dZddlmZddlmZddlmZddlmZddlmZejejjejjejjGddejZy ) z5The base surface for Binary Authorization signatures.)absolute_import)division)unicode_literals)base) propertiesc.eZdZdZej ZdZy)Binauthza^ Manage attestations for Binary Authorization on Google Cloud Platform. Binary Authorization is a feature which allows binaries to run on Google Cloud Platform only if they are appropriately attested. Binary Authorization is configured by creating a policy. ## EXAMPLES This example assumes that you have created a keypair using gpg, usually by running `gpg --gen-key ...`, with `Name-Email` set to `attesting_user@example.com` for your attestor. First, some convenience variables for brevity: ```sh ATTESTING_USER="attesting_user@example.com" DIGEST="000000000000000000000000000000000000000000000000000000000000abcd" ARTIFACT_URL="gcr.io/example-project/example-image@sha256:${DIGEST}" ATTESTOR_NAME="projects/example-project/attestors/canary" ``` Export your key's fingerprint (note this may differ based on version and implementations of gpg): ```sh gpg \ --with-colons \ --with-fingerprint \ --force-v4-certs \ --list-keys \ "${ATTESTING_USER}" | grep fpr | cut --delimiter=':' --fields 10 ``` This should produce a 40 character, hexidecimal encoded string. See https://tools.ietf.org/html/rfc4880#section-12.2 for more information on key fingerprints. Create your attestation payload: ```sh {command} create-signature-payload \ --artifact-url="${ARTIFACT_URL}" \ > example_payload.txt ``` Create a signature from your attestation payload: ```sh gpg \ --local-user "${ATTESTING_USER}" \ --armor \ --clearsign \ --output example_signature.pgp \ example_payload.txt ``` Upload the attestation: ```sh {command} attestations create \ --public-key-id=${KEY_FINGERPRINT} \ --signature-file=example_signature.pgp \ --artifact-url="${ARTIFACT_URL}" \ --attestor=${ATTESTOR_NAME} ``` List the attestation by artifact URL. `--format` can be passed to output the attestations as json or another supported format: ```sh {command} attestations list \ --artifact-url="${ARTIFACT_URL}" \ --format=yaml --- - | -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1 ... SNIP ... -----END PGP PUBLIC KEY BLOCK----- - | -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ... SNIP ... -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 ... SNIP ... -----END PGP SIGNATURE----- ``` List all artifact URLs on the project for which Container Analysis Occurrences exist. This list includes the list of all URLs with BinAuthz attestations: ```sh {command} attestations list --- https://gcr.io/example-project/example-image@sha256:000000000000000000000000000000000000000000000000000000000000abcd ... ``` Listing also works for kind=ATTESTATION_AUTHORITY attestations, just pass the attestor: ```sh {command} attestations list \ --artifact-url="${ARTIFACT_URL}" \ --attestor=${ATTESTOR_NAME} \ --format=yaml ... ``` ctj|tjjj j tjjj|S)zSee base class.)rRequireProjectIDrVALUESbilling quota_projectSetCURRENT_PROJECT)selfcontextargss *lib/surface/container/binauthz/__init__.pyFilterzBinauthz.FiltersJ$++//!!113 NN)__name__ __module__ __qualname____doc__rCOMPUTE_CATEGORYcategoryrrrr r sqf " "(rr N)r __future__rrrgooglecloudsdk.calliopergooglecloudsdk.corer ReleaseTracks ReleaseTrackALPHABETAGAGroupr rrrr'su<&'(*T..33T5F5F5I5IK|tzz|K|r