118 Commits

Author SHA1 Message Date
dependabot[bot]
80658a4b5f feat(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws (#65) v0.1.6 2024-06-26 16:43:41 +00:00
Joel Kamp
46db2b9fd5 Merge pull request #59 from docker/feat-cloud-provider-authn
feat: cloud provider authn
2024-06-26 09:28:03 -05:00
mrjoelkamp
e37f788865 refactor: drop ACR support for now 2024-06-25 13:44:29 -05:00
Joel Kamp
13172cb502 Merge branch 'main' into feat-cloud-provider-authn 2024-06-25 12:06:46 -05:00
mrjoelkamp
abb3163628 fix: update aws-sdk-go-v2 2024-06-25 11:49:58 -05:00
James Carnegie
742f98fbeb Generate coverage when tests are run (#64)
* Generate coverage when tests are run
* Use docker's codecov account
2024-06-24 14:26:07 +01:00
Joel Kamp
8cae188735 Merge branch 'main' into feat-cloud-provider-authn 2024-06-21 16:39:45 -05:00
Joel Kamp
7586f4dfc4 Merge pull request #61 from docker/dependabot/go_modules/github.com/aws/aws-sdk-go-v2/config-1.27.21
feat(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.27.19 to 1.27.21
2024-06-21 16:35:01 -05:00
Joel Kamp
acb862ea42 Merge branch 'main' into dependabot/go_modules/github.com/aws/aws-sdk-go-v2/config-1.27.21 2024-06-21 16:32:11 -05:00
James Carnegie
357768d421 Various fixes (#63)
* Fix digest resolution and attestation style

* Add a bunch more tests

* Rename fields for consistency

* Remove copy-pasta

* Value -> pointer
v0.1.5
2024-06-21 22:12:42 +01:00
James Carnegie
6bd57e02b6 Add support for separate attestation storage repo (#62)
* Add support for separate attestation storage repo
* Move mapping file types and parsing to config package
* Change signature of Verify to take image/platform
* Separate Attestation Resolvers to their own files (registry, layout and referrers)
* Add support for configuring referrers resolution style in mapping.yaml
* Add registry test
2024-06-21 11:29:16 +01:00
dependabot[bot]
92985e9a12 feat(deps): bump github.com/aws/aws-sdk-go-v2/config
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.27.19 to 1.27.21.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.19...config/v1.27.21)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-06-20 08:23:40 +00:00
mrjoelkamp
08e823e05b refactor: make common authn function 2024-06-18 12:00:47 -05:00
Joel Kamp
ff38975c76 Merge branch 'main' into feat-cloud-provider-authn 2024-06-18 10:09:04 -05:00
dependabot[bot]
86878482c3 feat(deps): bump github.com/aws/aws-sdk-go-v2/config (#58) 2024-06-18 15:06:00 +00:00
mrjoelkamp
f95760d8b2 chore: fmt go.mod 2024-06-18 10:04:38 -05:00
mrjoelkamp
f611f81fff feat: add support for ecr, gcp, acr authn 2024-06-18 09:59:04 -05:00
mrjoelkamp
8e3c6a2ec5 feat: use os.ModePerm 2024-06-18 09:39:12 -05:00
mrjoelkamp
a3921c206a fix: ineffectual assign 2024-06-18 09:38:50 -05:00
James Carnegie
130e1f640b Support referrers using digest, not just tag (#55)
* Support referrers using digest, not just tag

* ParseRef and switch on type

* Call DigestStr instead of String
2024-06-17 17:30:12 +01:00
Jonny Stoten
0d0d86854c Return policy input with verification result (#56) 2024-06-17 17:28:22 +01:00
Jonny Stoten
1d9e14b99f Avoid pointers to map (#57) 2024-06-17 17:24:29 +01:00
dependabot[bot]
83c7d7634a feat(deps): bump github.com/google/go-containerregistry (#54)
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.19.1 to 0.19.2.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.19.1...v0.19.2)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-17 11:03:08 +01:00
Joel Kamp
5c07bd70d9 Merge pull request #53 from docker/fix-default-mkdir-perms
fix: mkdir perms
2024-06-14 15:42:23 -05:00
mrjoelkamp
c02e628600 fix: mkdir perms 2024-06-14 15:23:25 -05:00
Joel Kamp
3d46780a1c Merge pull request #52 from docker/refactor-use-interface-value
refactor: use interface value
2024-06-14 11:58:45 -05:00
mrjoelkamp
83dfd746b9 fix: update output dir permissions 2024-06-14 11:11:48 -05:00
mrjoelkamp
845fe93c11 refactor: remove any; split into functions 2024-06-14 10:04:18 -05:00
mrjoelkamp
c154613c52 refactor: use interface value 2024-06-14 10:03:39 -05:00
James Carnegie
e44390d2bc Don't use pointers for image interfaces (#51)
* Don't use pointers for image interfaces

