SignPlugin signs a plugin using the SHA256 hash of the tarball data. This is used when packaging and signing a plugin from tarball data. It creates a signature that includes the tarball hash and plugin metadata, allowing verification of the original tarball later.
(tarballData []byte, filename string, signer *provenance.Signatory)
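// It creates a signature that includes the tarball hash and plugin metadata,
// allowing verification of the original tarball later.
//
// It returns an error when signer is nil, when plugin metadata cannot be
// extracted from tarballData, when that metadata cannot be marshaled to YAML,
// or when the signatory fails to produce the clear-signed output.
func SignPlugin(tarballData []byte, filename string, signer *provenance.Signatory) (string, error) {
	// Reject a missing signatory up front, before any tarball parsing, rather
	// than risking a nil-pointer panic inside ClearSign after the work is done.
	if signer == nil {
		return "", fmt.Errorf("failed to sign plugin %q: no signatory provided", filename)
	}

	// Extract plugin metadata from tarball data
	pluginMeta, err := ExtractTgzPluginMetadata(bytes.NewReader(tarballData))
	if err != nil {
		return "", fmt.Errorf("failed to extract plugin metadata: %w", err)
	}

	// Marshal plugin metadata to YAML bytes; this is the metadata the signature
	// carries next to the tarball hash, so verifiers see exactly what was signed.
	metadataBytes, err := yaml.Marshal(pluginMeta)
	if err != nil {
		return "", fmt.Errorf("failed to marshal plugin metadata: %w", err)
	}

	// Use the generic provenance signing function
	return signer.ClearSign(tarballData, filename, metadataBytes)
}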
| 54 | |
| 55 | // ExtractTgzPluginMetadata extracts plugin metadata from a gzipped tarball reader |
| 56 | func ExtractTgzPluginMetadata(r io.Reader) (*Metadata, error) { |