9 releases (5 breaking)
| 0.6.3 | Feb 6, 2026 |
|---|---|
| 0.6.1 | Jan 26, 2026 |
| 0.6.0 | Dec 8, 2025 |
| 0.4.0 | Nov 28, 2025 |
#756 in Cryptography
460KB
7.5K
SLoC
Contains (Zip file, 2KB) signed-package-2.1.0-hb0f4dca_0.conda
sigstore-verify
Sigstore signature verification for sigstore-rust.
Overview
This crate provides high-level APIs for verifying Sigstore signatures. It handles the complete verification flow: bundle parsing, certificate chain validation, signature verification, transparency log verification, and identity policy enforcement.
Features
- Bundle verification: Verify standard Sigstore bundles
- Certificate validation: X.509 chain validation against Fulcio CA
- Transparency log verification: Checkpoint signatures, inclusion proofs, SETs
- Timestamp verification: RFC 3161 timestamp validation
- Identity policies: Verify signer identity claims (issuer, subject, etc.)
Verification Steps
- Parse and validate bundle structure
- Verify certificate chain against trusted root
- Verify signature over artifact
- Verify transparency log entry (checkpoint, inclusion proof, or SET)
- Verify timestamps if present
- Check identity against policy (optional)
Usage
use sigstore_verify::{verify, Verifier, VerificationPolicy};
use sigstore_trust_root::TrustedRoot;
use sigstore_types::{Artifact, Bundle, Sha256Hash};
let root = TrustedRoot::production()?;
let bundle: Bundle = serde_json::from_str(bundle_json)?;
let policy = VerificationPolicy::default();
// Verify with raw artifact bytes
let artifact_bytes = b"hello world";
let result = verify(artifact_bytes.as_slice(), &bundle, &policy, &root)?;
// Or verify with pre-computed SHA-256 digest (useful for large files)
let digest = Sha256Hash::from_hex("b94d27b9...")?;
let result = verify(digest, &bundle, &policy, &root)?;
// Using the Verifier struct directly
let verifier = Verifier::new(&root);
let result = verifier.verify(artifact_bytes.as_slice(), &bundle, &policy)?;
Verification Policies
use sigstore_verify::VerificationPolicy;
// Default policy (verify tlog, timestamps, and certificate chain)
let policy = VerificationPolicy::default();
// Require specific identity and issuer
let policy = VerificationPolicy::default()
.require_identity("user@example.com")
.require_issuer("https://accounts.google.com");
// Skip certain verifications (for testing only)
let policy = VerificationPolicy::default()
.skip_tlog()
.skip_certificate_chain();
Related Crates
sigstore-sign- Create signatures to verify with this crate
License
BSD-3-Clause
Dependencies
~99MB
~2.5M SLoC