Lots of this is taken from image-signer-verifier's README. The stuff on
policy is all new.
Co-authored-by: James Carnegie <kipz@users.noreply.github.com>
* bug: Use DSSE media types for artifactType
* Don't serialize DSSE extension if not present
* Update pkg/attestation/types.go
Co-authored-by: Joel Kamp <joel.kamp@docker.com>
* Don't error on no referrers
---------
Co-authored-by: Joel Kamp <joel.kamp@docker.com>
* Single attestation when creating VSA
* Create single layer images for referrers attestations
* Move mock to test package. Add artifacts test
* Add test for envelope detection
* Add tests for image/index saving
* Add mirror tests
* Remove AttestationImage field from AttestationManifest
* Update naming. strictReferers != laxReferrers
* Add specific test for SaveReferrers
* Add rewrite support and fix existing tests
* Add unit tests for policy matching
* Compile regexes up front and store policies in map
* Add test for verify flow with mirror
* Rename ImageName -> ResolvedName
And only set it when necessary
* Rename Rewrite -> Replacement
but keep it as rewrite in the yaml
* Use receivers for manifest functions
* Move SaveImage/SaveIndex from image-signing-verifier
* Ignore test fixtures in coverage
* Add AddImagesToIndex function
* Add support for separate attestation storage repo
* Move mapping file types and parsing to config package
* Change signature of Verify to take image/platform
* Separate Attestation Resolvers to their own files (registry, layout and referrers)
* Add support configuring referrers resolution style in mapping.yaml
* Add registry test
* Make TL logging/verification optional
* Return errors from go-lang fns
* Update pkg/policy/rego.go
Co-authored-by: Jonny Stoten <jonny@jonnystoten.com>
* Update pkg/attestation/sign.go
Co-authored-by: Joel Kamp <joel.kamp@docker.com>
* Move public key marshelling until later
* Simplify logSignature and pass down opts
---------
Co-authored-by: Jonny Stoten <jonny@jonnystoten.com>
Co-authored-by: Joel Kamp <joel.kamp@docker.com>
* Start of richer results from verification
* Pull out VSA code from signing
* Expose attestation signing fns
* Add VSA test
* Notes for policy result
* Require separate policy for VSA creation
* Load test signing key from tests
* Return rich object from policy
* Add result object schema and fix tests
* Ensure example test runs
* Remove data.yaml files from mock policies
* Don't run example - TUF policy isn't compatible
* Add attestation to manifests for all subjects
* Ensure adding attestation doesn't touch statements
* Don't export sign function
* Remove attestations from VerificationResult
* Change bool to Outcome enum in result
* Use outputLayout directly
* Make clearer that Outcome strings are for VSA
* Return multiple SLSA levels from policy
* Fix unmarshalling of policy-id (#39)
* Rename function
* Rename policy.VerificationResult -> policy.Result
* Re-add test for canonical input
---------
Co-authored-by: James Carnegie <james.carnegie@docker.com>
Co-authored-by: James Carnegie <kipz@users.noreply.github.com>
