrustedMaterial) RekorLogs

func (b *BaseTrustedMaterial) RekorLogs() map[string]*TransparencyLog

func (*BaseTrustedMaterial) TimestampingAuthorities

func (b *BaseTrustedMaterial) TimestampingAuthorities() []TimestampingAuthority

type CertificateAuthority

// CertificateAuthority is a trust anchor that can vouch for a leaf certificate.
type CertificateAuthority interface {
	// Verify checks cert against this authority as observed at observerTimestamp
	// and returns the resulting chains (one slice per chain, presumably leaf
	// first as with x509.Certificate.Verify — confirm), or an error if no chain
	// can be built.
	// NOTE(review): observerTimestamp is meant to be a trusted observation of
	// when the signature was produced (e.g. a signed timestamp or log inclusion
	// time) rather than the wall clock; verify with callers before passing
	// time.Now() here.
	Verify(cert *x509.Certificate, observerTimestamp time.Time) ([][]*x509.Certificate, error)
}

func ParseCertificateAuthorities

func ParseCertificateAuthorities(certAuthorities []*prototrustroot.CertificateAuthority) (certificateAuthorities []CertificateAuthority, err error)

type ExpiringKey

// ExpiringKey wraps a signature.Verifier with a fixed validity window; the
// window is set by NewExpiringKey and queried through ValidAtTime.
type ExpiringKey struct {
	signature.Verifier
	// contains filtered or unexported fields
}

ExpiringKey is a TimeConstrainedVerifier with a static validity period.

func NewExpiringKey

func NewExpiringKey(verifier signature.Verifier, validityPeriodStart, validityPeriodEnd time.Time) *ExpiringKey

NewExpiringKey returns a new ExpiringKey with the given validity period

func (*ExpiringKey) ValidAtTime

func (k *ExpiringKey) ValidAtTime(t time.Time) bool

ValidAtTime returns true if the key is valid at the given time. If the validity period start time is not set, the key is considered valid for all times before the end time. Likewise, if the validity period end time is not set, the key is considered valid for all times after the start time. A key with neither bound set is therefore valid at every time; callers that intend a key to expire must supply an end time.

type FulcioCertificateAuthority

// FulcioCertificateAuthority is a CertificateAuthority backed by an X.509 root
// plus optional intermediates, trusted only within the validity period below.
type FulcioCertificateAuthority struct {
	// Root is the trust anchor that verified chains must terminate at.
	Root                *x509.Certificate
	// Intermediates are additional issuing certificates available when
	// building a chain from a leaf up to Root.
	Intermediates       []*x509.Certificate
	// ValidityPeriodStart and ValidityPeriodEnd bound when this CA is trusted.
	// Zero values presumably mean unbounded, as for ExpiringKey — confirm in Verify.
	ValidityPeriodStart time.Time
	ValidityPeriodEnd   time.Time
	// URI identifies this CA instance.
	URI                 string
}

func ParseCertificateAuthority

func ParseCertificateAuthority(certAuthority *prototrustroot.CertificateAuthority) (*FulcioCertificateAuthority, error)

func (*FulcioCertificateAuthority) Verify

func (ca *FulcioCertificateAuthority) Verify(cert *x509.Certificate, observerTimestamp time.Time) ([][]*x509.Certificate, error)

type LiveTrustedRoot

// LiveTrustedRoot embeds a *TrustedRoot that is periodically re-fetched from
// TUF so long-running processes observe updated trust material.
// NOTE(review): because the embedded pointer is exported, callers can read
// l.TrustedRoot directly and bypass whatever synchronisation the unexported
// fields provide for the refresh; prefer the accessor methods — confirm
// against the source.
type LiveTrustedRoot struct {
	*TrustedRoot
	// contains filtered or unexported fields
}

LiveTrustedRoot is a wrapper around TrustedRoot that periodically refreshes the trusted root from TUF. This is needed for long-running processes, which would otherwise keep using the trusted root fetched at startup: refreshing picks up newly published trust material and avoids the root going stale or expiring while the process runs.

func NewLiveTrustedRoot

func NewLiveTrustedRoot(opts *tuf.Options) (*LiveTrustedRoot, error)

NewLiveTrustedRoot returns a LiveTrustedRoot that will periodically refresh the trusted root from TUF.

func NewLiveTrustedRootFromTarget

func NewLiveTrustedRootFromTarget(opts *tuf.Options, target string) (*LiveTrustedRoot, error)

NewLiveTrustedRootFromTarget returns a LiveTrustedRoot that will periodically refresh the trusted root from TUF using the provided target.

