Awesome

sigstore-go

A client library for Sigstore, written in Go.

Features:

• Signing and verification of Sigstore bundles compliant with Sigstore Client Spec
• Verification of raw Sigstore signatures by creating bundles for them (see conformance tests for example)
• Signing and verifying with a Timestamp Authority (TSA)
• Signing and verifying (offline or online) with Rekor (Artifact Transparency Log)
• Structured verification results including certificate metadata
• TUF support
• Verification support for custom trusted root
• Basic CLI and examples

There is not built-in support for signing with a KMS or other bring-your-own-key; however you can easily add support by implementing your own version of the interface pkg/sign/keys.go:Keypair.

For an example of how to use this library, see the verification documentation, the CLI cmd/sigstore-go, or the CLI examples below. Note that the CLI is to demonstrate how to use the library, and not intended as a fully-featured Sigstore CLI like cosign.

Background

Sigstore already has a canonical Go client implementation, cosign, which was developed with a focus on container image signing/verification. It has a rich CLI and a long legacy of features and development. sigstore-go is a more minimal and friendly API for integrating Go code with Sigstore, with a focus on the newly specified data structures in sigstore/protobuf-specs. sigstore-go attempts to minimize the dependency tree for simple signing and verification tasks, omitting KMS support and container image verification, and we intend to refactor parts of cosign to depend on sigstore-go.

Status

sigstore-go is currently beta, and may have minor API changes before the 1.0.0 release. It does however pass the sigstore-conformance signing and verification test suite, and correctness is taken very seriously.

Documentation

Documentation is found in the docs subdirectory.

Requirements

Tested with:

• Unix-compatible OS and Windows
• Go 1.23

Note that we do not provide built versions of this library, but you can see what architectures your version of go supports with go tool dist list.

Installation

You can use the CLI with go run as in the below examples, or compile/install the sigstore-go CLI:

$ make install

Examples

$ go run cmd/sigstore-go/main.go \
  -artifact-digest 76176ffa33808b54602c7c35de5c6e9a4deb96066dba6533f50ac234f4f1f4c6b3527515dc17c06fbe2860030f410eee69ea20079bd3a2c6f3dcf3b329b10751 \
  -artifact-digest-algorithm sha512 \
  -expectedIssuer https://token.actions.githubusercontent.com \
  -expectedSAN https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main \
  examples/bundle-provenance.json
Verification successful!
{
   "version": 20230823,
   "statement": {
      "_type": "https://in-toto.io/Statement/v0.1",
      "predicateType": "https://slsa.dev/provenance/v0.2",
      "subject": ...
    },
    ...
}

You can also specify a TUF root with something like -tufRootURL tuf-repo-cdn.sigstore.dev.

Alternatively, you can install a binary of the CLI like so:

$ go install ./cmd/sigstore-go
$ sigstore-go ...

Testing

Tests are invoked using the standard Go testing framework. A helper exists in the Makefile also.

$ make test

Example bundles

examples/bundle-provenance.json

This came from https://www.npmjs.com/package/sigstore/v/1.3.0/provenance, with the outermost "bundle" key stripped off.

Support

Bug reports are welcome via issues and questions are welcome via discussion. Please refer to SUPPORT.md for details. This project is provided as-is.