attest/example_sign_test.go

package attest_test

import (
	"context"

	"github.com/docker/attest"
	"github.com/docker/attest/attestation"
	"github.com/docker/attest/oci"
	"github.com/docker/attest/signerverifier"
	v1 "github.com/google/go-containerregistry/pkg/v1"
	"github.com/google/go-containerregistry/pkg/v1/empty"
	"github.com/google/go-containerregistry/pkg/v1/mutate"
)

func ExampleSignStatements_remote() {
	// configure signerverifier
	// local signer (unsafe for production)
	signer, err := signerverifier.GenKeyPair()
	if err != nil {
		panic(err)
	}
	// example using AWS KMS signer
	// aws_arn := "arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012"
	// aws_region := "us-west-2"
	// signer, err := signerverifier.GetAWSSigner(cmd.Context(), aws_arn, aws_region)

	// configure signing options
	opts := &attestation.SigningOptions{
		SkipTL: true, // skip trust logging to a transparency log
	}

	// load image index with unsigned attestation-manifests
	ref := "docker/image-signer-verifier:latest"
	attIdx, err := oci.IndexFromRemote(ref)
	if err != nil {
		panic(err)
	}
	// example for local image index
	// path := "/myimage"
	// attIdx, err = oci.IndexFromPath(path)
	// if err != nil {
	// 	panic(err)
	// }

	// sign all attestations in an image index
	signedManifests, err := attest.SignStatements(context.Background(), attIdx.Index, signer, opts)
	if err != nil {
		panic(err)
	}
	signedIndex := attIdx.Index
	signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests)
	if err != nil {
		panic(err)
	}

	// push image index with signed attestation-manifests
	err = oci.PushIndexToRegistry(signedIndex, ref)
	if err != nil {
		panic(err)
	}
	// output image index to filesystem (optional)
	path := "/myimage"
	idx := v1.ImageIndex(empty.Index)
	idx = mutate.AppendManifests(idx, mutate.IndexAddendum{
		Add: signedIndex,
		Descriptor: v1.Descriptor{
			Annotations: map[string]string{
				oci.OCIReferenceTarget: attIdx.Name,
			},
		},
	})
	err = oci.SaveIndexAsOCILayout(idx, path)
	if err != nil {
		panic(err)
	}
}
docs: update examples in README.md 2024-05-02 13:42:35 -05:00			`package attest_test`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00
			`import (`
			`"context"`

refactor! remove pkg directory (#145) * refactor!: remove pkg directory * chore: include breaking changes in draft 2024-09-02 16:17:50 +01:00			`"github.com/docker/attest"`
			`"github.com/docker/attest/attestation"`
			`"github.com/docker/attest/oci"`
			`"github.com/docker/attest/signerverifier"`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`v1 "github.com/google/go-containerregistry/pkg/v1"`
			`"github.com/google/go-containerregistry/pkg/v1/empty"`
			`"github.com/google/go-containerregistry/pkg/v1/mutate"`
			`)`

chore: fix linting errors (#91) 2024-07-16 12:52:33 +01:00			`func ExampleSignStatements_remote() {`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`// configure signerverifier`
			`// local signer (unsafe for production)`
			`signer, err := signerverifier.GenKeyPair()`
			`if err != nil {`
			`panic(err)`
			`}`
			`// example using AWS KMS signer`
			`// aws_arn := "arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012"`
			`// aws_region := "us-west-2"`
			`// signer, err := signerverifier.GetAWSSigner(cmd.Context(), aws_arn, aws_region)`

