A client library for Sigstore, written in Go.
Features:
- Verification of Sigstore bundles compliant with Sigstore Client Spec
- Verification of raw Sigstore signatures by creating bundles for them (see the conformance tests for an example)
- Timestamp Authority (TSA) verification
- Rekor (Artifact Transparency Log) verification (offline or online)
- Structured verification results including certificate metadata
- TUF support
- Support for custom trusted root
- Basic CLI
Unsupported at this time:
- Signing
- KMS
For an example of how to use this library, see the verification documentation, the CLI in cmd/sigstore-go, or the CLI examples below. Note that the CLI exists to demonstrate how to use the library and is not intended as a fully-featured Sigstore CLI like cosign.
Sigstore already has a canonical Go client implementation, cosign, which was developed with a focus on container image signing/verification. It has a rich CLI and a long legacy of features and development. sigstore-go is a more minimal and friendly API for integrating Go code with Sigstore, with a focus on the newly specified data structures in sigstore/protobuf-specs. sigstore-go attempts to minimize the dependency tree for simple verification tasks, omitting KMS support and container image verification, and we intend to refactor parts of cosign to depend on sigstore-go.
sigstore-go is currently pre-1.0 and therefore does not guarantee a stable API. It does, however, pass the sigstore-conformance verification test suite, and verification correctness is taken very seriously.
Documentation is found in the docs subdirectory.
Requirements:
- Unix-compatible OS
- Go 1.21
You can use the CLI with go run as in the examples below, or compile/install the sigstore-go CLI:
$ make install
$ go run cmd/sigstore-go/main.go \
-artifact-digest 76176ffa33808b54602c7c35de5c6e9a4deb96066dba6533f50ac234f4f1f4c6b3527515dc17c06fbe2860030f410eee69ea20079bd3a2c6f3dcf3b329b10751 \
-artifact-digest-algorithm sha512 \
-expectedIssuer https://token.actions.githubusercontent.com \
-expectedSAN https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main \
examples/bundle-provenance.json
Verification successful!
{
"version": 20230823,
"statement": {
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2",
"subject": ...
},
...
}
You can also specify a TUF root with something like -tufRootURL tuf-repo-cdn.sigstore.dev.
Alternatively, you can install a binary of the CLI like so:
$ go install ./cmd/sigstore-go
$ sigstore-go ...
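As an added example (not part of the sigstore-go repository), the following POSIX shell wrapper around the CLI invocation above derives the artifact digest from the file itself and checks its shape before binding it into the verification policy. It assumes an installed sigstore-go binary and the flag names shown above; the function names are the example's own.

```shell
#!/bin/sh
# Wrapper around the sigstore-go CLI (added example, not project code).
# The verification policy binds three things: the artifact digest, the
# expected OIDC issuer and the expected SAN of the signing certificate.

# Print the hex SHA-512 digest of a file. Uses GNU sha512sum when present,
# otherwise BSD/macOS shasum.
artifact_sha512() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# Accept only a well-formed SHA-512 hex digest (128 lowercase hex chars),
# so a truncated or mangled value never reaches the policy.
is_sha512_hex() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{128}$'
}

# verify_artifact ARTIFACT BUNDLE ISSUER SAN
# Runs sigstore-go with a policy tied to ARTIFACT's digest and the expected
# signing identity; the CLI's exit status is returned unchanged.
verify_artifact() {
  artifact=$1; bundle=$2; issuer=$3; san=$4
  digest=$(artifact_sha512 "$artifact") || return 1
  is_sha512_hex "$digest" || { echo "bad digest: $digest" >&2; return 1; }
  sigstore-go \
    -artifact-digest "$digest" \
    -artifact-digest-algorithm sha512 \
    -expectedIssuer "$issuer" \
    -expectedSAN "$san" \
    "$bundle"
}

# Usage, mirroring the example earlier on this page:
# verify_artifact ./sigstore-1.3.0.tgz examples/bundle-provenance.json \
#   https://token.actions.githubusercontent.com \
#   https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main
```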
Tests are invoked using the standard Go testing framework. A helper exists in the Makefile also.
$ make test
The example bundle examples/bundle-provenance.json came from https://www.npmjs.com/package/sigstore/v/1.3.0/provenance, with the outermost "bundle" key stripped off.