
Go library for Sigstore signing and verification


cmurphy/sigstore-go


sigstore-go

A client library for Sigstore, written in Go.


Features:

  • Verification of Sigstore bundles compliant with Sigstore Client Spec
  • Verification of raw Sigstore signatures by creating bundles for them (see conformance tests for example)
  • Timestamp Authority (TSA) verification
  • Rekor (Artifact Transparency Log) verification (offline or online)
  • Structured verification results including certificate metadata
  • TUF support
  • Support for custom trusted root
  • Basic CLI

Unsupported at this time:

  • Signing
  • KMS

For an example of how to use this library, see the verification documentation, the CLI cmd/sigstore-go, or the CLI examples below. Note that the CLI exists to demonstrate how to use the library; it is not intended as a fully-featured Sigstore CLI like cosign.

Background

Sigstore already has a canonical Go client implementation, cosign, which was developed with a focus on container image signing/verification. It has a rich CLI and a long legacy of features and development. sigstore-go is a more minimal and friendly API for integrating Go code with Sigstore, with a focus on the newly specified data structures in sigstore/protobuf-specs. sigstore-go attempts to minimize the dependency tree for simple verification tasks, omitting KMS support and container image verification, and we intend to refactor parts of cosign to depend on sigstore-go.

Status

sigstore-go is currently pre-1.0 and therefore does not guarantee a stable API. It does however pass the sigstore-conformance verification test suite, and verification correctness is taken very seriously.

Documentation

Documentation is found in the docs subdirectory.

Requirements

Installation

You can use the CLI with go run as in the examples below, or compile/install the sigstore-go CLI:

$ make install

Examples

$ go run cmd/sigstore-go/main.go \
  -artifact-digest 76176ffa33808b54602c7c35de5c6e9a4deb96066dba6533f50ac234f4f1f4c6b3527515dc17c06fbe2860030f410eee69ea20079bd3a2c6f3dcf3b329b10751 \
  -artifact-digest-algorithm sha512 \
  -expectedIssuer https://token.actions.githubusercontent.com \
  -expectedSAN https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main \
  examples/bundle-provenance.json
Verification successful!
{
   "version": 20230823,
   "statement": {
      "_type": "https://in-toto.io/Statement/v0.1",
      "predicateType": "https://slsa.dev/provenance/v0.2",
      "subject": ...
    },
    ...
}

You can also specify a TUF root with something like -tufRootURL tuf-repo-cdn.sigstore.dev.

Alternatively, you can install a binary of the CLI like so:

$ go install ./cmd/sigstore-go
$ sigstore-go ...
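To show where the "statement" printed by the CLI above comes from and how the -artifact-digest / -artifact-digest-algorithm flags are matched against it, here is an added standard-library-only example; it is not code from sigstore-go. The Bundle and Statement types, MatchSubject and the sample bundle are constructed for this illustration, and the function performs none of the signature, certificate, timestamp or Rekor checks that the library does.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Minimal shapes of a Sigstore JSON bundle carrying a DSSE envelope and of the in-toto
// statement in its payload; encoding/json maps these field names to the keys case-insensitively.
type Bundle struct {
	DSSEEnvelope struct{ PayloadType, Payload string } // Payload is the base64 statement
}
type Statement struct {
	Subject []struct {
		Name   string
		Digest map[string]string // algorithm -> hex digest
	}
}

// MatchSubject decodes the DSSE payload and applies the -artifact-digest/-artifact-digest-algorithm
// policy: some subject must list digestHex under alg. Signature, certificate and log checks are the library's job.
func MatchSubject(bundleJSON []byte, alg, digestHex string) (string, error) {
	var b Bundle
	if err := json.Unmarshal(bundleJSON, &b); err != nil {
		return "", fmt.Errorf("bundle: %w", err)
	}
	if pt := b.DSSEEnvelope.PayloadType; pt != "application/vnd.in-toto+json" {
		return "", fmt.Errorf("unexpected payloadType %q", pt)
	}
	raw, err := base64.StdEncoding.DecodeString(b.DSSEEnvelope.Payload)
	if err != nil {
		return "", fmt.Errorf("payload: %w", err)
	}
	var st Statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return "", fmt.Errorf("statement: %w", err)
	}
	for _, s := range st.Subject {
		if d, ok := s.Digest[alg]; ok && d == digestHex {
			return s.Name, nil // policy satisfied by this subject
		}
	}
	return "", fmt.Errorf("no subject with %s digest %s", alg, digestHex)
}

// Constructed inputs (not a real signed bundle): one sha512 subject and a dummy signature.
var SampleStatement = `{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","subject":[{"name":"example-artifact","digest":{"sha512":"00ff"}}]}`
var SampleBundle = []byte(`{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","dsseEnvelope":{"payloadType":"application/vnd.in-toto+json","payload":"` +
	base64.StdEncoding.EncodeToString([]byte(SampleStatement)) + `","signatures":[{"sig":"ZHVtbXk="}]}}`)
```

A real verification must still go through the library so that the envelope signature, certificate identity and log inclusion are checked before the subject digest is trusted.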

Testing

Tests are invoked using the standard Go testing framework. A helper target also exists in the Makefile.

$ make test

Example bundles

examples/bundle-provenance.json

This came from https://www.npmjs.com/package/sigstore/v/1.3.0/provenance, with the outermost "bundle" key stripped off.

Support