A client library for Sigstore, written in Go.
Features:
- Signing and verification of Sigstore bundles compliant with Sigstore Client Spec
- Verification of raw Sigstore signatures by creating bundles for them (see conformance tests for example)
- Signing and verifying with a Timestamp Authority (TSA)
- Signing and verifying (offline or online) with Rekor (Artifact Transparency Log)
- Structured verification results including certificate metadata
- TUF support
- Verification support for custom trusted root
- Basic CLI and examples
There is not built-in support for signing with a KMS or other bring-your-own-key; however you can easily add support by implementing your own version of the interface pkg/sign/keys.go:Keypair
.
For an example of how to use this library, see the verification documentation, the CLI cmd/sigstore-go, or the CLI examples below. Note that the CLI is to demonstrate how to use the library, and not intended as a fully-featured Sigstore CLI like cosign.
Sigstore already has a canonical Go client implementation, cosign, which was developed with a focus on container image signing/verification. It has a rich CLI and a long legacy of features and development. sigstore-go
is a more minimal and friendly API for integrating Go code with Sigstore, with a focus on the newly specified data structures in sigstore/protobuf-specs. sigstore-go
attempts to minimize the dependency tree for simple signing and verification tasks, omitting KMS support and container image verification, and we intend to refactor parts of cosign
to depend on sigstore-go
.
sigstore-go
is currently beta, and may have minor API changes before the 1.0.0 release. It does however pass the sigstore-conformance
signing and verification test suite, and correctness is taken very seriously.
Documentation is found in the docs
subdirectory.
Tested with:
- Unix-compatible OS and Windows
- Go 1.23
Note that we do not provide built versions of this library, but you can see what architectures your version of go
supports with go tool dist list
.
You can use the CLI with go run
as in the below examples, or compile/install the sigstore-go
CLI:
$ make install
$ go run cmd/sigstore-go/main.go \
-artifact-digest 76176ffa33808b54602c7c35de5c6e9a4deb96066dba6533f50ac234f4f1f4c6b3527515dc17c06fbe2860030f410eee69ea20079bd3a2c6f3dcf3b329b10751 \
-artifact-digest-algorithm sha512 \
-expectedIssuer https://token.actions.githubusercontent.com \
-expectedSAN https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main \
examples/bundle-provenance.json
Verification successful!
{
"version": 20230823,
"statement": {
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2",
"subject": ...
},
...
}
You can also specify a TUF root with something like -tufRootURL tuf-repo-cdn.sigstore.dev
.
Alternatively, you can install a binary of the CLI like so:
$ go install ./cmd/sigstore-go
$ sigstore-go ...
Tests are invoked using the standard Go testing framework. A helper exists in the Makefile also.
$ make test
This came from https://www.npmjs.com/package/sigstore/v/1.3.0/provenance, with the outermost "bundle" key stripped off.
Bug reports are welcome via issues and questions are welcome via discussion. Please refer to SUPPORT.md for details. This project is provided as-is.