
sigstore

An experimental crate to interact with sigstore

9 unstable releases (3 breaking)

0.6.0 Nov 24, 2022
0.5.3 Oct 21, 2022
0.4.0 Sep 1, 2022
0.3.3 Aug 9, 2022
0.1.0 Aug 19, 2021

#99 in Testing

Download history 467/week @ 2022-11-27 372/week @ 2022-12-04 465/week @ 2022-12-11 696/week @ 2022-12-18 53/week @ 2022-12-25 372/week @ 2023-01-01 677/week @ 2023-01-08 1049/week @ 2023-01-15 641/week @ 2023-01-22 294/week @ 2023-01-29 551/week @ 2023-02-05 184/week @ 2023-02-12 591/week @ 2023-02-19 1198/week @ 2023-02-26 921/week @ 2023-03-05 854/week @ 2023-03-12

3,571 downloads per month
Used in 2 crates

Apache-2.0

445KB
8K SLoC


This is an experimental crate to interact with sigstore.

This crate is under heavy development; many features and checks are still missing.

Features

Cosign Verification

The crate implements the following verification mechanisms:

  • Verify using a given public key
  • Verify a bundle produced by the transparency log (Rekor)
  • Verify a signature produced in keyless mode, using the Fulcio Web PKI

Additional constraints, such as required signature annotations and the expected certificate subject email for keyless signatures, can be provided at verification time.
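The following is an added, standard-library-only model of how verification-time constraints (annotations, certificate email) are checked against the signature layers found on an image. It is not code from the sigstore crate: the `SignatureLayer`, `CertIdentity`, `AnnotationVerifier`, `CertSubjectEmailVerifier` and `verify_constraints` names, their shapes and the sample layers are assumptions constructed for this example, and no real signature or certificate is parsed or verified here.

```rust
use std::collections::BTreeMap;

/// Identity claims a verifier reads out of a Fulcio-issued certificate.
/// Constructed for this example.
#[derive(Debug, Clone, PartialEq)]
pub struct CertIdentity {
    pub email: String,
    pub issuer: String,
}

/// One signature attached to an image: the annotations carried in its
/// payload and, for keyless signatures, the certificate identity.
/// Constructed model; a real layer also carries the payload and signature.
#[derive(Debug, Clone)]
pub struct SignatureLayer {
    pub annotations: BTreeMap<String, String>,
    pub cert_identity: Option<CertIdentity>,
}

/// A check that a single signature layer either passes or fails.
pub trait VerificationConstraint {
    fn verify(&self, layer: &SignatureLayer) -> bool;
    fn describe(&self) -> String;
}

/// Every required annotation must be present with exactly this value.
pub struct AnnotationVerifier {
    pub required: BTreeMap<String, String>,
}

impl VerificationConstraint for AnnotationVerifier {
    fn verify(&self, layer: &SignatureLayer) -> bool {
        self.required
            .iter()
            .all(|(k, v)| layer.annotations.get(k) == Some(v))
    }
    fn describe(&self) -> String {
        format!("annotations {:?}", self.required)
    }
}

/// Certificate subject email must match; the issuer is checked only when given.
pub struct CertSubjectEmailVerifier {
    pub email: String,
    pub issuer: Option<String>,
}

impl VerificationConstraint for CertSubjectEmailVerifier {
    fn verify(&self, layer: &SignatureLayer) -> bool {
        match &layer.cert_identity {
            // A key-based signature has no certificate, so it can never
            // satisfy an identity constraint.
            None => false,
            Some(id) => {
                id.email == self.email
                    && self.issuer.as_ref().map_or(true, |iss| iss == &id.issuer)
            }
        }
    }
    fn describe(&self) -> String {
        format!("email {} issuer {:?}", self.email, self.issuer)
    }
}

/// Each constraint, independently, must be satisfied by at least one layer.
/// Err carries the descriptions of the constraints no layer satisfied.
pub fn verify_constraints(
    layers: &[SignatureLayer],
    constraints: &[&dyn VerificationConstraint],
) -> Result<(), Vec<String>> {
    let unsatisfied: Vec<String> = constraints
        .iter()
        .filter(|c| !layers.iter().any(|l| c.verify(l)))
        .map(|c| c.describe())
        .collect();
    if unsatisfied.is_empty() {
        Ok(())
    } else {
        Err(unsatisfied)
    }
}

/// Stricter policy: one and the same layer must satisfy every constraint.
/// Returns the index of the first such layer, or None.
pub fn verify_constraints_same_layer(
    layers: &[SignatureLayer],
    constraints: &[&dyn VerificationConstraint],
) -> Option<usize> {
    layers
        .iter()
        .position(|l| constraints.iter().all(|c| c.verify(l)))
}

/// Constructed sample: one keyless signature and one key-based signature.
pub fn sample_layers() -> Vec<SignatureLayer> {
    vec![
        SignatureLayer {
            annotations: BTreeMap::from([("env".to_string(), "prod".to_string())]),
            cert_identity: Some(CertIdentity {
                email: "alice@example.com".to_string(),
                issuer: "https://accounts.google.com".to_string(),
            }),
        },
        SignatureLayer {
            annotations: BTreeMap::from([("env".to_string(), "staging".to_string())]),
            cert_identity: None,
        },
    ]
}

fn main() {
    let layers = sample_layers();
    let email = CertSubjectEmailVerifier {
        email: "alice@example.com".to_string(),
        issuer: None,
    };
    let staging = AnnotationVerifier {
        required: BTreeMap::from([("env".to_string(), "staging".to_string())]),
    };
    let constraints: Vec<&dyn VerificationConstraint> = vec![&email, &staging];
    // Independent check passes: alice's layer satisfies the email constraint,
    // the key-based layer satisfies the annotation constraint.
    println!("independent: {:?}", verify_constraints(&layers, &constraints));
    // Same-layer check fails: nobody signed the staging payload as alice.
    println!("same layer: {:?}", verify_constraints_same_layer(&layers, &constraints));
}
```

The two policies differ on exactly the case the sample constructs: with independent evaluation, an email constraint and an annotation constraint can be satisfied by two different signatures, so an attacker who controls one key-based signature on the image can satisfy the annotation half. When a policy means "this identity signed a payload carrying these annotations", check that a single layer satisfies all constraints, as `verify_constraints_same_layer` does, or fold the requirements into one constraint. Confirm which of the two semantics the verification library you use implements before relying on it.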

OpenID Connect

For use with Fulcio ephemeral key signing, an OpenID Connect API is available.

Rekor Client

All of the Rekor client APIs are available.

Key Interface

The crate implements the following key interfaces:

  • Generate a key pair
  • Sign data
  • Verify signature
  • Export public / (encrypted) private key in PEM / DER format
  • Import public / (encrypted) private key in PEM / DER format

Known limitations

  • The crate does not yet handle verification of attestations, nor does it perform OCI container signing operations.

Examples

The examples directory contains demo programs using the library.

Each example can be executed with the cargo run --example <name> command.

For example, the openidconnect example can be run with the following command:

cargo run --example openidconnect

Security

Should you discover any security issues, please refer to sigstore's security process.

Dependencies

~29–39MB
~837K SLoC