package notation
import (
"context"
"crypto/x509"
"time"
"github.com/notaryproject/notation-go/crypto/timestamp"
"github.com/opencontainers/go-digest"
)
// MediaTypePayloadV1 is the supported content type for signature's payload.
// It identifies the JSON encoding of Payload (the bytes that actually get
// signed), as opposed to the envelope type carried in VerifyOptions.
const MediaTypePayloadV1 = "application/vnd.cncf.notary.payload.v1+json"
// SigningAgent is the unprotected header field used by signature.
// Because the header is unprotected it is not covered by the signature: a
// verifier must treat it as informational only and never base a trust
// decision on it. It is a mutable package-level variable so that embedding
// applications can override the advertised agent string.
var SigningAgent = "Notation/1.0.0"
// Descriptor describes the artifact that needs to be signed.
// The JSON tags define the on-wire form of the signed payload (see Payload),
// so field names, order and tags are part of the signature format and must
// not be changed casually.
type Descriptor struct {
	// The media type of the targeted content.
	MediaType string `json:"mediaType"`
	// The digest of the targeted content.
	// Compared verbatim by Equal; nothing in this file validates its syntax.
	Digest digest.Digest `json:"digest"`
	// Specifies the size in bytes of the blob.
	Size int64 `json:"size"`
	// Contains optional user defined attributes.
	// Ignored by Equal: annotations are free-form metadata and do not
	// identify the content.
	Annotations map[string]string `json:"annotations,omitempty"`
}
// Equal reports whether d and t refer to the same content: the media type,
// digest and size must all match. Annotations are deliberately left out of
// the comparison, since they are user-defined metadata that does not change
// the referenced blob.
//
// The digest is compared directly with ==, so no normalization or syntax
// validation happens here; two digests of the same content under different
// algorithms are therefore not considered equal.
func (d Descriptor) Equal(t Descriptor) bool {
	switch {
	case d.MediaType != t.MediaType:
		return false
	case d.Digest != t.Digest:
		return false
	case d.Size != t.Size:
		return false
	default:
		return true
	}
}
// Payload describes the content that gets signed.
// Its JSON encoding (MediaTypePayloadV1) is the signed message; only the
// target artifact descriptor is bound by the signature.
type Payload struct {
	TargetArtifact Descriptor `json:"targetArtifact"`
}
// SignOptions contains parameters for Signer.Sign.
type SignOptions struct {
	// Expiry identifies the expiration time of the resulted signature.
	// NOTE(review): whether the zero time means "no expiry" is decided by the
	// Signer implementation, not here — confirm against the signer in use.
	Expiry time.Time
	// TSA is the TimeStamp Authority to timestamp the resulted signature if present.
	// When nil, no timestamp is requested and the signature carries no trusted
	// time reference beyond the signing host's own clock.
	TSA timestamp.Timestamper
	// TSAVerifyOptions is the verify option to verify the fetched timestamp signature.
	// The `Intermediates` in the verify options will be ignored and reconstructed using
	// the certificates in the fetched timestamp signature.
	// An empty list of `KeyUsages` in the verify options implies ExtKeyUsageTimeStamping.
	//
	// Security note: since the intermediates come from the (untrusted) TSA
	// response, the chain is only as trustworthy as `Roots`. With crypto/x509 a
	// nil Roots pool falls back to the system root store, so set Roots
	// explicitly to the TSA trust anchors you actually intend to accept.
	TSAVerifyOptions x509.VerifyOptions
	// Sets or overrides the plugin configuration.
	// Passed through to the signing plugin; its keys and meaning are defined by
	// the plugin, not by this package.
	PluginConfig map[string]string
}
// Signer is a generic interface for signing an artifact.
// The interface allows signing with local or remote keys,
// and packing in various signature formats.
type Signer interface {
	// Sign signs the artifact described by its descriptor,
	// and returns the signature.
	// The returned bytes are the complete signature envelope; the envelope
	// format is chosen by the implementation. ctx carries cancellation for
	// remote key and TSA round trips.
	Sign(ctx context.Context, desc Descriptor, opts SignOptions) ([]byte, error)
}
// VerifyOptions contains parameters for Verifier.Verify.
type VerifyOptions struct {
	// SignatureMediaType is the envelope type of the signature.
	// Currently both `application/jose+json` and `application/cose` are supported.
	// The caller supplies this from a trusted source (e.g. the registry
	// descriptor of the signature blob); Validate does not check it.
	SignatureMediaType string
}
// Validate does basic validation on VerifyOptions.
//
// It currently performs no checks and always returns nil: in particular
// SignatureMediaType is not compared against the supported envelope types,
// so an empty or unsupported value is only detected, if at all, by the
// Verifier. NOTE(review): callers must not rely on Validate to reject bad
// options until a real check is added here.
func (opts VerifyOptions) Validate() error {
	return nil
}
// Verifier is a generic interface for verifying an artifact.
type Verifier interface {
	// Verify verifies the signature and returns the verified descriptor and
	// metadata of the signed artifact.
	// The returned Descriptor is what the signature attests to, not
	// necessarily the artifact the caller holds: callers must still compare
	// it (e.g. with Descriptor.Equal) against the descriptor of the artifact
	// they intend to trust. On a non-nil error the Descriptor is meaningless.
	Verify(ctx context.Context, signature []byte, opts VerifyOptions) (Descriptor, error)
}
// Service combines the signing and verification services.
// Any type that implements both Signer and Verifier satisfies Service;
// it adds no methods of its own.
type Service interface {
	Signer
	Verifier
}