James Carnegie
357768d421
Various fixes (#63)
...
* Fix digest resolution and attestation style
* Add a bunch more tests
* Rename fields for consistency
* Remove copy-pasta
* Value -> pointer
v0.1.5
2024-06-21 22:12:42 +01:00
James Carnegie
6bd57e02b6
Add support for separate attestation storage repo (#62)
...
* Add support for separate attestation storage repo
* Move mapping file types and parsing to config package
* Change signature of Verify to take image/platform
* Separate Attestation Resolvers to their own files (registry, layout and referrers)
* Add support configuring referrers resolution style in mapping.yaml
* Add registry test
2024-06-21 11:29:16 +01:00
dependabot[bot]
86878482c3
feat(deps): bump github.com/aws/aws-sdk-go-v2/config (#58)
2024-06-18 15:06:00 +00:00
James Carnegie
130e1f640b
Support referrers using digest, not just tag (#55)
...
* Support referrers using digest, not just tag
* ParseRef and switch on type
* Call DigestStr instead of String
2024-06-17 17:30:12 +01:00
Jonny Stoten
0d0d86854c
Return policy input with verification result (#56)
2024-06-17 17:28:22 +01:00
Jonny Stoten
1d9e14b99f
Avoid pointers to map (#57)
2024-06-17 17:24:29 +01:00
dependabot[bot]
83c7d7634a
feat(deps): bump github.com/google/go-containerregistry (#54)
...
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.19.1 to 0.19.2.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.19.1...v0.19.2)
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-17 11:03:08 +01:00
Joel Kamp
5c07bd70d9
Merge pull request #53 from docker/fix-default-mkdir-perms
...
fix: mkdir perms
2024-06-14 15:42:23 -05:00
mrjoelkamp
c02e628600
fix: mkdir perms
2024-06-14 15:23:25 -05:00
Joel Kamp
3d46780a1c
Merge pull request #52 from docker/refactor-use-interface-value
...
refactor: use interface value
2024-06-14 11:58:45 -05:00
mrjoelkamp
83dfd746b9
fix: update output dir permissions
2024-06-14 11:11:48 -05:00
mrjoelkamp
845fe93c11
refactor: remove any; split into functions
2024-06-14 10:04:18 -05:00
mrjoelkamp
c154613c52
refactor: use interface value
2024-06-14 10:03:39 -05:00
James Carnegie
e44390d2bc
Don't use pointers for image interfaces (#51)
...
* Don't use pointers for image interfaces
* Also for oci layout
* Remove default case
2024-06-14 10:28:14 +01:00
James Carnegie
8ba9656645
Add support for OCI Referrers and fallback (#50)
...
* Add support for OCI Referrers and fallback
2024-06-13 16:10:41 +01:00
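The referrers resolution that the "#50" and "#55" commits above describe, shown as an added example written for this page rather than code from the attest project: it parses a tag or digest reference with a small stand-in parser (not go-containerregistry's name.ParseReference), resolves a tag to a manifest digest through a constructed in-memory registry, and derives both the OCI distribution spec 1.1 referrers API path and the tag-schema fallback a client uses when a registry does not implement that endpoint. The Ref and Resolver types, the manifest bytes and the repository names are assumptions constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Ref is a parsed OCI image reference: registry/repository[:tag][@sha256:hex].
// Constructed for this example; it is not the attest project's type.
type Ref struct {
	Registry   string
	Repository string
	Tag        string
	Digest     string // "sha256:<64 hex>" when the reference pins a digest
}

// ParseRef is a small stand-in for a reference parser. The digest, if any,
// is validated strictly because it becomes the subject of verification.
func ParseRef(s string) (Ref, error) {
	var r Ref
	if at := strings.Index(s, "@"); at >= 0 {
		r.Digest, s = s[at+1:], s[:at]
		const prefix = "sha256:"
		if !strings.HasPrefix(r.Digest, prefix) || len(r.Digest) != len(prefix)+64 {
			return Ref{}, fmt.Errorf("unsupported or malformed digest %q", r.Digest)
		}
		if _, err := hex.DecodeString(r.Digest[len(prefix):]); err != nil {
			return Ref{}, fmt.Errorf("digest is not hex: %w", err)
		}
	}
	firstSlash := strings.Index(s, "/")
	if firstSlash < 0 {
		return Ref{}, errors.New("reference must start with a registry host")
	}
	// A ':' after the last '/' separates the tag; an earlier one is a host:port.
	if colon := strings.LastIndex(s, ":"); colon > strings.LastIndex(s, "/") {
		r.Tag, s = s[colon+1:], s[:colon]
	}
	r.Registry, r.Repository = s[:firstSlash], s[firstSlash+1:]
	if r.Repository == "" {
		return Ref{}, errors.New("empty repository")
	}
	if r.Tag == "" && r.Digest == "" {
		r.Tag = "latest"
	}
	return r, nil
}

// ManifestDigest is the content-addressed identity a tag resolves to.
func ManifestDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// Resolver stands in for a registry client; Manifests is keyed "repository:tag".
type Resolver struct {
	Manifests map[string][]byte
}

// SubjectDigest returns the digest that attestations must be bound to. A digest
// reference is used as given; a tag is looked up and hashed, never trusted by name.
func (res Resolver) SubjectDigest(r Ref) (string, error) {
	if r.Digest != "" {
		return r.Digest, nil
	}
	m, ok := res.Manifests[r.Repository+":"+r.Tag]
	if !ok {
		return "", fmt.Errorf("tag %s:%s not found", r.Repository, r.Tag)
	}
	return ManifestDigest(m), nil
}

// ReferrersAPIPath is the OCI distribution spec 1.1 referrers endpoint.
func ReferrersAPIPath(r Ref, digest string) string {
	return "/v2/" + r.Repository + "/referrers/" + digest
}

// ReferrersFallbackTag is the spec's tag schema ("<alg>-<hex>") that a client
// falls back to when the referrers endpoint answers 404.
func ReferrersFallbackTag(digest string) string {
	return strings.Replace(digest, ":", "-", 1)
}

func main() {
	manifest := []byte(`{"schemaVersion":2}`) // constructed stand-in manifest bytes
	res := Resolver{Manifests: map[string][]byte{"example/app:v1": manifest}}
	for _, s := range []string{
		"localhost:5000/example/app:v1",
		"localhost:5000/example/app@" + ManifestDigest(manifest),
	} {
		r, err := ParseRef(s)
		if err != nil {
			fmt.Println("parse:", err)
			continue
		}
		d, err := res.SubjectDigest(r)
		if err != nil {
			fmt.Println("resolve:", err)
			continue
		}
		fmt.Printf("%s\n  api:      %s\n  fallback: %s\n", s, ReferrersAPIPath(r, d), ReferrersFallbackTag(d))
	}
}
```

The point a verifier should keep: whichever form the user typed, the attestation lookup and the policy decision key on the resolved digest, because a tag can be repointed at any time while the digest cannot. Both lookup styles (API first, tag fallback) address the same subject digest, which is why the fallback tag is derived from the digest rather than from the original tag.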
dependabot[bot]
e120439035
feat(deps): bump github.com/containerd/containerd from 1.7.17 to 1.7.18 (#48)
2024-06-12 20:16:09 +00:00
dependabot[bot]
b20f452004
feat(deps): bump github.com/aws/aws-sdk-go-v2/config (#49)
2024-06-10 17:23:42 +00:00
James Carnegie
4be882aeb0
Handle errors from Go in Rego. Support for skipping TL (#47)
...
* Make TL logging/verification optional
* Return errors from go-lang fns
* Update pkg/policy/rego.go
Co-authored-by: Jonny Stoten <jonny@jonnystoten.com>
* Update pkg/attestation/sign.go
Co-authored-by: Joel Kamp <joel.kamp@docker.com>
* Move public key marshalling until later
* Simplify logSignature and pass down opts
---------
Co-authored-by: Jonny Stoten <jonny@jonnystoten.com>
Co-authored-by: Joel Kamp <joel.kamp@docker.com>
2024-06-06 09:59:32 +01:00
dependabot[bot]
3b5c506739
feat(deps): bump github.com/aws/aws-sdk-go-v2/config (#46)
...
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.27.16 to 1.27.17.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.16...config/v1.27.17)
---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-04 15:53:00 +01:00
dependabot[bot]
f36bb50af5
feat(deps): bump github.com/open-policy-agent/opa from 0.64.1 to 0.65.0 (#44)
...
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.64.1 to 0.65.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v0.64.1...v0.65.0)
---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-31 11:15:43 +01:00
James Carnegie
c8c148c70a
Expose ParsePlatform (#45)
2024-05-31 11:02:14 +01:00
James Carnegie
a334599635
*Breaking* Parse platform earlier (#43)
...
* *Breaking* Parse platform earlier
* Use constructors and hide fields to avoid confusion
2024-05-30 17:38:58 +01:00
dependabot[bot]
e81016fc31
feat(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws (#42)
...
Bumps [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) from 1.8.3 to 1.8.4.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.3...v1.8.4)
---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-29 12:04:38 +01:00
James Carnegie
2ae5606c92
Add support for selecting a policy by ID (#41)
2024-05-28 15:17:37 +01:00
dependabot[bot]
8a6e75ce39
feat(deps): bump github.com/aws/aws-sdk-go-v2/config (#40)
2024-05-24 13:47:05 +00:00
Jonny Stoten
6397dcede8
Check version of attest against constraints in TUF (#19)
...
* Check version of attest against constraints in TUF
* Add link to semver lib constraints docs
v0.1.4
2024-05-22 17:02:25 +01:00
Jonny Stoten
1a7897a052
Return VSA and rich errors from verification (#38)
...
* Start of richer results from verification
* Pull out VSA code from signing
* Expose attestation signing fns
* Add VSA test
* Notes for policy result
* Require separate policy for VSA creation
* Load test signing key from tests
* Return rich object from policy
* Add result object schema and fix tests
* Ensure example test runs
* Remove data.yaml files from mock policies
* Don't run example - TUF policy isn't compatible
* Add attestation to manifests for all subjects
* Ensure adding attestation doesn't touch statements
* Don't export sign function
* Remove attestations from VerificationResult
* Change bool to Outcome enum in result
* Use outputLayout directly
* Make clearer that Outcome strings are for VSA
* Return multiple SLSA levels from policy
* Fix unmarshalling of policy-id (#39)
* Rename function
* Rename policy.VerificationResult -> policy.Result
* Re-add test for canonical input
---------
Co-authored-by: James Carnegie <james.carnegie@docker.com>
Co-authored-by: James Carnegie <kipz@users.noreply.github.com>
2024-05-22 14:49:23 +01:00
James Carnegie
745eea09e8
Fix image detection based on platform (#33)
2024-05-20 09:37:53 +01:00
dependabot[bot]
84d7903c46
feat(deps): bump github.com/containerd/containerd from 1.7.16 to 1.7.17 (#35)
2024-05-17 17:19:30 +00:00
dependabot[bot]
7234e29829
feat(deps): bump github.com/package-url/packageurl-go (#36)
2024-05-17 17:14:13 +00:00
Joel Kamp
b46f544f0c
Merge pull request #34 from docker/dependabot/go_modules/github.com/aws/aws-sdk-go-v2/config-1.27.15
...
feat(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.27.14 to 1.27.15
2024-05-17 12:13:31 -05:00
dependabot[bot]
85d7b34e18
feat(deps): bump github.com/aws/aws-sdk-go-v2/config
...
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.27.14 to 1.27.15.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.14...config/v1.27.15)
---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-05-17 17:07:46 +00:00
Joel Kamp
c416c11e10
Merge pull request #37 from docker/fix-is-canonical-policy
...
fix: canonical policy
2024-05-17 09:34:27 -05:00
mrjoelkamp
0020ece3b4
fix: canonical policy
2024-05-17 09:29:06 -05:00
James Carnegie
ec1c994f04
Use id/policy-id in mapping.yaml (#32)
2024-05-16 15:34:19 +01:00
James Carnegie
6ebf042966
Upgrade some deps to fix vulnerabilities (#31)
2024-05-16 15:22:30 +01:00
James Carnegie
a86c8c1209
Use policy files from mapping.yaml (#30)
...
* Use policy files from mapping.yaml
* Rename location to root in mapping.yaml
* Remove location/root
2024-05-16 14:49:57 +01:00
dependabot[bot]
dd621e2a13
feat(deps): bump github.com/aws/aws-sdk-go-v2/config (#29)
2024-05-16 13:12:49 +00:00
Joel Kamp
b05523e7ea
Merge pull request #28 from docker/fix-missing-download-dir
...
fix: no such directory error
2024-05-15 18:06:19 -05:00
mrjoelkamp
eddb277d7e
feat: add tuf download target tests
2024-05-15 16:22:35 -05:00
mrjoelkamp
a103e0e9d7
revert: query
2024-05-15 15:23:22 -05:00
mrjoelkamp
249cf5bcf3
fix: query
2024-05-15 15:21:54 -05:00
mrjoelkamp
33a1996b2b
fix: no such directory error
2024-05-15 14:47:20 -05:00
Joel Kamp
1b24098027
Merge pull request #27 from docker/revert-forked-go-tuf
...
revert: go-tuf fork
2024-05-13 10:02:53 -05:00
mrjoelkamp
64f3c9b149
revert: go-tuf fork
2024-05-13 09:48:04 -05:00
dependabot[bot]
3ee718ee67
feat(deps): bump github.com/aws/aws-sdk-go-v2/config (#26)
...
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.27.12 to 1.27.13.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.12...config/v1.27.13)
---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-13 09:54:32 +01:00
dependabot[bot]
06947cf992
feat(deps): bump github.com/aws/aws-sdk-go-v2/config (#21)
...
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.27.11 to 1.27.12.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.11...config/v1.27.12)
---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-10 12:15:15 +01:00
dependabot[bot]
4648680a75
feat(deps): bump github.com/testcontainers/testcontainers-go/modules/registry (#24)
...
Bumps [github.com/testcontainers/testcontainers-go/modules/registry](https://github.com/testcontainers/testcontainers-go) from 0.30.0 to 0.31.0.
- [Release notes](https://github.com/testcontainers/testcontainers-go/releases)
- [Commits](https://github.com/testcontainers/testcontainers-go/compare/v0.30.0...v0.31.0)
---
updated-dependencies:
- dependency-name: github.com/testcontainers/testcontainers-go/modules/registry
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-10 12:14:52 +01:00
Jonny Stoten
17902c4eb8
Merge pull request #20 from docker/small-tidies
...
Small tidies
2024-05-08 15:54:31 +01:00
Jonny Stoten
bd6d130e17
Don't use builtin print function
2024-05-08 13:12:40 +01:00