func NewLiveTrustedRootFromTargetWithPeriod

func NewLiveTrustedRootFromTargetWithPeriod(opts *tuf.Options, target string, rfPeriod time.Duration) (*LiveTrustedRoot, error)

NewLiveTrustedRootFromTargetWithPeriod returns a LiveTrustedRoot that performs a TUF refresh every rfPeriod, accessing the provided target.

func (*LiveTrustedRoot) CTLogs

func (l *LiveTrustedRoot) CTLogs() map[string]*TransparencyLog

func (*LiveTrustedRoot) FulcioCertificateAuthorities

func (l *LiveTrustedRoot) FulcioCertificateAuthorities() []CertificateAuthority

func (*LiveTrustedRoot) PublicKeyVerifier

func (l *LiveTrustedRoot) PublicKeyVerifier(keyID string) (TimeConstrainedVerifier, error)

func (*LiveTrustedRoot) RekorLogs

func (l *LiveTrustedRoot) RekorLogs() map[string]*TransparencyLog

func (*LiveTrustedRoot) TimestampingAuthorities

func (l *LiveTrustedRoot) TimestampingAuthorities() []TimestampingAuthority

type Service

// Service describes one endpoint listed in a SigningConfig (a Fulcio CA, OIDC
// provider, Rekor log or timestamp authority) together with the API version it
// speaks and the time window in which it may be used. SelectService and
// SelectServices choose among Services using these fields.
type Service struct {
	// URL is the endpoint's base URL.
	URL                 string
	// MajorAPIVersion is the major API version the endpoint speaks; selection
	// only considers versions the caller lists as supported.
	MajorAPIVersion     uint32
	// ValidityPeriodStart and ValidityPeriodEnd bound when the endpoint may be
	// used (see ValidAtTime).
	ValidityPeriodStart time.Time
	ValidityPeriodEnd   time.Time
	// Operator names who runs the endpoint; SelectServices picks at most one
	// service per operator.
	Operator            string
}

func NewService

func NewService(s *prototrustroot.Service) Service

func SelectService

func SelectService(services []Service, supportedAPIVersions []uint32, currentTime time.Time) (Service, error)

SelectService returns which service endpoint should be used based on supported API versions and current time. It will select the first service with the highest API version that matches the criteria. Services should be sorted from newest to oldest validity period start time, to minimize how far clients need to search to find a matching service.

func SelectServices

func SelectServices(services []Service, config ServiceConfiguration, supportedAPIVersions []uint32, currentTime time.Time) ([]Service, error)

SelectServices returns which service endpoints should be used based on supported API versions and current time. It will use the configuration's selector to pick a set of services. ALL will return all service endpoints, ANY will return a random endpoint, and EXACT will return a random selection of a specified number of endpoints. It will select services from the highest supported API versions and will not select services from different API versions. It will select distinct service operators, selecting at most one service per operator.

func (Service) ToServiceProtobuf

func (s Service) ToServiceProtobuf() *prototrustroot.Service

func (Service) ValidAtTime

func (s Service) ValidAtTime(t time.Time) bool

type ServiceConfiguration

// ServiceConfiguration tells SelectServices how many endpoints to choose:
// Selector is ALL, ANY or EXACT, and Count is the number of endpoints to
// return when Selector is EXACT (presumably ignored otherwise — confirm).
type ServiceConfiguration struct {
	Selector prototrustroot.ServiceSelector
	Count    uint32
}

func (ServiceConfiguration) ToConfigProtobuf

type SigningConfig

// SigningConfig holds the endpoints a signer should use — Fulcio CAs, OIDC
// providers, Rekor logs and timestamp authorities — plus selection criteria
// for the logs and TSAs. All state is unexported; use the accessors and
// With*/Add* builders below.
type SigningConfig struct {
	// contains filtered or unexported fields
}

func FetchSigningConfig

func FetchSigningConfig() (*SigningConfig, error)

FetchSigningConfig fetches the public-good Sigstore signing configuration from TUF.

func FetchSigningConfigWithOptions

func FetchSigningConfigWithOptions(opts *tuf.Options) (*SigningConfig, error)

FetchSigningConfigWithOptions fetches the public-good Sigstore signing configuration from TUF using the given options.

func GetSigningConfig

func GetSigningConfig(c *tuf.Client) (*SigningConfig, error)

GetSigningConfig fetches the public-good Sigstore signing configuration target from TUF.

