* Start of richer results from verification
* Pull out VSA code from signing
* Expose attestation signing fns
* Add VSA test
* Notes for policy result
* Require separate policy for VSA creation
* Load test signing key from tests
* Return rich object from policy
* Add result object schema and fix tests
* Ensure example test runs
* Remove data.yaml files from mock policies
* Don't run example - TUF policy isn't compatible
* Add attestation to manifests for all subjects
* Ensure adding attestation doesn't touch statements
* Don't export sign function
* Remove attestations from VerificationResult
* Change bool to Outcome enum in result
* Use outputLayout directly
* Make clearer that Outcome strings are for VSA
* Return multiple SLSA levels from policy
* Fix unmarshalling of policy-id (#39)
* Rename function
* Rename policy.VerificationResult -> policy.Result
* Re-add test for canonical input

---------

Co-authored-by: James Carnegie <james.carnegie@docker.com>
Co-authored-by: James Carnegie <kipz@users.noreply.github.com>
69 lines
1.9 KiB
Go
```go
package attest_test

import (
	"context"

	"github.com/docker/attest/pkg/attest"
	"github.com/docker/attest/pkg/mirror"
	"github.com/docker/attest/pkg/oci"
	"github.com/docker/attest/pkg/signerverifier"
	v1 "github.com/google/go-containerregistry/pkg/v1"
	"github.com/google/go-containerregistry/pkg/v1/empty"
	"github.com/google/go-containerregistry/pkg/v1/mutate"
)

func ExampleSign_remote() {
	// configure signerverifier
	// local signer (unsafe for production)
	signer, err := signerverifier.GenKeyPair()
	if err != nil {
		panic(err)
	}
	// example using AWS KMS signer
	// aws_arn := "arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012"
	// aws_region := "us-west-2"
	// signer, err := signerverifier.GetAWSSigner(cmd.Context(), aws_arn, aws_region)

	// configure signing options
	opts := &attest.SigningOptions{
		Replace: true, // replace unsigned intoto statements with signed intoto attestations, otherwise leave in place
	}

	// load image index with unsigned attestation-manifests
	ref := "docker/image-signer-verifier:latest"
	att, err := oci.AttestationIndexFromRemote(ref)
	if err != nil {
		panic(err)
	}
	// example for local image index
	// path := "/myimage"
	// att, err := oci.AttestationIndexFromLocal(path)

	// sign attestations
	signedImageIndex, err := attest.Sign(context.Background(), att.Index, signer, opts)
	if err != nil {
		panic(err)
	}

	// push image index with signed attestation-manifests
	err = mirror.PushToRegistry(signedImageIndex, ref)
	if err != nil {
		panic(err)
	}
	// output image index to filesystem (optional)
	path := "/myimage"
	idx := v1.ImageIndex(empty.Index)
	idx = mutate.AppendManifests(idx, mutate.IndexAddendum{
		Add: signedImageIndex,
		Descriptor: v1.Descriptor{
			Annotations: map[string]string{
				oci.OciReferenceTarget: att.Name,
			},
		},
	})
	err = mirror.SaveAsOCILayout(idx, path)
	if err != nil {
		panic(err)
	}
}
```
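Review bot: the commented-out AWS KMS alternative `// signer, err := signerverifier.GetAWSSigner(cmd.Context(), aws_arn, aws_region)` references `cmd`, which is not in scope anywhere in `ExampleSign_remote`, so anyone who uncomments it as written gets a compile error; it should use `context.Background()` like the `attest.Sign` call further down. Separately, the function carries no `// Output:` comment, so `go test` compiles it but never executes it; a one-line comment stating that this is deliberate would save the next reader from "fixing" it, since running it would push to `docker/image-signer-verifier:latest` and write to `/myimage`.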