attest/example_sign_test.go

/*
   Copyright 2024 Docker attest authors

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
*/
package attest_test

import (
	"context"

	"github.com/docker/attest"
	"github.com/docker/attest/attestation"
	"github.com/docker/attest/oci"
	"github.com/docker/attest/signerverifier"
	"github.com/docker/attest/tlog"
	v1 "github.com/google/go-containerregistry/pkg/v1"
	"github.com/google/go-containerregistry/pkg/v1/empty"
	"github.com/google/go-containerregistry/pkg/v1/mutate"
)

func ExampleSignStatements_remote() {
	// configure signerverifier
	// local signer (unsafe for production)
	signer, err := signerverifier.GenKeyPair()
	if err != nil {
		panic(err)
	}
	// example using AWS KMS signer
	// aws_arn := "arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012"
	// aws_region := "us-west-2"
	// signer, err := signerverifier.GetAWSSigner(cmd.Context(), aws_arn, aws_region)

	// configure signing options

	// use rekor transparency log wit static rekor public key (see options to use dynamic rekor public key)
	rekor, err := tlog.NewRekorLog()
	if err != nil {
		panic(err)
	}
	opts := &attestation.SigningOptions{
		TransparencyLog: rekor, // unset this to disable signature transparency logging
	}

	// load image index with unsigned attestation-manifests
	ref := "docker/image-signer-verifier:latest"
	attIdx, err := oci.IndexFromRemote(context.Background(), ref)
	if err != nil {
		panic(err)
	}
	// example for local image index
	// path := "/myimage"
	// attIdx, err = oci.IndexFromPath(path)
	// if err != nil {
	// 	panic(err)
	// }

	// sign all attestations in an image index
	signedManifests, err := attest.SignStatements(context.Background(), attIdx.Index, signer, opts)
	if err != nil {
		panic(err)
	}
	signedIndex := attIdx.Index
	signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests)
	if err != nil {
		panic(err)
	}

	// push image index with signed attestation-manifests
	err = oci.PushIndexToRegistry(context.Background(), signedIndex, ref)
	if err != nil {
		panic(err)
	}
	// output image index to filesystem (optional)
	path := "/myimage"
	idx := v1.ImageIndex(empty.Index)
	idx = mutate.AppendManifests(idx, mutate.IndexAddendum{
		Add: signedIndex,
		Descriptor: v1.Descriptor{
			Annotations: map[string]string{
				oci.OCIReferenceTarget: attIdx.Name,
			},
		},
	})
	err = oci.SaveIndexAsOCILayout(idx, path)
	if err != nil {
		panic(err)
	}
}
chore: apply license headers 2024-10-17 13:40:17 -05:00			`/*`
			`Copyright 2024 Docker attest authors`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`
docs: update examples in README.md 2024-05-02 13:42:35 -05:00			`package attest_test`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00
			`import (`
			`"context"`

refactor! remove pkg directory (#145) * refactor!: remove pkg directory * chore: include breaking changes in draft 2024-09-02 16:17:50 +01:00			`"github.com/docker/attest"`
			`"github.com/docker/attest/attestation"`
			`"github.com/docker/attest/oci"`
			`"github.com/docker/attest/signerverifier"`
Use a Factory to create signature verifiers at policy evaluation time (#165) * Make verifiers composable * fix: remove unused code and improve signature verification logic * fix: simplify abstractions and renamed some things * fix: improve tl interface. * fix: sort out signer/verifier 2024-09-18 13:34:10 +01:00			`"github.com/docker/attest/tlog"`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`v1 "github.com/google/go-containerregistry/pkg/v1"`
			`"github.com/google/go-containerregistry/pkg/v1/empty"`
			`"github.com/google/go-containerregistry/pkg/v1/mutate"`
			`)`

chore: fix linting errors (#91) 2024-07-16 12:52:33 +01:00			`func ExampleSignStatements_remote() {`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`// configure signerverifier`
			`// local signer (unsafe for production)`
			`signer, err := signerverifier.GenKeyPair()`
			`if err != nil {`
			`panic(err)`
			`}`
			`// example using AWS KMS signer`
			`// aws_arn := "arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012"`
			`// aws_region := "us-west-2"`
			`// signer, err := signerverifier.GetAWSSigner(cmd.Context(), aws_arn, aws_region)`

