sigstore/sigstore-go

Go library for Sigstore signing and verification
A client library for Sigstore, written in Go.
Features:
- Signing and verification of Sigstore bundles compliant with the Sigstore Client Spec
- Verification of raw Sigstore signatures by creating bundles for them (see the conformance tests for an example)
- Signing and verifying with a Timestamp Authority (TSA)
- Signing and verifying (offline or online) with Rekor (Artifact Transparency Log)
- Structured verification results including certificate metadata
- TUF support
- Verification support for a custom trusted root
- Examples for signing and verifying artifacts
There is no built-in support for signing with a KMS or any other bring-your-own-key setup; however, you can add it by implementing your own version of the `pkg/sign/keys.go:Keypair` interface.
Sigstore already has a canonical Go client implementation, `cosign`, which was developed with a focus on container image signing/verification. It has a rich CLI and a long legacy of features and development. `sigstore-go` is a more minimal and friendly API for integrating Go code with Sigstore, with a focus on the newly specified data structures in sigstore/protobuf-specs. `sigstore-go` attempts to minimize the dependency tree for simple signing and verification tasks, omitting KMS support and container image verification, and we intend to refactor parts of `cosign` to depend on `sigstore-go`.
`sigstore-go` is currently beta, and may have minor API changes before the 1.0.0 release. It does however pass the sigstore-conformance signing and verification test suite, and correctness is taken very seriously.
Documentation is found in the `docs` subdirectory and on pkg.go.dev.
See the `examples` directory for examples of how to use this library.
Note that the CLI examples are there to demonstrate how to use the library, and are not intended as a fully-featured Sigstore CLI like `cosign`.
Tested with:
- Unix-compatible OS and Windows
- Go 1.23
Note that we do not provide built versions of this library, but you can see which architectures your version of `go` supports with `go tool dist list`.
Tests are invoked using the standard Go testing framework. A helper target also exists in the Makefile:

```
$ make test
```
This came from https://www.npmjs.com/package/sigstore/v/1.3.0/provenance, with the outermost "bundle" key stripped off.
Bug reports are welcome via issues and questions are welcome via discussions. Please refer to SUPPORT.md for details.

This project is provided as-is.