2.1 KiB
2.1 KiB
attest
Library to create, verify, and evaluate policy for attestations on container images
usage
signing attestations
verifying attestations
-
Create a TUF client
- using OCI registry for TUF
tufClient, err := tuf.NewTufClient(embed.DefaultRoot, "/.docker/tuf", "docker/tuf-metadata:latest", "docker/tuf-targets") - using HTTPS for TUF
tufClient, err := tuf.NewTufClient(embed.DefaultRoot, "/.docker/tuf", "https://docker.github.io/tuf/metadata", "https://docker.github.io/tuf/targets")
- using OCI registry for TUF
-
Configure an attestation resolver
- using OCI registry
var resolver oci.AttestationResolver resolver = &oci.RegistryResolver{ Image: image, // path to image index in OCI registry containing image attestations (e.g. docker/nginx:latest) Platform: platform, // platform of subject image (image that attestations are being verified against) } - using local OCI layout
var resolver oci.AttestationResolver resolver = &oci.OCILayoutResolver{ Path: path, // file path to OCI layout containing image attestations (e.g. /myimage) Platform: platform, // platform of subject image (image that attestations are being verified against) }
- using OCI registry
-
Configure policy options
opts := &policy.PolicyOptions{ TufClient: tufClient, LocalTargetsDir: "/.docker/policy", // location to store policy files downloaded from TUF LocalPolicyDir: "", // overrides TUF policy for local policy files } -
Verify attestations
policy, err := attest.Verify(ctx, opts, resolver) if err != nil { return false // failed policy or attestation signature verification } if policy { return true // passed policy } return true // no policy for image
mirroring TUF repositories
TODO: write content for this outline