Package example

import "github.com/oracle/oci-go-sdk/example/container_image_signing"

func GetAndVerifyImageSignatureMetadata

func GetAndVerifyImageSignatureMetadata(ctx context.Context, artifactClient artifacts.ArtifactsClient, configProvider common.ConfigurationProvider, compartmentId string, compartmentIdInSubtree bool, repositoryName string, imageDigest string, trustedKeys []string) (bool, error)

GetAndVerifyImageSignatureMetadata calls OCIR to list all the signatures matching the user-provided criteria, then calls KMS to verify each returned signature

Description: Fetch the signature metadata of a container image and verify the signatures
Response: Boolean indicating whether any of the container image's signatures verified
Parameters:
 - compartmentId:
     description: The OCID of the compartment in which the container repository exists. eg) ocid1.compartment.oc1..exampleuniqueID
     maxLength: 100
     minLength: 1
 - compartmentIdInSubtree:
     description: When set to true, the hierarchy of compartments below compartmentId is traversed
 - repositoryName:
     description: The name of the repository in which the container image exists. eg) busybox
 - imageDigest:
     description: The sha256 digest of the docker image. eg) sha256:12345
 - trustedKeys:
     description: List of OCIDs of the KMS keys (kmsKeyId) trusted to have signed the container image.

func SignAndUploadContainerImageSignatureMetadata

func SignAndUploadContainerImageSignatureMetadata(ctx context.Context, artifactClient artifacts.ArtifactsClient, configProvider common.ConfigurationProvider, kmsKeyId string, kmsKeyVersionId string, signingAlgorithm string, compartmentId string, imageId string, description string, metadata string) (*artifacts.ContainerImageSignature, error)

SignAndUploadContainerImageSignatureMetadata calls KMS to sign the message, then calls OCIR to upload the returned signature as the image's signature metadata

Description: Sign a container image and upload the signature to the image
Response: The signed container image signature metadata.
Parameters:
 - kmsKeyId:
     description: The OCID of the KMS key (kmsKeyId) used to sign the container image. eg) ocid1.key.oc1..exampleuniqueID
     maxLength: 255
     minLength: 1
 - kmsKeyVersionId:
     description: The OCID of the KMS key version (kmsKeyVersionId) used to sign the container image. eg) ocid1.keyversion.oc1..exampleuniqueID
     maxLength: 255
     minLength: 1
 - signingAlgorithm:
     description: The algorithm to be used for signing. Only the following signing algorithms are supported for container images:
       - SHA_224_RSA_PKCS_PSS
       - SHA_256_RSA_PKCS_PSS
       - SHA_384_RSA_PKCS_PSS
       - SHA_512_RSA_PKCS_PSS
 - compartmentId:
     description: The OCID of the compartment in which the container repository exists. eg) ocid1.compartment.oc1..exampleuniqueID
     maxLength: 100
     minLength: 1
 - imageId:
     description: The OCID of the container image. eg) ocid1.containerimage.oc1..exampleuniqueID
     maxLength: 255
     minLength: 1
 - repoPath:
     description: The docker repository path. eg) odx-registry/busybox
 - imageDigest:
     description: The sha256 digest of the docker image. eg) sha256:12345
 - description:
     description: A user-supplied message.
 - metadata:
     description: User-defined information about the container image, in JSON format. eg) {"buildNumber":"123"}
     restrictions:
       - should contain only alphanumeric key strings.
       - keys should be alphabetically sorted.
       - should not contain whitespace or escape characters.

type Message

Message defines the struct of container image signature payload

type Message struct {
    Description      string `mandatory:"true" json:"description"`
    ImageDigest      string `mandatory:"true" json:"imageDigest"`
    KmsKeyId         string `mandatory:"true" json:"kmsKeyId"`
    KmsKeyVersionId  string `mandatory:"true" json:"kmsKeyVersionId"`
    Metadata         string `mandatory:"true" json:"metadata"`
    Region           string `mandatory:"true" json:"region"`
    RepositoryName   string `mandatory:"true" json:"repositoryName"`
    SigningAlgorithm string `mandatory:"true" json:"signingAlgorithm"`
}
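The following is an added, self-contained illustration of the sign-then-verify flow the two functions above describe; it is not code from the oci-go-sdk example package. It keeps the documented Message struct and the metadata restrictions, but replaces the KMS and OCIR calls with a local RSA-PSS key from crypto/rsa so it runs offline. Assumptions: the signed bytes are the base64 encoding of the JSON-marshalled Message (hashed with SHA-256 and signed with RSA-PSS, i.e. SHA_256_RSA_PKCS_PSS), the OCIDs and digest are placeholder values, and ValidateMetadata, SignPayload and VerifyPayload are names chosen here, not SDK APIs. VerifyPayload mirrors the trustedKeys parameter: the payload names the key that signed it, but that key is only consulted if the caller already trusts its OCID.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type Message struct { // mirrors the payload struct documented above; json.Marshal keeps struct order
	Description      string `mandatory:"true" json:"description"`
	ImageDigest      string `mandatory:"true" json:"imageDigest"`
	KmsKeyId         string `mandatory:"true" json:"kmsKeyId"`
	KmsKeyVersionId  string `mandatory:"true" json:"kmsKeyVersionId"`
	Metadata         string `mandatory:"true" json:"metadata"`
	Region           string `mandatory:"true" json:"region"`
	RepositoryName   string `mandatory:"true" json:"repositoryName"`
	SigningAlgorithm string `mandatory:"true" json:"signingAlgorithm"`
}

// ValidateMetadata enforces the documented metadata restrictions: a JSON object with alphanumeric,
// alphabetically sorted keys and no whitespace or escape characters anywhere in the text.
func ValidateMetadata(metadata string) error {
	if strings.ContainsAny(metadata, " \t\r\n\\") {
		return fmt.Errorf("metadata must not contain whitespace or escape characters")
	}
	dec := json.NewDecoder(strings.NewReader(metadata))
	if tok, err := dec.Token(); err != nil || tok != json.Delim('{') {
		return fmt.Errorf("metadata must be a JSON object")
	}
	prev, havePrev := "", false
	for dec.More() {
		tok, err := dec.Token()
		if err != nil {
			return err
		}
		key, _ := tok.(string) // object keys are always string tokens
		for _, r := range key {
			if !(r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9') {
				return fmt.Errorf("metadata key %q is not alphanumeric", key)
			}
		}
		if havePrev && key <= prev {
			return fmt.Errorf("metadata keys are not sorted: %q follows %q", key, prev)
		}
		prev, havePrev = key, true
		var value json.RawMessage // consume the value, whatever its shape
		if err := dec.Decode(&value); err != nil {
			return err
		}
	}
	return nil
}

// SignPayload stands in for the KMS Sign call (assumption: the signed bytes are the base64 of the
// JSON payload, hashed with SHA-256 and signed with RSA-PSS, i.e. SHA_256_RSA_PKCS_PSS).
func SignPayload(priv *rsa.PrivateKey, msg Message) (string, []byte, error) {
	if err := ValidateMetadata(msg.Metadata); err != nil {
		return "", nil, err // refuse to sign a payload that violates the documented restrictions
	}
	raw, err := json.Marshal(msg)
	if err != nil {
		return "", nil, err
	}
	payload := base64.StdEncoding.EncodeToString(raw)
	digest := sha256.Sum256([]byte(payload))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	return payload, sig, err
}

// VerifyPayload models the trustedKeys check: the payload names the key that produced it, and the
// signature counts as verified only if that key id is trusted and the RSA-PSS check passes under it.
func VerifyPayload(trusted map[string]*rsa.PublicKey, payload string, sig []byte) (Message, bool) {
	var msg Message
	raw, err := base64.StdEncoding.DecodeString(payload)
	if err != nil || json.Unmarshal(raw, &msg) != nil {
		return msg, false // malformed payload
	}
	pub, ok := trusted[msg.KmsKeyId]
	if !ok {
		return msg, false // signed by a key the verifier does not trust
	}
	digest := sha256.Sum256([]byte(payload))
	return msg, rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // local stand-in for the KMS key
	// Constructed placeholder values, not real OCIDs or digests.
	msg := Message{Description: "release build", ImageDigest: "sha256:12345", Region: "us-phoenix-1",
		KmsKeyId: "ocid1.key.oc1..exampleuniqueID", KmsKeyVersionId: "ocid1.keyversion.oc1..exampleuniqueID",
		Metadata: `{"buildNumber":"123","commit":"abc"}`, RepositoryName: "busybox", SigningAlgorithm: "SHA_256_RSA_PKCS_PSS"}
	payload, sig, _ := SignPayload(priv, msg)
	_, ok := VerifyPayload(map[string]*rsa.PublicKey{msg.KmsKeyId: &priv.PublicKey}, payload, sig)
	fmt.Println("verified with trusted key:", ok)
	_, ok = VerifyPayload(map[string]*rsa.PublicKey{}, payload, sig)
	fmt.Println("verified with empty trust set:", ok)
}
```

Selecting the verification key from the kmsKeyId inside the payload is safe only because the trusted set is consulted first: a payload that names an unknown key is rejected before any cryptography runs, and a payload that names a trusted key still has to carry a signature that verifies under that key. The metadata check runs on the signer side as well, so a build pipeline cannot accidentally produce signatures that OCIR would refuse for malformed metadata.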