Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 514 Commits
.github		.github
docs		docs
examples		examples
pkg		pkg
test		test
.gitignore		.gitignore
.golangci.yaml		.golangci.yaml
CODEOWNERS		CODEOWNERS
CODE_OF_CONDUCT.md		CODE_OF_CONDUCT.md
CONTRIBUTING.md		CONTRIBUTING.md
COPYRIGHT.txt		COPYRIGHT.txt
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
SUPPORT.md		SUPPORT.md
go.mod		go.mod
go.sum		go.sum

Repository files navigation

sigstore-go

A client library forSigstore, written in Go.

Features:

Signing and verification ofSigstore bundles compliant with Sigstore Client Spec
Verification of raw Sigstore signatures by creating bundles for them (seeconformance tests for example)
Signing and verifying with a Timestamp Authority (TSA)
Signing and verifying with Rekor (Artifact Transparency Log)
Structured verification results including certificate metadata
TUF support for fetching trusted root certificates and log keys
Verification support for customtrusted root
Examples for signing and verifying artifacts

There is not built-in support for signing with a KMS or other bring-your-own-key; however you can easily add support by implementing your own version of the interfacepkg/sign/keys.go:Keypair.

Background

Sigstore already has a canonical Go client implementation,cosign, which was developed with a focus on container image signing/verification. It has a rich CLI and a long legacy of features and development.sigstore-go is a more minimal and friendly API for integrating Go code with Sigstore, with a focus on the newly specified data structures insigstore/protobuf-specs.sigstore-go attempts to minimize the dependency tree for simple signing and verification tasks, omitting KMS support and container image verification, and we intend to refactor parts ofcosign to depend onsigstore-go.