func NewSigningConfig

func NewSigningConfig(mediaType string,
	fulcioCertificateAuthorities []Service,
	oidcProviders []Service,
	rekorLogs []Service,
	rekorLogsConfig ServiceConfiguration,
	timestampAuthorities []Service,
	timestampAuthoritiesConfig ServiceConfiguration) (*SigningConfig, error)

NewSigningConfig initializes a SigningConfig object from a mediaType string, the Fulcio certificate authority services, the OIDC provider services, the Rekor transparency log services and their selection criteria, and the timestamp authority services and their selection criteria.

func NewSigningConfigFromJSON

func NewSigningConfigFromJSON(rootJSON []byte) (*SigningConfig, error)

NewSigningConfigFromJSON returns a Sigstore signing configuration from JSON.

func NewSigningConfigFromPath

func NewSigningConfigFromPath(path string) (*SigningConfig, error)

NewSigningConfigFromPath reads the JSON file at path and returns the Sigstore signing configuration it contains.

func NewSigningConfigFromProtobuf

func NewSigningConfigFromProtobuf(sc *prototrustroot.SigningConfig) (*SigningConfig, error)

NewSigningConfigFromProtobuf returns a Sigstore signing configuration.

func (*SigningConfig) AddFulcioCertificateAuthorityURLs

func (sc *SigningConfig) AddFulcioCertificateAuthorityURLs(fulcioURLs ...Service) *SigningConfig

func (*SigningConfig) AddOIDCProviderURLs

func (sc *SigningConfig) AddOIDCProviderURLs(oidcURLs ...Service) *SigningConfig

func (*SigningConfig) AddRekorLogURLs

func (sc *SigningConfig) AddRekorLogURLs(logURLs ...Service) *SigningConfig

func (*SigningConfig) AddTimestampAuthorityURLs

func (sc *SigningConfig) AddTimestampAuthorityURLs(tsaURLs ...Service) *SigningConfig

func (*SigningConfig) FulcioCertificateAuthorityURLs

func (sc *SigningConfig) FulcioCertificateAuthorityURLs() []Service

func (SigningConfig) MarshalJSON

func (sc SigningConfig) MarshalJSON() ([]byte, error)

func (*SigningConfig) OIDCProviderURLs

func (sc *SigningConfig) OIDCProviderURLs() []Service

func (*SigningConfig) RekorLogURLs

func (sc *SigningConfig) RekorLogURLs() []Service

func (*SigningConfig) RekorLogURLsConfig

func (sc *SigningConfig) RekorLogURLsConfig() ServiceConfiguration

func (SigningConfig) String

func (sc SigningConfig) String() string

func (*SigningConfig) TimestampAuthorityURLs

func (sc *SigningConfig) TimestampAuthorityURLs() []Service

func (*SigningConfig) TimestampAuthorityURLsConfig

func (sc *SigningConfig) TimestampAuthorityURLsConfig() ServiceConfiguration

func (*SigningConfig) WithFulcioCertificateAuthorityURLs

func (sc *SigningConfig) WithFulcioCertificateAuthorityURLs(fulcioURLs ...Service) *SigningConfig

func (*SigningConfig) WithOIDCProviderURLs

func (sc *SigningConfig) WithOIDCProviderURLs(oidcURLs ...Service) *SigningConfig

func (*SigningConfig) WithRekorLogURLs

func (sc *SigningConfig) WithRekorLogURLs(logURLs ...Service) *SigningConfig

func (*SigningConfig) WithRekorTlogConfig

func (sc *SigningConfig) WithRekorTlogConfig(selector prototrustroot.ServiceSelector, count uint32) *SigningConfig

func (*SigningConfig) WithTimestampAuthorityURLs

func (sc *SigningConfig) WithTimestampAuthorityURLs(tsaURLs ...Service) *SigningConfig

func (*SigningConfig) WithTsaConfig

func (sc *SigningConfig) WithTsaConfig(selector prototrustroot.ServiceSelector, count uint32) *SigningConfig

type SigstoreTimestampingAuthority

// SigstoreTimestampingAuthority is a TimestampingAuthority backed by an X.509
// chain (Root, Intermediates, Leaf) that is trusted only within the validity
// period below.
type SigstoreTimestampingAuthority struct {
	// Root is the trust anchor for the TSA chain.
	Root                *x509.Certificate
	// Intermediates sit between Leaf and Root.
	Intermediates       []*x509.Certificate
	// Leaf is the end-entity certificate of the authority; unlike
	// FulcioCertificateAuthority the leaf is pinned here, presumably because
	// it is the key expected to sign timestamps — confirm in Verify.
	Leaf                *x509.Certificate
	// ValidityPeriodStart and ValidityPeriodEnd bound when this TSA is trusted.
	ValidityPeriodStart time.Time
	ValidityPeriodEnd   time.Time
	// URI identifies this TSA instance.
	URI                 string
}

