2 releases

new 0.3.2 Jun 23, 2022
0.3.1 May 26, 2022
0.1.0 Aug 19, 2021

46 downloads per month

Apache-2.0

210KB
3.5K SLoC

Continuous integration Docs License: Apache 2.0

This is an experimental crate to interact with sigstore.

The crate is under heavy development; many features and checks are still missing.

Features

Verification

The crate implements the following verification mechanisms:

  • Verify using a given key
  • Verify bundle produced by transparency log (Rekor)
  • Verify signature produced in keyless mode, using Fulcio Web-PKI

Signature annotations and certificate email can be provided at verification time.

Known limitations

  • The crate does not handle verification of attestations yet.

Examples

The examples directory contains demo programs using the library.

Security

Should you discover any security issues, please refer to sigstore's security process.

Dependencies

~24–34MB
~724K SLoC