sigstore/sigstore-java

sigstore-java

A sigstore java client for interacting with sigstore infrastructure

You can file issues directly on this project, or if you have any questions, message us on the sigstore #java slack channel.

Minimum Requirements

  • Java 11

Usage

Build plugins

For use directly with your java build. See the maven or gradle build plugin specifics.

Keyless Signing And Verification

Signing

```java
Path testArtifact = Paths.get("path/to/my/file.jar");

// sign using the sigstore public instance
var signer = KeylessSigner.builder().sigstorePublicDefaults().build();
Bundle result = signer.signFile(testArtifact);

// sigstore bundle format (serialized as <artifact>.sigstore.json)
String bundleJson = result.toJson();
```

Verification

Get artifact and bundle

```java
Path artifact = Paths.get("path/to/my-artifact");

// import a json formatted sigstore bundle
Path bundleFile = Paths.get("path/to/my-artifact.sigstore.json");
Bundle bundle = Bundle.from(bundleFile, StandardCharsets.UTF_8);
```

Configure verification options

```java
// add certificate policy to verify the identity of the signer
VerificationOptions options = VerificationOptions.builder()
    .addCertificateMatchers(
        CertificateMatcher.fulcio()
            .subjectAlternativeName(StringMatcher.string("test@example.com"))
            .issuer(StringMatcher.string("https://accounts.example.com"))
            .build())
    .build();
```

Do verification

```java
try {
  // verify using the sigstore public instance
  var verifier = KeylessVerifier.builder().sigstorePublicDefaults().build();
  verifier.verify(artifact, bundle, options);
  // verification passed!
} catch (KeylessVerificationException e) {
  // verification failed
}
```

Verifying DSSE Bundles

sigstore-java doesn't create DSSE bundles yet, but it can verify the signatures over them with the same KeylessVerifier workflow detailed above. While sigstore-java inspects the embedded payload to ensure the provided artifact is a subject in the in-toto statement, it is not able to make any further assertions about the payload. Consumers of DSSE bundles should inspect the embedded payload to verify extended attestation data using tools like slsa-verifier.

Exploring the API

The public stable API is limited to dev.sigstore.KeylessSigner and dev.sigstore.KeylessVerifier and the classes exposed by those APIs. Other classes in the library are subject to change without notice.

You can browse Javadoc at https://javadoc.io/doc/dev.sigstore/sigstore-java.

To build and view javadoc from the sources, use the following command:

```sh
$ ./gradlew javadoc
$ "my-favorite-browser" ./sigstore-java/build/docs/javadoc/index.html
```

Distribution

Sigstore Java and Sigstore Maven Plugin are signed with both PGP and sigstore.

PGP

| Version Range | Key Id           |
|---------------|------------------|
| 1.X.X         | AC74A3385D0E3252 |
| 2.X.X         | 00E008229F5DAF37 |

Sigstore

| Version Range | Issuer | Signer Id |
|---------------|--------|-----------|
| 1.0.0 - 2.X.X | https://token.actions.githubusercontent.com | https://github.com/sigstore/sigstore-java/.github/workflows/release-sigstore-java-from-tag.yaml@refs/tags/X.X.X |
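As an added example (not code from the sigstore-java README), the KeylessVerifier workflow above can be turned into a check of a downloaded sigstore-java release against the issuer and signer id in this table, pinning the tag to the exact version you fetched so a bundle from another release is rejected. Import paths other than dev.sigstore.KeylessVerifier, the file names and the `X.X.X` version are assumptions; confirm them against the Javadoc for the version you use.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import dev.sigstore.KeylessVerificationException;
import dev.sigstore.KeylessVerifier;
import dev.sigstore.VerificationOptions;
import dev.sigstore.VerificationOptions.CertificateMatcher;
import dev.sigstore.bundle.Bundle;
import dev.sigstore.strings.StringMatcher;

public class VerifySigstoreJavaRelease {
  // Issuer and signer id from the Distribution table. The tag in the signer id
  // is pinned to the version being checked rather than matched loosely, so a
  // validly signed bundle for a different release does not pass.
  static final String ISSUER = "https://token.actions.githubusercontent.com";
  static final String WORKFLOW =
      "https://github.com/sigstore/sigstore-java/.github/workflows/release-sigstore-java-from-tag.yaml";

  static VerificationOptions releasePolicy(String version) {
    return VerificationOptions.builder()
        .addCertificateMatchers(
            CertificateMatcher.fulcio()
                .subjectAlternativeName(StringMatcher.string(WORKFLOW + "@refs/tags/" + version))
                .issuer(StringMatcher.string(ISSUER))
                .build())
        .build();
  }

  // Returns true only when the bundle verifies against the public sigstore
  // instance and the signing certificate matches the release identity above.
  static boolean verifyRelease(Path artifact, Path bundleFile, String version) throws Exception {
    Bundle bundle = Bundle.from(bundleFile, StandardCharsets.UTF_8);
    var verifier = KeylessVerifier.builder().sigstorePublicDefaults().build();
    try {
      verifier.verify(artifact, bundle, releasePolicy(version));
      return true;
    } catch (KeylessVerificationException e) {
      System.err.println("verification failed: " + e.getMessage());
      return false;
    }
  }

  public static void main(String[] args) throws Exception {
    // Placeholder file names and version; substitute the downloaded release.
    Path jar = Paths.get("sigstore-java-X.X.X.jar");
    Path bundleFile = Paths.get("sigstore-java-X.X.X.jar.sigstore.json");
    boolean ok = verifyRelease(jar, bundleFile, "X.X.X");
    System.out.println(ok ? "release signature verified" : "REJECT: do not use this artifact");
  }
}
```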