* Also for oci layout

* Remove default case
2024-06-14 10:28:14 +01:00
James Carnegie
8ba9656645 Add support for OCI Referrers and fallback (#50)
* Add support for OCI Referrers and fallback
2024-06-13 16:10:41 +01:00
dependabot[bot]
e120439035 feat(deps): bump github.com/containerd/containerd from 1.7.17 to 1.7.18 (#48) 2024-06-12 20:16:09 +00:00
dependabot[bot]
b20f452004 feat(deps): bump github.com/aws/aws-sdk-go-v2/config (#49) 2024-06-10 17:23:42 +00:00
James Carnegie
4be882aeb0 Handle errors from Go in Rego. Support for skipping TL (#47)
* Make TL logging/verification optional

* Return errors from go-lang fns

* Update pkg/policy/rego.go

Co-authored-by: Jonny Stoten <jonny@jonnystoten.com>

* Update pkg/attestation/sign.go

Co-authored-by: Joel Kamp <joel.kamp@docker.com>

* Move public key marshalling until later

* Simplify logSignature and pass down opts

---------

Co-authored-by: Jonny Stoten <jonny@jonnystoten.com>
Co-authored-by: Joel Kamp <joel.kamp@docker.com>
2024-06-06 09:59:32 +01:00
dependabot[bot]
3b5c506739 feat(deps): bump github.com/aws/aws-sdk-go-v2/config (#46)
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.27.16 to 1.27.17.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.16...config/v1.27.17)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-04 15:53:00 +01:00
dependabot[bot]
f36bb50af5 feat(deps): bump github.com/open-policy-agent/opa from 0.64.1 to 0.65.0 (#44)
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.64.1 to 0.65.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v0.64.1...v0.65.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-31 11:15:43 +01:00
James Carnegie
c8c148c70a Expose ParsePlatform (#45) 2024-05-31 11:02:14 +01:00
James Carnegie
a334599635 *Breaking* Parse platform earlier (#43)
* *Breaking* Parse platform earlier

* Use constructors and hide fields to avoid confusion
2024-05-30 17:38:58 +01:00
dependabot[bot]
e81016fc31 feat(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws (#42)
Bumps [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) from 1.8.3 to 1.8.4.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.3...v1.8.4)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-29 12:04:38 +01:00
James Carnegie
2ae5606c92 Add support for selecting a policy by ID (#41) 2024-05-28 15:17:37 +01:00
dependabot[bot]
8a6e75ce39 feat(deps): bump github.com/aws/aws-sdk-go-v2/config (#40) 2024-05-24 13:47:05 +00:00
Jonny Stoten
6397dcede8 Check version of attest against constraints in TUF (#19)
* Check version of attest against constraints in TUF

* Add link to semver lib constraints docs
v0.1.4
2024-05-22 17:02:25 +01:00
Jonny Stoten
1a7897a052 Return VSA and rich errors from verification (#38)
* Start of richer results from verification

* Pull out VSA code from signing

* Expose attestation signing fns

* Add VSA test

* Notes for policy result

* Require separate policy for VSA creation

* Load test signing key from tests

* Return rich object from policy

* Add result object schema and fix tests

* Ensure example test runs

* Remove data.yaml files from mock policies

* Don't run example - TUF policy isn't compatible

* Add attestation to manifests for all subjects

* Ensure adding attestation doesn't touch statements

* Don't export sign function

* Remove attestations from VerificationResult

* Change bool to Outcome enum in result

* Use outputLayout directly

* Make clearer that Outcome strings are for VSA

* Return multiple SLSA levels from policy

* Fix unmarshalling of policy-id (#39)

* Rename function

* Rename policy.VerificationResult -> policy.Result

* Re-add test for canonical input

---------

Co-authored-by: James Carnegie <james.carnegie@docker.com>
Co-authored-by: James Carnegie <kipz@users.noreply.github.com>
2024-05-22 14:49:23 +01:00
James Carnegie
745eea09e8 Fix image detection based on platform (#33) 2024-05-20 09:37:53 +01:00
dependabot[bot]
84d7903c46 feat(deps): bump github.com/containerd/containerd from 1.7.16 to 1.7.17 (#35) 2024-05-17 17:19:30 +00:00
dependabot[bot]
7234e29829 feat(deps): bump github.com/package-url/packageurl-go (#36) 2024-05-17 17:14:13 +00:00
Joel Kamp
b46f544f0c Merge pull request #34 from docker/dependabot/go_modules/github.com/aws/aws-sdk-go-v2/config-1.27.15
feat(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.27.14 to 1.27.15
2024-05-17 12:13:31 -05:00
dependabot[bot]
85d7b34e18 feat(deps): bump github.com/aws/aws-sdk-go-v2/config
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.27.14 to 1.27.15.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.14...config/v1.27.15)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-05-17 17:07:46 +00:00
Joel Kamp
c416c11e10 Merge pull request #37 from docker/fix-is-canonical-policy
fix: canonical policy
2024-05-17 09:34:27 -05:00
mrjoelkamp
0020ece3b4 fix: canonical policy 2024-05-17 09:29:06 -05:00