Lib.rs

FilesystemSigstore
#merkle-tree #verification #sigstore #verify-proof #rfc #proof-verification #sha-256 #root-hash

sigstore-merkle

RFC 6962 Merkle tree verification for Sigstore

Owned by Wolf Vollprecht, Bas Zalmstra.

11 releases (5 breaking)

new 0.6.4 Mar 6, 2026
0.6.1 Jan 26, 2026
0.6.0 Dec 8, 2025
0.4.0 Nov 28, 2025

#1500 in Filesystem

Download history 3/week @ 2025-11-21 60/week @ 2025-11-28 93/week @ 2025-12-05 304/week @ 2025-12-12 107/week @ 2025-12-19 195/week @ 2025-12-26 268/week @ 2026-01-02 386/week @ 2026-01-09 541/week @ 2026-01-16 381/week @ 2026-01-23 685/week @ 2026-01-30 907/week @ 2026-02-06 1614/week @ 2026-02-13 4026/week @ 2026-02-20 4567/week @ 2026-02-27

11,226 downloads per month
Used in 12 crates (4 directly)

Apache-2.0

140KB
2.5K SLoC

sigstore-merkle

RFC 6962 Merkle tree verification for sigstore-rust.

Overview

This crate implements Merkle tree operations as specified in RFC 6962 (Certificate Transparency). It provides inclusion proof verification for transparency logs like Rekor.

Features

  • Inclusion proof verification: Verify that an entry exists in a Merkle tree
  • Hash chaining: RFC 6962 compliant hash computation for tree nodes
  • Proof path validation: Verify proof paths against known root hashes

Usage

use sigstore_merkle::verify_inclusion;
use sigstore_types::Sha256Hash;

// Verify an inclusion proof
verify_inclusion(
    leaf_index,
    tree_size,
    &proof_hashes,
    &root_hash,
    &leaf_hash,
)?;

Background

Merkle trees in transparency logs allow clients to verify that:

  1. A specific entry exists in the log (inclusion proof)
  2. The log is append-only and consistent (consistency proof)

This crate focuses on inclusion proof verification, which is the primary operation needed for Sigstore bundle verification.

Used by:

License

BSD-3-Clause

Dependencies

~71MB
~2M SLoC