-
Notifications
You must be signed in to change notification settings - Fork 544
/
signatures.go
71 lines (57 loc) · 2.22 KB
/
signatures.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package oci
import (
"crypto/x509"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/sigstore/cosign/v2/pkg/cosign/bundle"
)
// Signatures represents a set of signatures that are associated with a particular
// v1.Image.
type Signatures interface {
v1.Image // The low-level representation of the signatures
// Get retrieves the list of signatures stored.
Get() ([]Signature, error)
}
// Signature holds a single image signature.
type Signature interface {
v1.Layer
// Annotations returns the annotations associated with this layer.
Annotations() (map[string]string, error)
// Payload fetches the opaque data that is being signed.
// This will always return data when there is no error.
Payload() ([]byte, error)
// Signature fetches the raw signature
// of the payload. This will always return data when
// there is no error.
Signature() ([]byte, error)
// Base64Signature fetches the base64 encoded signature
// of the payload. This will always return data when
// there is no error.
Base64Signature() (string, error)
// Cert fetches the optional public key from the key pair that
// was used to sign the payload.
Cert() (*x509.Certificate, error)
// Chain fetches the optional "full certificate chain" rooted
// at a Fulcio CA, the leaf of which was used to sign the
// payload.
Chain() ([]*x509.Certificate, error)
// Bundle fetches the optional metadata that records the ephemeral
// Fulcio key in the transparency log.
Bundle() (*bundle.RekorBundle, error)
// RFC3161Timestamp() fetches the optional metadata that records a
// RFC3161 signed timestamp.
RFC3161Timestamp() (*bundle.RFC3161Timestamp, error)
}