func (*SigstoreTimestampingAuthority) Verify

func (tsa *SigstoreTimestampingAuthority) Verify(signedTimestamp []byte, signatureBytes []byte) (*Timestamp, error)

type TimeConstrainedVerifier

// TimeConstrainedVerifier is a signature.Verifier that also reports whether it
// was valid at a given instant, so callers can reject signatures made outside
// the key's validity window rather than only checking the signature bytes.
type TimeConstrainedVerifier interface {
	ValidityPeriodChecker
	signature.Verifier
}

type Timestamp

// Timestamp is the result of verifying a signed timestamp: the asserted Time
// and the URI of the authority that issued it.
type Timestamp struct {
	Time time.Time
	URI  string
}

type TimestampingAuthority

// TimestampingAuthority verifies signed timestamps.
type TimestampingAuthority interface {
	// Verify checks that signedTimestamp is a valid timestamp issued by this
	// authority and returns the asserted time and the authority's URI, or an
	// error. signatureBytes is presumably the signature the timestamp is
	// expected to cover — confirm against the implementation.
	Verify(signedTimestamp []byte, signatureBytes []byte) (*Timestamp, error)
}

func ParseTimestampingAuthorities

func ParseTimestampingAuthorities(certAuthorities []*prototrustroot.CertificateAuthority) (timestampingAuthorities []TimestampingAuthority, err error)

func ParseTimestampingAuthority

func ParseTimestampingAuthority(certAuthority *prototrustroot.CertificateAuthority) (TimestampingAuthority, error)

type TransparencyLog

// TransparencyLog describes one Rekor or CT log instance: where it is, how it
// is identified, when it is trusted, and the key and hash algorithms needed to
// check its signatures and inclusion proofs.
type TransparencyLog struct {
	// BaseURL is the log's endpoint.
	BaseURL             string
	// ID is the log's identifier bytes. The maps returned by RekorLogs and
	// CTLogs are keyed by string, presumably an encoding of ID — confirm in
	// ParseTransparencyLogs.
	ID                  []byte
	// ValidityPeriodStart and ValidityPeriodEnd bound when entries from this
	// log are trusted.
	ValidityPeriodStart time.Time
	ValidityPeriodEnd   time.Time
	// This is the hash algorithm used by the Merkle tree
	HashFunc  crypto.Hash
	// PublicKey is the log's signing key, used to verify what it signs.
	PublicKey crypto.PublicKey
	// The hash algorithm used during signature creation
	SignatureHashFunc crypto.Hash
}

type TrustedMaterial

// TrustedMaterial is the set of trust anchors a verifier consults: timestamp
// authorities, Fulcio CAs, Rekor and CT logs (keyed by log ID string), and a
// lookup from key ID to a time-constrained verifier for keyed (non-certificate)
// signing.
type TrustedMaterial interface {
	TimestampingAuthorities() []TimestampingAuthority
	FulcioCertificateAuthorities() []CertificateAuthority
	RekorLogs() map[string]*TransparencyLog
	CTLogs() map[string]*TransparencyLog
	// PublicKeyVerifier returns the verifier registered for the given key ID,
	// or an error when the ID is not known to this material.
	PublicKeyVerifier(string) (TimeConstrainedVerifier, error)
}

type TrustedMaterialCollection

// TrustedMaterialCollection aggregates several TrustedMaterial sources into
// one. Its accessors presumably merge the members' results and
// PublicKeyVerifier returns the first member that knows the key ID — confirm
// against the source. Note the trust consequence of merging: a CA, log or key
// trusted by any one member is trusted by the whole collection.
type TrustedMaterialCollection []TrustedMaterial

func (TrustedMaterialCollection) CTLogs

func (TrustedMaterialCollection) FulcioCertificateAuthorities

func (tmc TrustedMaterialCollection) FulcioCertificateAuthorities() []CertificateAuthority

func (TrustedMaterialCollection) PublicKeyVerifier

func (tmc TrustedMaterialCollection) PublicKeyVerifier(keyID string) (TimeConstrainedVerifier, error)

func (TrustedMaterialCollection) RekorLogs

func (tmc TrustedMaterialCollection) RekorLogs() map[string]*TransparencyLog

func (TrustedMaterialCollection) TimestampingAuthorities

func (tmc TrustedMaterialCollection) TimestampingAuthorities() []TimestampingAuthority