			`// configure signing options`
Handle errors from Go in Rego. Support for skipping TL (#47) * Make TL logging/verification optional * Return errors from go-lang fns * Update pkg/policy/rego.go Co-authored-by: Jonny Stoten <jonny@jonnystoten.com> * Update pkg/attestation/sign.go Co-authored-by: Joel Kamp <joel.kamp@docker.com> * Move public key marshelling until later * Simplify logSignature and pass down opts --------- Co-authored-by: Jonny Stoten <jonny@jonnystoten.com> Co-authored-by: Joel Kamp <joel.kamp@docker.com> 2024-06-06 09:59:32 +01:00			`opts := &attestation.SigningOptions{`
Make referrers attestations OCI compliant (#80) * Single attestation when creating VSA * Create single layer images for referrers attestations * Move mock to test package. Add artifacts test * Add test for envelope detection * Add tests for image/index saving * Add mirror tests * Remove AttestationImage field from AttestationManifest * Update naming. strictReferers != laxReferrers * Add specific test for SaveReferrers 2024-07-16 10:05:17 +01:00			`SkipTL: true, // skip trust logging to a transparency log`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`}`

			`// load image index with unsigned attestation-manifests`
			`ref := "docker/image-signer-verifier:latest"`
Unify functions for use in `sign` & `verify --vsa` (#71) * Use receivers for manifest functions * Move SaveImage/SaveIndex from image-signing-verifier * Ignore test fixtures in coverage * Add AddImagesToIndex function 2024-07-05 09:29:14 +01:00			`attIdx, err := oci.IndexFromRemote(ref)`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`if err != nil {`
			`panic(err)`
			`}`
			`// example for local image index`
			`// path := "/myimage"`
Unify functions for use in `sign` & `verify --vsa` (#71) * Use receivers for manifest functions * Move SaveImage/SaveIndex from image-signing-verifier * Ignore test fixtures in coverage * Add AddImagesToIndex function 2024-07-05 09:29:14 +01:00			`// attIdx, err = oci.IndexFromPath(path)`
			`// if err != nil {`
			`// panic(err)`
			`// }`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00
Unify functions for use in `sign` & `verify --vsa` (#71) * Use receivers for manifest functions * Move SaveImage/SaveIndex from image-signing-verifier * Ignore test fixtures in coverage * Add AddImagesToIndex function 2024-07-05 09:29:14 +01:00			`// sign all attestations in an image index`
			`signedManifests, err := attest.SignStatements(context.Background(), attIdx.Index, signer, opts)`
			`if err != nil {`
			`panic(err)`
			`}`
			`signedIndex := attIdx.Index`
Make referrers attestations OCI compliant (#80) * Single attestation when creating VSA * Create single layer images for referrers attestations * Move mock to test package. Add artifacts test * Add test for envelope detection * Add tests for image/index saving * Add mirror tests * Remove AttestationImage field from AttestationManifest * Update naming. strictReferers != laxReferrers * Add specific test for SaveReferrers 2024-07-16 10:05:17 +01:00			`signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests)`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`if err != nil {`
			`panic(err)`
			`}`

			`// push image index with signed attestation-manifests`
refactor!: move oci output from mirror to oci pkg BREAKING_CHANGE: output methods to save and push images are now part of the oci pkg 2024-08-08 14:23:46 -05:00			`err = oci.PushIndexToRegistry(signedIndex, ref)`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`if err != nil {`
			`panic(err)`
			`}`
			`// output image index to filesystem (optional)`
			`path := "/myimage"`
			`idx := v1.ImageIndex(empty.Index)`
			`idx = mutate.AppendManifests(idx, mutate.IndexAddendum{`
Unify functions for use in `sign` & `verify --vsa` (#71) * Use receivers for manifest functions * Move SaveImage/SaveIndex from image-signing-verifier * Ignore test fixtures in coverage * Add AddImagesToIndex function 2024-07-05 09:29:14 +01:00			`Add: signedIndex,`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`Descriptor: v1.Descriptor{`
			`Annotations: map[string]string{`
fix: standardize casing of initialisms (#112) * fix: standardize casing of initialisms * fix: rename intoto -> inToto and Intoto to InToto * fix: fix all linting errors 2024-08-01 15:35:15 +01:00			`oci.OCIReferenceTarget: attIdx.Name,`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`},`
			`},`
			`})`
refactor!: move oci output from mirror to oci pkg BREAKING_CHANGE: output methods to save and push images are now part of the oci pkg 2024-08-08 14:23:46 -05:00			`err = oci.SaveIndexAsOCILayout(idx, path)`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`if err != nil {`
			`panic(err)`
			`}`
			`}`