			`// configure signing options`
Use a Factory to create signature verifiers at policy evaluation time (#165) * Make verifiers composable * fix: remove unused code and improve signature verification logic * fix: simplify abstractions and renamed some things * fix: improve tl interface. * fix: sort out signer/verifier 2024-09-18 13:34:10 +01:00
			`// use rekor transparency log wit static rekor public key (see options to use dynamic rekor public key)`
			`rekor, err := tlog.NewRekorLog()`
			`if err != nil {`
			`panic(err)`
			`}`
Handle errors from Go in Rego. Support for skipping TL (#47) * Make TL logging/verification optional * Return errors from go-lang fns * Update pkg/policy/rego.go Co-authored-by: Jonny Stoten <jonny@jonnystoten.com> * Update pkg/attestation/sign.go Co-authored-by: Joel Kamp <joel.kamp@docker.com> * Move public key marshelling until later * Simplify logSignature and pass down opts --------- Co-authored-by: Jonny Stoten <jonny@jonnystoten.com> Co-authored-by: Joel Kamp <joel.kamp@docker.com> 2024-06-06 09:59:32 +01:00			`opts := &attestation.SigningOptions{`
Use a Factory to create signature verifiers at policy evaluation time (#165) * Make verifiers composable * fix: remove unused code and improve signature verification logic * fix: simplify abstractions and renamed some things * fix: improve tl interface. * fix: sort out signer/verifier 2024-09-18 13:34:10 +01:00			`TransparencyLog: rekor, // unset this to disable signature transparency logging`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`}`

			`// load image index with unsigned attestation-manifests`
			`ref := "docker/image-signer-verifier:latest"`
feature!: support for setting HTTP User-Agent header (#157) * feature!: support for setting HTTP User-Agent header * fix lint * fix e2e * refactor: move http.go to internal/util/useragent package and rename functions to Get and Set * Move packages and use attest version 2024-09-09 14:22:17 +01:00			`attIdx, err := oci.IndexFromRemote(context.Background(), ref)`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`if err != nil {`
			`panic(err)`
			`}`
			`// example for local image index`
			`// path := "/myimage"`
Unify functions for use in `sign` & `verify --vsa` (#71) * Use receivers for manifest functions * Move SaveImage/SaveIndex from image-signing-verifier * Ignore test fixtures in coverage * Add AddImagesToIndex function 2024-07-05 09:29:14 +01:00			`// attIdx, err = oci.IndexFromPath(path)`
			`// if err != nil {`
			`// panic(err)`
			`// }`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00
Unify functions for use in `sign` & `verify --vsa` (#71) * Use receivers for manifest functions * Move SaveImage/SaveIndex from image-signing-verifier * Ignore test fixtures in coverage * Add AddImagesToIndex function 2024-07-05 09:29:14 +01:00			`// sign all attestations in an image index`
			`signedManifests, err := attest.SignStatements(context.Background(), attIdx.Index, signer, opts)`
			`if err != nil {`
			`panic(err)`
			`}`
			`signedIndex := attIdx.Index`
Make referrers attestations OCI compliant (#80) * Single attestation when creating VSA * Create single layer images for referrers attestations * Move mock to test package. Add artifacts test * Add test for envelope detection * Add tests for image/index saving * Add mirror tests * Remove AttestationImage field from AttestationManifest * Update naming. strictReferers != laxReferrers * Add specific test for SaveReferrers 2024-07-16 10:05:17 +01:00			`signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests)`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`if err != nil {`
			`panic(err)`
			`}`

			`// push image index with signed attestation-manifests`
feature!: support for setting HTTP User-Agent header (#157) * feature!: support for setting HTTP User-Agent header * fix lint * fix e2e * refactor: move http.go to internal/util/useragent package and rename functions to Get and Set * Move packages and use attest version 2024-09-09 14:22:17 +01:00			`err = oci.PushIndexToRegistry(context.Background(), signedIndex, ref)`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`if err != nil {`
			`panic(err)`
			`}`
			`// output image index to filesystem (optional)`
			`path := "/myimage"`
			`idx := v1.ImageIndex(empty.Index)`
			`idx = mutate.AppendManifests(idx, mutate.IndexAddendum{`
Unify functions for use in `sign` & `verify --vsa` (#71) * Use receivers for manifest functions * Move SaveImage/SaveIndex from image-signing-verifier * Ignore test fixtures in coverage * Add AddImagesToIndex function 2024-07-05 09:29:14 +01:00			`Add: signedIndex,`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`Descriptor: v1.Descriptor{`
			`Annotations: map[string]string{`
fix: standardize casing of initialisms (#112) * fix: standardize casing of initialisms * fix: rename intoto -> inToto and Intoto to InToto * fix: fix all linting errors 2024-08-01 15:35:15 +01:00			`oci.OCIReferenceTarget: attIdx.Name,`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`},`
			`},`
			`})`
refactor!: move oci output from mirror to oci pkg BREAKING_CHANGE: output methods to save and push images are now part of the oci pkg 2024-08-08 14:23:46 -05:00			`err = oci.SaveIndexAsOCILayout(idx, path)`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`if err != nil {`
			`panic(err)`
			`}`
			`}`