type TrustedPublicKeyMaterial

// TrustedPublicKeyMaterial is a TrustedMaterial that only knows trusted public
// keys, resolved through a caller-supplied lookup function (see
// NewTrustedPublicKeyMaterial); CAs, logs and TSAs come from the embedded
// BaseTrustedMaterial defaults.
type TrustedPublicKeyMaterial struct {
	BaseTrustedMaterial
	// contains filtered or unexported fields
}

func NewTrustedPublicKeyMaterial

func NewTrustedPublicKeyMaterial(publicKeyVerifier func(string) (TimeConstrainedVerifier, error)) *TrustedPublicKeyMaterial

func NewTrustedPublicKeyMaterialFromMapping

func NewTrustedPublicKeyMaterialFromMapping(trustedPublicKeys map[string]*ExpiringKey) *TrustedPublicKeyMaterial

NewTrustedPublicKeyMaterialFromMapping returns a TrustedPublicKeyMaterial from a map of key IDs to ExpiringKeys.

func (*TrustedPublicKeyMaterial) PublicKeyVerifier

func (tr *TrustedPublicKeyMaterial) PublicKeyVerifier(keyID string) (TimeConstrainedVerifier, error)

type TrustedRoot

// TrustedRoot is the parsed Sigstore trusted root: the Fulcio CAs, CT logs,
// Rekor logs and timestamp authorities a verifier trusts. It is built from the
// TUF-distributed JSON (FetchTrustedRoot and friends) or from the JSON/protobuf
// constructors below. It does not override PublicKeyVerifier, so that method
// is the embedded BaseTrustedMaterial default.
type TrustedRoot struct {
	BaseTrustedMaterial
	// contains filtered or unexported fields
}

func FetchTrustedRoot

func FetchTrustedRoot() (*TrustedRoot, error)

FetchTrustedRoot fetches the Sigstore trusted root from TUF and returns it.

func FetchTrustedRootWithOptions

func FetchTrustedRootWithOptions(opts *tuf.Options) (*TrustedRoot, error)

FetchTrustedRootWithOptions fetches the trusted root from TUF with the given options and returns it.

func GetTrustedRoot

func GetTrustedRoot(c *tuf.Client) (*TrustedRoot, error)

GetTrustedRoot fetches the trusted root target from TUF using the given client and returns it.

func NewTrustedRoot

func NewTrustedRoot(mediaType string,
	certificateAuthorities []CertificateAuthority,
	certificateTransparencyLogs map[string]*TransparencyLog,
	timestampAuthorities []TimestampingAuthority,
	transparencyLogs map[string]*TransparencyLog) (*TrustedRoot, error)

NewTrustedRoot initializes a TrustedRoot object from a mediaType string, list of Fulcio certificate authorities, list of timestamp authorities and maps of ctlogs and rekor transparency log instances. mediaType must be TrustedRootMediaType01 ("application/vnd.dev.sigstore.trustedroot+json;version=0.1").

func NewTrustedRootFromJSON

func NewTrustedRootFromJSON(rootJSON []byte) (*TrustedRoot, error)

NewTrustedRootFromJSON parses rootJSON, a JSON-encoded Sigstore trusted root, and returns it.

func NewTrustedRootFromPath

func NewTrustedRootFromPath(path string) (*TrustedRoot, error)

func NewTrustedRootFromProtobuf

func NewTrustedRootFromProtobuf(protobufTrustedRoot *prototrustroot.TrustedRoot) (trustedRoot *TrustedRoot, err error)

func (*TrustedRoot) CTLogs

func (tr *TrustedRoot) CTLogs() map[string]*TransparencyLog

func (*TrustedRoot) FulcioCertificateAuthorities

func (tr *TrustedRoot) FulcioCertificateAuthorities() []CertificateAuthority

func (*TrustedRoot) MarshalJSON

func (tr *TrustedRoot) MarshalJSON() ([]byte, error)

func (*TrustedRoot) RekorLogs

func (tr *TrustedRoot) RekorLogs() map[string]*TransparencyLog

func (*TrustedRoot) TimestampingAuthorities

func (tr *TrustedRoot) TimestampingAuthorities() []TimestampingAuthority

type ValidityPeriodChecker

// ValidityPeriodChecker reports whether a trust anchor was valid at a given
// instant.
type ValidityPeriodChecker interface {
	ValidAtTime(time.Time) bool
}

Source Files

certificate_authority.go signing_config.go timestamping_authority.go trusted_material.go trusted_root.go trusted_root_create.go
