Documentation
Overview
Package packspec defines the canonical types for evidence pack manifests.
This package contains only type definitions with zero external dependencies, making it safe to import from both the full pack/ library and the lightweight componentsdk/ package without pulling in Sigstore or other heavy dependencies.
Type Hierarchy
Manifest
├── Sources []Source
├── Artifacts []Artifact
└── Provenance
    └── SourcePacks []SourcePack
        └── EmbeddedAttestations []EmbeddedAttestation
Usage
The pack/ package re-exports these types for backwards compatibility:
    import "github.com/locktivity/epack/pack"

    var m pack.Manifest // works as before
The componentsdk/ package also uses these types:
    import "github.com/locktivity/epack/componentsdk"

    // p is a componentsdk pack value; how it is obtained is not shown here.
    m := p.Manifest() // returns *packspec.Manifest
Validation
This package contains only type definitions, not validation logic. Use pack.ParseManifest() for parsing and validating manifest JSON. The validation logic requires internal packages and stays in pack/.
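Added example (not code from packspec or pack/; pack.ParseManifest() remains the authoritative parser and validator): a stand-alone Go program showing the structural pre-checks a receiver can make from the packspec constants alone before handing any bundle to a Sigstore verifier. The types are local mirrors of the packspec types, trimmed to the fields the check reads, so the example compiles without the module. Treating pack_digest as required because it has no omitempty tag, the provenance type value, and the manifest contents are assumptions and constructed sample data; nothing here verifies signatures or signer identity.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// Constants as declared in packspec.
const (
	SpecVersion             = "1.0"
	SigstoreBundleMediaType = "application/vnd.dev.sigstore.bundle.v0.3+json"
)

// Local mirrors of the packspec types, trimmed to the fields this check reads
// (unknown JSON fields are ignored); real code imports
// github.com/locktivity/epack/packspec instead.
type EmbeddedAttestation struct {
	MediaType            string          `json:"mediaType"`
	VerificationMaterial json.RawMessage `json:"verificationMaterial"`
	DSSEEnvelope         json.RawMessage `json:"dsseEnvelope"`
}

type SourcePack struct {
	Stream               string                `json:"stream"`
	PackDigest           string                `json:"pack_digest"`
	Artifacts            json.Number           `json:"artifacts"`
	EmbeddedAttestations []EmbeddedAttestation `json:"embedded_attestations,omitempty"`
}

type Provenance struct {
	Type        string       `json:"type"`
	SourcePacks []SourcePack `json:"source_packs,omitempty"`
}

type Manifest struct {
	SpecVersion string      `json:"spec_version"`
	Stream      string      `json:"stream"`
	GeneratedAt string      `json:"generated_at"`
	PackDigest  string      `json:"pack_digest"`
	Provenance  *Provenance `json:"provenance,omitempty"`
}

// presentJSON is false for a raw field that was omitted or given as JSON null.
func presentJSON(raw json.RawMessage) bool {
	t := bytes.TrimSpace(raw)
	return len(t) > 0 && !bytes.Equal(t, []byte("null"))
}

// PrecheckManifest decodes manifest JSON and applies the checks a receiver can
// make from the packspec constants alone: a spec version it understands, a pack
// digest, and the Section 3.7 shape of every embedded attestation (required
// media type, verificationMaterial and dsseEnvelope both present).
// It verifies neither signatures nor signer identity.
func PrecheckManifest(raw []byte) (*Manifest, error) {
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("manifest: decode: %w", err)
	}
	if m.SpecVersion != SpecVersion {
		return nil, fmt.Errorf("manifest: unsupported spec_version %q (want %q)", m.SpecVersion, SpecVersion)
	}
	if m.PackDigest == "" { // assumption: no omitempty in packspec means required
		return nil, errors.New("manifest: missing pack_digest")
	}
	if m.Provenance == nil {
		return &m, nil // not a merged pack: no embedded attestations to check
	}
	for i, sp := range m.Provenance.SourcePacks {
		if sp.PackDigest == "" {
			return nil, fmt.Errorf("source_packs[%d]: missing pack_digest", i)
		}
		for j, ea := range sp.EmbeddedAttestations {
			if ea.MediaType != SigstoreBundleMediaType {
				return nil, fmt.Errorf("source_packs[%d].embedded_attestations[%d]: mediaType %q, want %q",
					i, j, ea.MediaType, SigstoreBundleMediaType)
			}
			if !presentJSON(ea.VerificationMaterial) || !presentJSON(ea.DSSEEnvelope) {
				return nil, fmt.Errorf("source_packs[%d].embedded_attestations[%d]: bundle needs verificationMaterial and dsseEnvelope", i, j)
			}
		}
	}
	return &m, nil
}

// constructedManifest is hand-written sample data for this example; the
// provenance type and the bundle contents are placeholders, not real material.
var constructedManifest = []byte(`{
  "spec_version": "1.0",
  "stream": "ci-evidence",
  "generated_at": "2024-01-01T00:00:00Z",
  "pack_digest": "sha256:aaaa",
  "sources": [{"name": "collector-a", "version": "0.1.0", "artifacts": ["a.json"]}],
  "artifacts": [{"type": "report", "path": "a.json", "digest": "sha256:bbbb"}],
  "provenance": {"type": "merge", "source_packs": [{
    "stream": "ci-evidence", "pack_digest": "sha256:cccc", "artifacts": 1,
    "embedded_attestations": [{
      "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
      "verificationMaterial": {"certificate": {"rawBytes": "placeholder"}},
      "dsseEnvelope": {"payloadType": "application/vnd.in-toto+json", "payload": "e30=", "signatures": []}
    }]
  }]}
}`)
```

PrecheckManifest(constructedManifest) returns the decoded manifest; the same bytes with the bundle media type downgraded, verificationMaterial set to null, or an older spec_version are rejected before any cryptographic work is done.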
Index
Constants
    const (
        // SpecVersion is the evidence pack manifest spec version.
        SpecVersion = "1.0"

        // DSSEPayloadType is the DSSE payload type for in-toto statements.
        DSSEPayloadType = "application/vnd.in-toto+json"

        // SigstoreBundleMediaType is the required media type for embedded attestations.
        SigstoreBundleMediaType = "application/vnd.dev.sigstore.bundle.v0.3+json"
    )
Variables
This section is empty.
Functions
This section is empty.
Types
type Artifact
type Artifact struct {
Type string `json:"type"`
Path string `json:"path,omitempty"`
Digest string `json:"digest,omitempty"`
Size *json.Number `json:"size,omitempty"`
ContentType string `json:"content_type,omitempty"`
DisplayName string `json:"display_name,omitempty"`
Description string `json:"description,omitempty"`
CollectedAt string `json:"collected_at,omitempty"`
Schema string `json:"schema,omitempty"`
Controls []string `json:"controls,omitempty"`
}
Artifact represents an artifact in the manifest.
type EmbeddedAttestation
type EmbeddedAttestation struct {
MediaType string `json:"mediaType"`
VerificationMaterial json.RawMessage `json:"verificationMaterial"`
DSSEEnvelope json.RawMessage `json:"dsseEnvelope"`
}
EmbeddedAttestation is a complete Sigstore bundle from a source pack. Per spec Section 3.7, this must contain mediaType, verificationMaterial, and dsseEnvelope.
func (*EmbeddedAttestation) Copy
func (ea *EmbeddedAttestation) Copy() EmbeddedAttestation
Copy returns a deep copy of the embedded attestation.
type Manifest
type Manifest struct {
SpecVersion string `json:"spec_version"`
Stream string `json:"stream"`
GeneratedAt string `json:"generated_at"`
PackDigest string `json:"pack_digest"`
Sources []Source `json:"sources"`
Artifacts []Artifact `json:"artifacts"`
Provenance *Provenance `json:"provenance,omitempty"`
}
Manifest represents the structure of the manifest.json file in an evidence pack.
type Provenance
type Provenance struct {
Type string `json:"type"`
MergedAt string `json:"merged_at,omitempty"`
MergedBy string `json:"merged_by,omitempty"`
SourcePacks []SourcePack `json:"source_packs,omitempty"`
}
Provenance describes the origin and attestation chain for merged packs.
func (*Provenance) Copy
func (p *Provenance) Copy() Provenance
Copy returns a deep copy of the provenance.
type Source
type Source struct {
Name string `json:"name"`
Version string `json:"version"`
Artifacts []string `json:"artifacts,omitempty"`
}
Source represents a source collector that contributed artifacts.
type SourcePack
type SourcePack struct {
Stream string `json:"stream"`
PackDigest string `json:"pack_digest"`
Artifacts json.Number `json:"artifacts"`
EmbeddedAttestations []EmbeddedAttestation `json:"embedded_attestations,omitempty"`
}
SourcePack represents a source pack in merged provenance.
Embedded attestations carry complete Sigstore bundles. Receivers must verify them against their own identity constraints using VerifyEmbeddedAttestations(): the merge operation checks that each bundle's signature is cryptographically valid, but not who signed it, because the merge operator is untrusted from the receiver's perspective and the set of acceptable signer identities is a receiver-specific policy. A bundle that passed merge-time checks can therefore still have been signed by an identity the receiver does not trust.
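As an added example (not the project's VerifyEmbeddedAttestations(), whose signature verification is not reproduced here), the content check a receiver can pair with signature and identity verification: decode the DSSE envelope of an embedded attestation, confirm its payloadType is DSSEPayloadType, and confirm that the in-toto statement inside names the source pack's pack_digest as a subject, so a validly signed statement about some other pack is rejected. The EmbeddedAttestation type is mirrored locally; that pack_digest has the form "<alg>:<hex>" and that the statement's subject is the source pack are assumptions, and the attestation built below is constructed placeholder data with a dummy signature.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// DSSEPayloadType as declared in packspec.
const DSSEPayloadType = "application/vnd.in-toto+json"

// EmbeddedAttestation mirrors the packspec type so the example stands alone.
type EmbeddedAttestation struct {
	MediaType            string          `json:"mediaType"`
	VerificationMaterial json.RawMessage `json:"verificationMaterial"`
	DSSEEnvelope         json.RawMessage `json:"dsseEnvelope"`
}

// dsseEnvelope is the part of a DSSE envelope this check reads; field names
// follow the DSSE JSON encoding used in Sigstore bundles (payload and sig are
// standard base64).
type dsseEnvelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"`
	Signatures  []struct {
		KeyID string `json:"keyid"`
		Sig   string `json:"sig"`
	} `json:"signatures"`
}

// statement is the subset of an in-toto Statement this check reads.
type statement struct {
	Type    string `json:"_type"`
	Subject []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
}

// CheckAttestationSubject decodes the DSSE envelope of an embedded attestation
// and confirms that the in-toto statement inside it names the source pack: some
// subject must carry packDigest, given as "<alg>:<hex>" (assumption about the
// pack_digest form). It is a content check only: the envelope signature and the
// signer's identity must still be verified with a Sigstore bundle verifier under
// the receiver's own identity policy. A valid signature over a statement about
// some other pack is exactly what this check exists to reject.
func CheckAttestationSubject(ea EmbeddedAttestation, packDigest string) error {
	var env dsseEnvelope
	if err := json.Unmarshal(ea.DSSEEnvelope, &env); err != nil {
		return fmt.Errorf("dsseEnvelope: %w", err)
	}
	if env.PayloadType != DSSEPayloadType {
		return fmt.Errorf("dsseEnvelope: payloadType %q, want %q", env.PayloadType, DSSEPayloadType)
	}
	if len(env.Signatures) == 0 {
		return errors.New("dsseEnvelope: no signatures")
	}
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return fmt.Errorf("dsseEnvelope: payload is not base64: %w", err)
	}
	var st statement
	if err := json.Unmarshal(body, &st); err != nil {
		return fmt.Errorf("statement: %w", err)
	}
	alg, hexDigest, ok := strings.Cut(packDigest, ":")
	if !ok || hexDigest == "" {
		return fmt.Errorf("pack_digest %q is not of the form <alg>:<hex>", packDigest)
	}
	for _, s := range st.Subject {
		if s.Digest[alg] == hexDigest { // nil or missing entry yields "" and never matches
			return nil
		}
	}
	return fmt.Errorf("statement: no subject carries %s digest %s", alg, hexDigest)
}

// constructedAttestation builds a placeholder bundle whose statement names the
// given subject digest. The signature and verification material are dummies
// that would fail any real verifier; only the content check runs here.
func constructedAttestation(subjectHex string) EmbeddedAttestation {
	stmt := map[string]any{
		"_type":         "https://in-toto.io/Statement/v1",
		"subject":       []map[string]any{{"name": "pack.tar", "digest": map[string]string{"sha256": subjectHex}}},
		"predicateType": "https://example.invalid/evidence-pack", // placeholder predicate type
		"predicate":     map[string]any{},
	}
	stmtJSON, _ := json.Marshal(stmt)
	env := map[string]any{
		"payloadType": DSSEPayloadType,
		"payload":     base64.StdEncoding.EncodeToString(stmtJSON),
		"signatures":  []map[string]string{{"keyid": "", "sig": base64.StdEncoding.EncodeToString([]byte("dummy"))}},
	}
	envJSON, _ := json.Marshal(env)
	return EmbeddedAttestation{
		MediaType:            "application/vnd.dev.sigstore.bundle.v0.3+json",
		VerificationMaterial: json.RawMessage(`{"certificate":{"rawBytes":"placeholder"}}`),
		DSSEEnvelope:         envJSON,
	}
}

func main() {
	ea := constructedAttestation("cccc")
	fmt.Println("matching pack:", CheckAttestationSubject(ea, "sha256:cccc"))
	fmt.Println("other pack:   ", CheckAttestationSubject(ea, "sha256:dddd"))
}
```

Run this check per source pack, after the bundle verifier has accepted the signature and the receiver's identity policy has accepted the signer; it closes the remaining gap where a trusted signer's attestation for a different pack is replayed into this one.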
func (*SourcePack) Copy
func (sp *SourcePack) Copy() SourcePack
Copy returns a deep copy of the source pack.
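The Copy methods on EmbeddedAttestation, Provenance and SourcePack exist because json.RawMessage and the nested slices are reference-like: assigning a struct copies only the slice headers, so a later in-place edit of one value silently changes the other (a merge step patching a working copy of a bundle would alter the original it still intends to verify or re-emit). Added example, not packspec's own implementation, with the types mirrored locally: a deep copy for EmbeddedAttestation and SourcePack (Provenance.Copy follows the same pattern over SourcePacks), plus a check that the aliasing is gone.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Mirrors of the packspec types (the real ones are in
// github.com/locktivity/epack/packspec), with an added Copy implementation
// that meets the documented deep-copy contract.
type EmbeddedAttestation struct {
	MediaType            string          `json:"mediaType"`
	VerificationMaterial json.RawMessage `json:"verificationMaterial"`
	DSSEEnvelope         json.RawMessage `json:"dsseEnvelope"`
}

type SourcePack struct {
	Stream               string                `json:"stream"`
	PackDigest           string                `json:"pack_digest"`
	Artifacts            json.Number           `json:"artifacts"`
	EmbeddedAttestations []EmbeddedAttestation `json:"embedded_attestations,omitempty"`
}

// cloneRaw copies the bytes of a json.RawMessage into a fresh backing array.
// Plain assignment copies only the slice header, so the two values would share
// the same bytes. nil stays nil so omitempty behaviour is unchanged.
func cloneRaw(r json.RawMessage) json.RawMessage {
	if r == nil {
		return nil
	}
	out := make(json.RawMessage, len(r))
	copy(out, r)
	return out
}

// Copy returns a deep copy of the embedded attestation.
func (ea *EmbeddedAttestation) Copy() EmbeddedAttestation {
	return EmbeddedAttestation{
		MediaType:            ea.MediaType,
		VerificationMaterial: cloneRaw(ea.VerificationMaterial),
		DSSEEnvelope:         cloneRaw(ea.DSSEEnvelope),
	}
}

// Copy returns a deep copy of the source pack: a fresh slice and a deep copy of
// each element (copying the slice alone would still share the byte arrays).
func (sp *SourcePack) Copy() SourcePack {
	out := *sp // strings are immutable; the slice header still needs replacing
	if sp.EmbeddedAttestations != nil {
		out.EmbeddedAttestations = make([]EmbeddedAttestation, len(sp.EmbeddedAttestations))
		for i := range sp.EmbeddedAttestations {
			out.EmbeddedAttestations[i] = sp.EmbeddedAttestations[i].Copy()
		}
	}
	return out
}

// Aliased reports whether two attestations share the backing array of their
// DSSE envelope, i.e. whether a write through one is visible through the other.
func Aliased(a, b EmbeddedAttestation) bool {
	if len(a.DSSEEnvelope) == 0 || len(b.DSSEEnvelope) == 0 {
		return false
	}
	return &a.DSSEEnvelope[0] == &b.DSSEEnvelope[0]
}

// ShallowVsDeep takes a shallow copy and a deep copy of one attestation, then
// overwrites a byte of the original's envelope in place, and reports whether
// each copy changed along with it.
func ShallowVsDeep() (shallowChanged, deepChanged bool) {
	orig := EmbeddedAttestation{ // constructed placeholder, not a real bundle
		MediaType:            "application/vnd.dev.sigstore.bundle.v0.3+json",
		VerificationMaterial: json.RawMessage(`{"certificate":{"rawBytes":"placeholder"}}`),
		DSSEEnvelope:         json.RawMessage(`{"payloadType":"application/vnd.in-toto+json","payload":"e30=","signatures":[]}`),
	}
	shallow := orig            // copies the slice headers only
	deep := orig.Copy()        // duplicates the bytes
	orig.DSSEEnvelope[2] = 'X' // "payloadType" becomes "XayloadType" wherever the bytes are shared
	shallowChanged = string(shallow.DSSEEnvelope) == string(orig.DSSEEnvelope)
	deepChanged = string(deep.DSSEEnvelope) == string(orig.DSSEEnvelope)
	return shallowChanged, deepChanged
}

func main() {
	s, d := ShallowVsDeep()
	fmt.Printf("shallow copy changed: %v, deep copy changed: %v\n", s, d) // true, false
}
```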