`policy.Options` now contains the arguments to `tuf.Client`'s constructor rather than an actual Client. If these arguments are not provided, defaults pointing at Docker's TUF repo will be used. An actual TUF client can be passed in on the context (which is useful for testing). If this is not provided `attest.Verify` will create a TUF client using the options on `policy.Options`.
---------
Co-authored-by: Joel Kamp <joel.kamp@docker.com>
Lots of this is taken from image-signer-verifier's README. The stuff on
policy is all new.
Co-authored-by: James Carnegie <kipz@users.noreply.github.com>
* bug: Use DSSE media types for artifactType
* Don't serialize DSSE extension if not present
* Update pkg/attestation/types.go
Co-authored-by: Joel Kamp <joel.kamp@docker.com>
* Don't error on no referrers
---------
Co-authored-by: Joel Kamp <joel.kamp@docker.com>
* Single attestation when creating VSA
* Create single layer images for referrers attestations
* Move mock to test package. Add artifacts test
* Add test for envelope detection
* Add tests for image/index saving
* Add mirror tests
* Remove AttestationImage field from AttestationManifest
* Update naming. strictReferers != laxReferrers
* Add specific test for SaveReferrers
* Add rewrite support and fix existing tests
* Add unit tests for policy matching
* Compile regexes up front and store policies in map
* Add test for verify flow with mirror
* Rename ImageName -> ResolvedName
And only set it when necessary
* Rename Rewrite -> Replacement
but keep it as rewrite in the yaml
* Use receivers for manifest functions
* Move SaveImage/SaveIndex from image-signing-verifier
* Ignore test fixtures in coverage
* Add AddImagesToIndex function
* Add support for separate attestation storage repo
* Move mapping file types and parsing to config package
* Change signature of Verify to take image/platform
* Separate Attestation Resolvers to their own files (registry, layout and referrers)
* Add support configuring referrers resolution style in mapping.yaml
* Add registry test
* Make TL logging/verification optional
* Return errors from go-lang fns
* Update pkg/policy/rego.go
Co-authored-by: Jonny Stoten <jonny@jonnystoten.com>
* Update pkg/attestation/sign.go
Co-authored-by: Joel Kamp <joel.kamp@docker.com>
* Move public key marshelling until later
* Simplify logSignature and pass down opts
---------
Co-authored-by: Jonny Stoten <jonny@jonnystoten.com>
Co-authored-by: Joel Kamp <joel.kamp@docker.com>
* Start of richer results from verification
* Pull out VSA code from signing
* Expose attestation signing fns
* Add VSA test
* Notes for policy result
* Require separate policy for VSA creation
* Load test signing key from tests
* Return rich object from policy
* Add result object schema and fix tests
* Ensure example test runs
* Remove data.yaml files from mock policies
* Don't run example - TUF policy isn't compatible
* Add attestation to manifests for all subjects
* Ensure adding attestation doesn't touch statements
* Don't export sign function
* Remove attestations from VerificationResult
* Change bool to Outcome enum in result
* Use outputLayout directly
* Make clearer that Outcome strings are for VSA
* Return multiple SLSA levels from policy
* Fix unmarshalling of policy-id (#39)
* Rename function
* Rename policy.VerificationResult -> policy.Result
* Re-add test for canonical input
---------
Co-authored-by: James Carnegie <james.carnegie@docker.com>
Co-authored-by: James Carnegie <kipz@users.noreply.github.com>
