sigstore / sigstore-go

Go library for Sigstore signing and verification
Apache License 2.0
49 stars 26 forks source link
go golang sigstore

sigstore-go

A client library for Sigstore, written in Go.

Go Reference Go Report Card e2e-tests

Features:

There is not built-in support for signing with a KMS or other bring-your-own-key; however you can easily add support by implementing your own version of the interface pkg/sign/keys.go:Keypair.

For an example of how to use this library, see the verification documentation, the CLI cmd/sigstore-go, or the CLI examples below. Note that the CLI is to demonstrate how to use the library, and not intended as a fully-featured Sigstore CLI like cosign.

Background

Sigstore already has a canonical Go client implementation, cosign, which was developed with a focus on container image signing/verification. It has a rich CLI and a long legacy of features and development. sigstore-go is a more minimal and friendly API for integrating Go code with Sigstore, with a focus on the newly specified data structures in sigstore/protobuf-specs. sigstore-go attempts to minimize the dependency tree for simple signing and verification tasks, omitting KMS support and container image verification, and we intend to refactor parts of cosign to depend on sigstore-go.

Status

sigstore-go is currently beta, and may have minor API changes before the 1.0.0 release. It does however pass the sigstore-conformance signing and verification test suite, and correctness is taken very seriously.

Documentation

Documentation is found in the docs subdirectory.

Requirements

Tested with:

Note that we do not provide built versions of this library, but you can see what architectures your version of go supports with go tool dist list.

Installation

You can use the CLI with go run as in the below examples, or compile/install the sigstore-go CLI:

$ make install

Examples

$ go run cmd/sigstore-go/main.go \
  -artifact-digest 76176ffa33808b54602c7c35de5c6e9a4deb96066dba6533f50ac234f4f1f4c6b3527515dc17c06fbe2860030f410eee69ea20079bd3a2c6f3dcf3b329b10751 \
  -artifact-digest-algorithm sha512 \
  -expectedIssuer https://token.actions.githubusercontent.com \
  -expectedSAN https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main \
  examples/bundle-provenance.json
Verification successful!
{
   "version": 20230823,
   "statement": {
      "_type": "https://in-toto.io/Statement/v0.1",
      "predicateType": "https://slsa.dev/provenance/v0.2",
      "subject": ...
    },
    ...
}

You can also specify a TUF root with something like -tufRootURL tuf-repo-cdn.sigstore.dev.

Alternatively, you can install a binary of the CLI like so:

$ go install ./cmd/sigstore-go
$ sigstore-go ...

Testing

Tests are invoked using the standard Go testing framework. A helper exists in the Makefile also.

$ make test

Example bundles

examples/bundle-provenance.json

This came from https://www.npmjs.com/package/sigstore/v/1.3.0/provenance, with the outermost "bundle" key stripped off.

Support

Bug reports are welcome via issues and questions are welcome via discussion. Please refer to SUPPORT.md for details. This project is provided as-is.