sigstore-go

module

v0.3.0 Latest Latest Go to latest Published: Apr 10, 2024 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/sigstore/sigstore-go

Links

Open Source Insights

README ¶

sigstore-go

A client library for Sigstore, written in Go.

Features:

Verification of Sigstore bundles compliant with Sigstore Client Spec
Verification of raw Sigstore signatures by creating bundles for them (see conformance tests for example)
Timestamp Authority (TSA) verification
Rekor (Artifact Transparency Log) verificaton (offline or online)
Structured verification results including certificate metadata
TUF support
Support for custom trusted root
Basic CLI

Unsupported at this time:

Signing
KMS

For an example of how to use this library, see the verification documentation, the CLI cmd/sigstore-go, or the CLI examples below. Note that the CLI is to demonstrate how to use the library, and not intended as a fully-featured Sigstore CLI like cosign.

Background

Sigstore already has a canonical Go client implementation, cosign, which was developed with a focus on container image signing/verification. It has a rich CLI and a long legacy of features and development. sigstore-go is a more minimal and friendly API for integrating Go code with Sigstore, with a focus on the newly specified data structures in sigstore/protobuf-specs. sigstore-go attempts to minimize the dependency tree for simple verification tasks, omitting KMS support and container image verification, and we intend to refactor parts of cosign to depend on sigstore-go.

Status

sigstore-go is currently pre-1.0 and therefore does not guarantee a stable API. It does however pass the sigstore-conformance verification test suite, and verification correctness is taken very seriously.

Documentation

Documentation is found in the docs subdirectory.

Requirements

Unix-compatible OS
Go 1.21

Installation

You can use the CLI with go run as in the below examples, or compile/install the sigstore-go CLI:

$ make install

Examples

$ go run cmd/sigstore-go/main.go \
  -artifact-digest 76176ffa33808b54602c7c35de5c6e9a4deb96066dba6533f50ac234f4f1f4c6b3527515dc17c06fbe2860030f410eee69ea20079bd3a2c6f3dcf3b329b10751 \
  -artifact-digest-algorithm sha512 \
  -expectedIssuer https://token.actions.githubusercontent.com \
  -expectedSAN https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main \
  examples/bundle-provenance.json
Verification successful!
{
   "version": 20230823,
   "statement": {
      "_type": "https://in-toto.io/Statement/v0.1",
      "predicateType": "https://slsa.dev/provenance/v0.2",
      "subject": ...
    },
    ...
}

You can also specify a TUF root with something like -tufRootURL tuf-repo-cdn.sigstore.dev.

Alternatively, you can install a binary of the CLI like so:

$ go install ./cmd/sigstore-go
$ sigstore-go ...

Testing

Tests are invoked using the standard Go testing framework. A helper exists in the Makefile also.

$ make test

Example bundles

examples/bundle-provenance.json

This came from https://www.npmjs.com/package/sigstore/v/1.3.0/provenance, with the outermost "bundle" key stripped off.

Support

Bug reports are welcome via issues and questions are welcome via discussion. Please refer to SUPPORT.md for details. This project is provided as-is.

Directories ¶

Path	Synopsis
cmd
conformance
sigstore-go
examples
oci-image-verification Module
pkg
bundle
fulcio/certificate
root
testing/ca
testing/data
tlog
tuf
verify

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL