merging main.

Signed-off-by: hayleycd <[email protected]>
sigstore · Nov 8, 2024 · 9b5f721 · 9b5f721
2 parents 67ad22c + f1c041f
commit 9b5f721
Show file tree

Hide file tree

Showing 9 changed files with 228 additions and 6 deletions.
diff --git a/content/en/cosign/system_config/custom_components.md b/content/en/cosign/system_config/custom_components.md
@@ -9,13 +9,15 @@ This page contains instructions on how to configure Cosign to work with alternat
 
 Verifying keyless signatures require verifying signatures from Rekor, material (SCTs) from the CT log, and certificates that chain up to Fulcio. The public keys and root certificates for these components are distributed through [TUF](https://theupdateframework.io/) repositories. By default, Cosign uses a TUF client that has an initial trust in an embedded root and then fetches updated verification material from our public-good-instance TUF repository created on the [root-signing](https://github.com/sigstore/root-signing) GitHub repository. 
 
-There are three options to configure Cosign to verify against custom components:
+There are several options to configure Cosign to verify against custom components:
 
 1. Use [scaffolding](https://github.com/sigstore/scaffolding) to create a custom Sigstore stack. This provides a TUF root distributing verification material for the custom components, and pre-configured Cosign with the trust root.
 
 2. Create a TUF repository yourself, using [go-tuf](https://github.com/theupdateframework/go-tuf) or [python-tuf](https://github.com/theupdateframework/python-tuf)'s repository writers. Instructions for how to configure this root is in this [blog post](https://blog.sigstore.dev/sigstore-bring-your-own-stuf-with-tuf-40febfd2badd). This [script](https://gist.github.com/asraa/947f1a38afd03af57c7b71d893c36af0) can be used to create a TUF repository from the custom Fulcio, Rekor, and CT log verification material.
 
-3. As a last resort, you may also use the following environment variables to configure custom keys out of band.
+3. TUF is recommended because it makes it easy to distribute up-to-date key material to clients. However, if you aren't using TUF, you can manually assemble trusted key material into a trusted root file with `cosign trusted-root create ...`. You can then supply that trusted root file to `cosign verify` commands with `--trusted-root`.
+
+4. As a last resort, you may also use the following environment variables to configure custom keys out of band.
 
 | Env Variable      | Description |
 | ---------- | ------------------- |

diff --git a/content/en/cosign/verifying/verify.md b/content/en/cosign/verifying/verify.md
@@ -248,6 +248,12 @@ You can override the public good instance CA using the environment variable `SIG
 export SIGSTORE_ROOT_FILE="/home/jdoe/myrootCA.pem"
 ```
 
+## New bundle format coming soon
+
+There's a new bundle format using [bundle protobuf-specs](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto) that has a number of advantages over the previous bundle format: it supports offline verification, and includes additional information (like signed timestamps and attestations) in a single file.
+
+You can take existing signed material and make a new protobuf bundle with `cosign bundle create ...`.
+
 ## Experimental Features
 
 ### Verify a signature was added to the transparency log

diff --git a/content/en/language_clients/go/_index.html b/content/en/language_clients/go/_index.html
@@ -0,0 +1,11 @@
+---
+type: docs
+title: "Go"
+description: "Go Language Client"
+lead: "Go Language Client"
+date: 2024-10-06T08:49:15+00:00
+lastmod: 2024-10-06T08:49:15+00:00
+draft: false
+images: []
+weight: 60
+---
diff --git a/content/en/language_clients/go/overview.md b/content/en/language_clients/go/overview.md
@@ -0,0 +1,75 @@
+---
+type: docs
+category: Go
+title: Go Client Overview
+weight: 5
+---
+
+[`sigstore-go`](https://pkg.go.dev/github.com/sigstore/sigstore-go) is the Go language client library for Sigstore.
+
+`sigstore-go` is intended as a minimal dependency library for signing and verifying. It's not intended to replace [cosign](../../cosign/signing/overview.md), which provides a CLI with many features for interacting with Sigstore. Over time, `cosign` will use `sigstore-go` for verification.
+
+- Friendly API for integrating Go code with Sigstore
+- Smaller dependency tree
+- Focuses on newly specified data structures in [sigstore/protobuf-specs](https://github.com/sigstore/protobuf-specs)
+- Perfect for simple signing and verififcation tasks
+
+`sigstore-go` is currently in beta.
+
+## Features
+
+- Signing and verification of [Sigstore bundles](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto)
+- Verification of raw Sigstore signatures
+- Signing and verifying with a Timestamp Authority (TSA)
+- Online and offline signing and verifying with Rekor (Artifact Transparency Log)
+- Structured verification results including certificate metadata
+- TUF support
+- Verification support for custom [trusted root](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_trustroot.proto)
+- Basic CLI
+
+## Installation
+
+### Main CLI installation
+
+`sigstore-go` requires Go 1.21 or greater. The package is tested with Go 1.23.
+
+To compile/install the CLI, clone [`sigstore-go`](https://github.com/sigstore/sigstore-go) and run.
+
+```console
+make install
+```
+
+Alternatively, you can use `go run cmd/sigstore-go/main.go` to access the CLI, as show in the [example](#cli-example).
+
+## Example
+
+### CLI example
+
+The following is an example of using the sigstore-go CLI to verify a signature.
+
+```console
+go run cmd/sigstore-go/main.go \
+  -artifact-digest 76176ffa33808b54602c7c35de5c6e9a4deb96066dba6533f50ac234f4f1f4c6b3527515dc17c06fbe2860030f410eee69ea20079bd3a2c6f3dcf3b329b10751 \
+  -artifact-digest-algorithm sha512 \
+  -expectedIssuer https://token.actions.githubusercontent.com \
+  -expectedSAN https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main \
+  examples/bundle-provenance.json
+Verification successful!
+{
+   "version": 20230823,
+   "statement": {
+      "_type": "https://in-toto.io/Statement/v0.1",
+      "predicateType": "https://slsa.dev/provenance/v0.2",
+      "subject": ...
+    },
+    ...
+}
+```
+
+### Additional examples
+
+Additional examples are available in the [project documentation](https://github.com/sigstore/sigstore-go#sigstore-go).
+
+- [Signing example](https://github.com/sigstore/sigstore-go/blob/main/docs/signing.md#examples)
+- [Verifying example](https://github.com/sigstore/sigstore-go/blob/main/docs/verification.md#verification-using-sigstore-go)
+- [OCI image verifying example](https://github.com/sigstore/sigstore-go/blob/main/docs/oci-image-verification.md#example-of-oci-image-verification-using-sigstore-go)
diff --git a/content/en/language_clients/javascript/_index.html b/content/en/language_clients/javascript/_index.html
@@ -0,0 +1,11 @@
+---
+type: docs
+title: "JavaScript"
+description: "JavaScript Language Client"
+lead: "JavaScript Language Client"
+date: 2024-10-06T08:49:15+00:00
+lastmod: 2024-10-06T08:49:15+00:00
+draft: false
+images: []
+weight: 40
+---
diff --git a/content/en/language_clients/javascript/overview.md b/content/en/language_clients/javascript/overview.md
@@ -0,0 +1,71 @@
+---
+type: docs
+category: JavaScript
+title: JavaScript Client Overview
+weight: 5
+---
+
+[sigstore-js](https://github.com/sigstore/sigstore-js) is a collection of [javascript libraries](#additional-packages) for interacting with Sigstore.
+
+The main package,[`sigstore`](https://www.npmjs.com/package/sigstore), is a JavaScript library for generating and verifying Sigstore signatures. One of the intended uses is to sign and verify npm packages but it can be used to sign and verify any file.
+
+Full project documentation can be found in the [sigstore-js](https://github.com/sigstore/sigstore-js#sigstore-js---) project README and in each [package README](https://github.com/sigstore/sigstore-js/tree/main/packages).
+
+## Features
+
+- Support for signing using an OpenID Connect identity
+- Support for publishing signatures to a [Rekor](../../logging/overview/) instance
+- Support for verifying Sigstore bundles
+
+## Installation
+
+[`sigstore`](https://www.npmjs.com/package/sigstore) requires Node.js version >= 18.17.0.
+
+To install `sigstore` run the following command:
+
+```console
+npm install sigstore
+```
+
+## Example
+
+ To use `sigstore`, import the following into your project using the following:
+
+ ```console
+ const { sign, verify } = require('sigstore');
+ ```
+
+ ```console
+ import { sign, verify } from 'sigstore';
+ ```
+
+### Signing example
+
+ ```console
+ const bundle = await sign(Buffer.from('hello world'));
+```
+
+ There are a number of optional arguments that can be used with the sign function. Additional information is available in the [project repository](https://github.com/sigstore/sigstore-js/tree/main/packages/client#signpayload-options).
+
+ The sign function will return a JSON-encoded Sigstore bundle which includes the signature and the necessary verification material.
+
+### Verifying example
+
+The following function will verify the previously signed message:
+
+```console
+verify(bundle, Buffer.from('hello world'), { certificateIssuer: 'https://token.actions.githubusercontent.com/' });
+```
+
+More information on optional arguments can be found in the [project documentation](https://github.com/sigstore/sigstore-js/tree/main/packages/client#verifybundle-payload-options)
+
+## Additional Packages
+
+The [sigstore-js](https://github.com/sigstore/sigstore-js) project includes additional functionality through its scoped packages.
+
+- [`@sigstore/bundle`](https://www.npmjs.com/package/@sigstore/bundle) - TypeScript types and utility functions for working with Sigstore bundles.
+- [`@sigstore/cli`](https://www.npmjs.com/package/@sigstore/cli) - Command line interface for signing/verifying artifacts with Sigstore.
+- [`@sigstore/sign`](https://www.npmjs.com/package/@sigstore/sign) - Library for generating Sigstore signatures.
+- [`@sigstore/tuf`](https://www.npmjs.com/package/@sigstore/tuf) - Library for interacting with the Sigstore TUF repository.
+- [`@sigstore/rekor-types`](https://www.npmjs.com/package/@sigstore/rekor-types) - TypeScript types for the Sigstore Rekor REST API.
+- [`@sigstore/mock`](https://www.npmjs.com/package/@sigstore/mock) - Mocking library for Sigstore services.
diff --git a/content/en/language_clients/language_client_overview.md b/content/en/language_clients/language_client_overview.md
@@ -9,11 +9,11 @@ Sigstore uses [cosign](../../cosign/signing/overview) to sign and verify package
 
 Sigstore has clients for the following language ecosystems:
 
+- [Go](../go/overview)
+- [Java](../java/overview)
+- [JavaScript](../javascript/overview)
 - [Python](../python/overview)
-- [Rust](https://github.com/sigstore/sigstore-rs#features)
+- [Rust](../rust/overview)
 - [Ruby](https://github.com/sigstore/sigstore-ruby#sigstore)
-- [JavaScript](https://github.com/sigstore/sigstore-js#sigstore-js---)
-- [Java](../java/overview)
-- [Go](https://github.com/sigstore/sigstore-go#sigstore-go)
 
 Language client documentation is hosted in the individual project repositories. Project summaries are currently being added to the main Sigstore documentation.
diff --git a/content/en/language_clients/rust/_index.html b/content/en/language_clients/rust/_index.html
@@ -0,0 +1,11 @@
+---
+type: docs
+title: "Rust"
+description: "Rust Language Client"
+lead: "Rust Language Client"
+date: 2024-10-06T08:49:15+00:00
+lastmod: 2024-10-06T08:49:15+00:00
+draft: false
+images: []
+weight: 80
+---
diff --git a/content/en/language_clients/rust/overview.md b/content/en/language_clients/rust/overview.md
@@ -0,0 +1,35 @@
+---
+type: docs
+category: Rust
+title: Rust Client Overview
+weight: 5
+---
+
+[`sigstore`](https://crates.io/crates/sigstore) is a crate designed to interact with Sigstore architecture.
+
+**This crate is under active development, and will not be considered stable until the [1.0 release](https://github.com/sigstore/sigstore-rs/issues/274).**
+
+## Features
+
+- Container and binary signing and verification
+- Fulcio integration including an OpenID Connect API
+- All Rekor client APIs can be leveraged to interact with the transparency log
+- Cryptographic key management
+
+## Installation
+
+Run the following command in your project directory:
+
+```console
+cargo add sigstore
+```
+
+Or add the following to your Cargo.toml:
+
+`sigstore = "0.10.0"`
+
+Current release information is available [here](https://github.com/sigstore/sigstore-rs/releases).
+
+## Example
+
+Numerous examples are provided in the [project repository](https://github.com/sigstore/sigstore-rs/tree/main/examples), including a [simple signing example](https://github.com/sigstore/sigstore-rs/tree/main/examples/cosign/sign) and a number of examples interacting with the [Rekor transparency log](https://github.com/sigstore/sigstore-rs/tree/main/examples/rekor).