From d606b8040e8d4995cdede8463d8cf784cecf7ba8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?=
Date: Tue, 5 Jul 2022 16:43:05 +0200
Subject: [PATCH] feat: Add new supported `v2/verify` payloads

---
 .../02-signature-verifier-policies.md | 289 +++++++++++++++++-
 1 file changed, 285 insertions(+), 4 deletions(-)

diff --git a/docs/writing-policies/spec/host-capabilities/02-signature-verifier-policies.md b/docs/writing-policies/spec/host-capabilities/02-signature-verifier-policies.md
index f0e651bcdf..30f0a87557 100644
--- a/docs/writing-policies/spec/host-capabilities/02-signature-verifier-policies.md
+++ b/docs/writing-policies/spec/host-capabilities/02-signature-verifier-policies.md
@@ -79,7 +79,288 @@ UX, of course you can build on top of it or any of the other SDKs.
 In case you are implementing your own language SDK, these are the functions a policy that verifies signatures can use:
-| **waPC function name** | **Input payload** | **Output payload** |
-|------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|
-| `v1/verify` | {
// **mandatory**: image URI to verify
"image": string,
"pub_keys": [
// PEM-encoded public keys
string
],
// optional:
"annotations": [
// signature annotations
{
"key": string,
"value": string
},
]
}
| {
// true if image verified
"is_trusted": boolean,
// digest of verified image
"digest": string
}
|
-| `v1/verify` | {
// **mandatory**: image URI to verify
"image": string,
"keyless": [
// list of (issuer, subject) tuples
{
// OIDC issuer
"issuer": string,
// signature subject (mail, CI URL, ...)
"subject": string
}
],
// optional:
"annotations": [
// signature annotations
{
"key": string,
"value": string
},
]
}
| {
// true if image verified
"is_trusted": boolean,
// digest of verified image
"digest": string
}
| + + + + + + + + + + + + + + + + + + + + + + + + + +
WaPC function name Input payload Output payload
+ +`v2/verify` + + + +```json +{ + type: "SigstorePubKeyVerify", + + // **mandatory**: image URI to verify + "image": string, + "pub_keys": [ + // PEM-encoded public keys + string + ], + // optional: + "annotations": [ + // signature annotations + { + "key": string, + "value": string + }, + ] +} +``` + + + +```json +{ + // true if image verified + "is_trusted": boolean, + // digest of verified image + "digest": string +} +``` + +
+ +`v2/verify` + + + +```json +{ + type: "SigstoreKeylessVerify", + + // mandatory: image URI to verify + "image": string, + "keyless": [ + // list of (issuer, subject) tuples + { + // OIDC issuer + "issuer": string, + // signature subject (mail, CI URL, ...) + "subject": string + } + ], + // optional: + "annotations": [ + // signature annotations + { + "key": string, + "value": string + }, + ] +} +``` + + + +```json +{ + // true if image verified + "is_trusted": boolean, + // digest of verified image + "digest": string +} +``` + +
+ +`v2/verify` + + + +```json +{ + type: "SigstoreKeylessPrefixVerify", + + // mandatory: image URI to verify + "image": string, + "keyless_prefix": [ + // list of (issuer, url_prefix) tuples + { + // OIDC issuer + "issuer": string, + // URL Prefix of subject (CI URL, ...) + "url_prefix": string + } + ], + // optional: + "annotations": [ + // signature annotations + { + "key": string, + "value": string + }, + ] +} +``` + + + +```json +{ + // true if image verified + "is_trusted": boolean, + // digest of verified image + "digest": string +} +``` + +
+ +`v2/verify` + + + +```json +{ + type: "SigstoreGithubActionsVerify", + + // mandatory: image URI to verify + "image": string, + // GitHub owner + "owner": string, + // optional: + // GitHub repository + "repo": string + "annotations": [ + // signature annotations + { + "key": string, + "value": string + }, + ] +} +``` + + + +```json +{ + // true if image verified + "is_trusted": boolean, + // digest of verified image + "digest": string +} +``` + +
+ + +Marked for deprecation: + + + + + + + + + + + + + + + + +
WaPC function name Input payload Output payload
+ +`v1/verify` + + + +```json +{ + // **mandatory**: image URI to verify + "image": string, + "pub_keys": [ + // PEM-encoded public keys + string + ], + // optional: + "annotations": [ + // signature annotations + { + "key": string, + "value": string + }, + ] +} +``` + + + +```json +{ + // true if image verified + "is_trusted": boolean, + // digest of verified image + "digest": string +} +``` + +
+ +`v1/verify` + + + +```json +{ + // mandatory: image URI to verify + "image": string, + "keyless": [ + // list of (issuer, subject) tuples + { + // OIDC issuer + "issuer": string, + // signature subject (mail, CI URL, ...) + "subject": string + } + ], + // optional: + "annotations": [ + // signature annotations + { + "key": string, + "value": string + }, + ] +} +``` + + + +```json +{ + // true if image verified + "is_trusted": boolean, + // digest of verified image + "digest": string +} +``` + +