* build: Generate test data for unsigned and no provenance image indexes
* feat: Add function to build index without SBOM or provenance for linux/amd64 platform
* feat: add build_image function to build image without SBOM or provenance for linux/amd64
* feat: Rename NO_SBOM_NO_PROVENANCE_INDEX_DIR to UNSIGNED_IMAGE_DIR
* feat: support images in details resolvers
This is to allow us to store new policy files in the production TUF repository
under a testing delegation, and for clients to opt-in to using this testing
delegation when retrieving policy from TUF.
If the prefix path is set, it is prepended to every target path on download
with path.Join. For example, if the prefix path is testing and we download
the target a/b, the TUF client with actually download testing/a/b.
Also get the latest testdata from tuf-dev.
`policy.Options` now contains the arguments to `tuf.Client`'s constructor rather than an actual Client. If these arguments are not provided, defaults pointing at Docker's TUF repo will be used. An actual TUF client can be passed in on the context (which is useful for testing). If this is not provided `attest.Verify` will create a TUF client using the options on `policy.Options`.
---------
Co-authored-by: Joel Kamp <joel.kamp@docker.com>
* Add rewrite support and fix existing tests
* Add unit tests for policy matching
* Compile regexes up front and store policies in map
* Add test for verify flow with mirror
* Rename ImageName -> ResolvedName
And only set it when necessary
* Rename Rewrite -> Replacement
but keep it as rewrite in the yaml
* Make TL logging/verification optional
* Return errors from go-lang fns
* Update pkg/policy/rego.go
Co-authored-by: Jonny Stoten <jonny@jonnystoten.com>
* Update pkg/attestation/sign.go
Co-authored-by: Joel Kamp <joel.kamp@docker.com>
* Move public key marshelling until later
* Simplify logSignature and pass down opts
---------
Co-authored-by: Jonny Stoten <jonny@jonnystoten.com>
Co-authored-by: Joel Kamp <joel.kamp@docker.com>
* Start of richer results from verification
* Pull out VSA code from signing
* Expose attestation signing fns
* Add VSA test
* Notes for policy result
* Require separate policy for VSA creation
* Load test signing key from tests
* Return rich object from policy
* Add result object schema and fix tests
* Ensure example test runs
* Remove data.yaml files from mock policies
* Don't run example - TUF policy isn't compatible
* Add attestation to manifests for all subjects
* Ensure adding attestation doesn't touch statements
* Don't export sign function
* Remove attestations from VerificationResult
* Change bool to Outcome enum in result
* Use outputLayout directly
* Make clearer that Outcome strings are for VSA
* Return multiple SLSA levels from policy
* Fix unmarshalling of policy-id (#39)
* Rename function
* Rename policy.VerificationResult -> policy.Result
* Re-add test for canonical input
---------
Co-authored-by: James Carnegie <james.carnegie@docker.com>
Co-authored-by: James Carnegie <kipz@users.noreply.github.com>
