#key #logging #public-key #specifications #signature #api #verify #cert #log #sigstore


An experimental crate to interact with sigstore

12 unstable releases (4 breaking)

0.7.2 Jul 7, 2023
0.7.0 May 30, 2023
0.6.0 Nov 24, 2022
0.3.2 Jun 23, 2022
0.1.0 Aug 19, 2021

#240 in Cryptography

Download history 526/week @ 2023-08-09 251/week @ 2023-08-16 735/week @ 2023-08-23 757/week @ 2023-08-30 689/week @ 2023-09-06 452/week @ 2023-09-13 417/week @ 2023-09-20 424/week @ 2023-09-27 625/week @ 2023-10-04 767/week @ 2023-10-11 444/week @ 2023-10-18 792/week @ 2023-10-25 814/week @ 2023-11-01 501/week @ 2023-11-08 741/week @ 2023-11-15 1308/week @ 2023-11-22

3,485 downloads per month
Used in 2 crates



Continuous integration Docs License Crate version Crate downloads
Continuous integration Docs License: Apache 2.0 Crate version Crate downloads

A crate to interact with sigstore.

This crate is under active development and will not be considered stable until the 1.0 release.


Cosign Sign and Verify

The crate implements the following verification mechanisms:

  • Sign using a cosign key and store the signature in a registry
  • Verify using a given key
  • Verify bundle produced by transparency log (Rekor)
  • Verify signature produced in keyless mode, using Fulcio Web-PKI

Signature annotations and certificate email can be provided at verification time.

Fulcio Integration

For use with Fulcio ephemeral key signing, an OpenID connect API is available, along with a fulcio client implementation.

Rekor Client

All rekor client APIs can be leveraged to interact with the transparency log.

Key Interface

Cryptographic key management with the following key interfaces:

  • Generate a key pair
  • Sign data
  • Verify signature
  • Export public / (encrypted) private key in PEM / DER format
  • Import public / (encrypted) private key in PEM / DER format

Known limitations

  • The crate does not handle verification of attestations yet.


The examples directory contains demo programs using the library.

Each example can be executed with the cargo run --example <name> command.

For example, openidconnect can be run with the following command:

cargo run --example openidconnect

WebAssembly/WASM support

To embedded this crate in WASM modules, build it using the wasm cargo feature:

cargo build --no-default-features --features wasm --target wasm32-unknown-unknown

NOTE: The wasm32-wasi target architecture is not yet supported.


Contributions are welcome! Please see the contributing guidelines for more information.


Should you discover any security issues, please refer to sigstores security process


~567K SLoC