- libc6 (>= 2.34)
A client library for Sigstore (https://www.sigstore.dev/), written in
Go. Features:
.
* Signing and verification of Sigstore bundles
(https://github.com/sigstore/protobuf-
specs/blob/main/protos/sigstore_bundle.proto) compliant with Sigstore
Client Spec
* Verification of raw Sigstore signatures by creating bundles for them
(see conformance tests (/cmd/conformance/main.go) for example)
* Signing and verifying with a Timestamp Authority (TSA)
* Signing and verifying (offline or online) with Rekor (Artifact
Transparency Log)
* Structured verification results including certificate metadata
* TUF support
* Verification support for custom trusted root
(https://github.com/sigstore/protobuf-
specs/blob/main/protos/sigstore_trustroot.proto)
* Basic CLI and examples
.
For an example of how to use this library, see the verification
documentation (/docs/verification.md), the CLI cmd/sigstore-go
(/cmd/sigstore-go/main.go). Note that the CLI
is to demonstrate how to use the library, and not intended as a fully-
featured Sigstore CLI like cosign (https://github.com/sigstore/cosign).
.
Background
.
Sigstore already has a canonical Go client implementation, cosign
(https://github.com/sigstore/cosign), which was developed with a focus
on container image signing/verification. It has a rich CLI and a long
legacy of features and development. sigstore-go is a more minimal and
friendly API for integrating Go code with Sigstore, with a focus on the
newly specified data structures in sigstore/protobuf-specs
(https://github.com/sigstore/protobuf-specs). sigstore-go attempts to
minimize the dependency tree for simple signing and verification tasks,
omitting KMS support and container image verification.
.
This package contains the binaries.
Installed Size: 42.6 MB
Architectures: amd64 arm64