-
Notifications
You must be signed in to change notification settings - Fork 81
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Adding information on sigstore-go (#345)
* initial Go commit. Signed-off-by: hayleycd <[email protected]> * Initial Go entry Signed-off-by: hayleycd <[email protected]> * Clarified cosign vs sigstore-go. Signed-off-by: hayleycd <[email protected]> * Addressing linter comments. Signed-off-by: hayleycd <[email protected]> --------- Signed-off-by: hayleycd <[email protected]>
- Loading branch information
Showing
3 changed files
with
87 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| --- | ||
| type: docs | ||
| title: "Go" | ||
| description: "Go Language Client" | ||
| lead: "Go Language Client" | ||
| date: 2024-10-06T08:49:15+00:00 | ||
| lastmod: 2024-10-06T08:49:15+00:00 | ||
| draft: false | ||
| images: [] | ||
| weight: 60 | ||
| --- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| --- | ||
| type: docs | ||
| category: Go | ||
| title: Go Client Overview | ||
| weight: 5 | ||
| --- | ||
|
|
||
| [`sigstore-go`](https://pkg.go.dev/github.com/sigstore/sigstore-go) is the Go language client library for Sigstore. | ||
|
|
||
| `sigstore-go` is intended as a minimal dependency library for signing and verifying. It's not intended to replace [cosign](../../cosign/signing/overview.md), which provides a CLI with many features for interacting with Sigstore. Over time, `cosign` will use `sigstore-go` for verification. | ||
|
|
||
| - Friendly API for integrating Go code with Sigstore | ||
| - Smaller dependency tree | ||
| - Focuses on newly specified data structures in [sigstore/protobuf-specs](https://github.com/sigstore/protobuf-specs) | ||
| - Perfect for simple signing and verififcation tasks | ||
|
|
||
| `sigstore-go` is currently in beta. | ||
|
|
||
| ## Features | ||
|
|
||
| - Signing and verification of [Sigstore bundles](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto) | ||
| - Verification of raw Sigstore signatures | ||
| - Signing and verifying with a Timestamp Authority (TSA) | ||
| - Online and offline signing and verifying with Rekor (Artifact Transparency Log) | ||
| - Structured verification results including certificate metadata | ||
| - TUF support | ||
| - Verification support for custom [trusted root](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_trustroot.proto) | ||
| - Basic CLI | ||
|
|
||
| ## Installation | ||
|
|
||
| ### Main CLI installation | ||
|
|
||
| `sigstore-go` requires Go 1.21 or greater. The package is tested with Go 1.23. | ||
|
|
||
| To compile/install the CLI, clone [`sigstore-go`](https://github.com/sigstore/sigstore-go) and run. | ||
|
|
||
| ```console | ||
| make install | ||
| ``` | ||
|
|
||
| Alternatively, you can use `go run cmd/sigstore-go/main.go` to access the CLI, as show in the [example](#cli-example). | ||
|
|
||
| ## Example | ||
|
|
||
| ### CLI example | ||
|
|
||
| The following is an example of using the sigstore-go CLI to verify a signature. | ||
|
|
||
| ```console | ||
| go run cmd/sigstore-go/main.go \ | ||
| -artifact-digest 76176ffa33808b54602c7c35de5c6e9a4deb96066dba6533f50ac234f4f1f4c6b3527515dc17c06fbe2860030f410eee69ea20079bd3a2c6f3dcf3b329b10751 \ | ||
| -artifact-digest-algorithm sha512 \ | ||
| -expectedIssuer https://token.actions.githubusercontent.com \ | ||
| -expectedSAN https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main \ | ||
| examples/bundle-provenance.json | ||
| Verification successful! | ||
| { | ||
| "version": 20230823, | ||
| "statement": { | ||
| "_type": "https://in-toto.io/Statement/v0.1", | ||
| "predicateType": "https://slsa.dev/provenance/v0.2", | ||
| "subject": ... | ||
| }, | ||
| ... | ||
| } | ||
| ``` | ||
|
|
||
| ### Additional examples | ||
|
|
||
| Additional examples are available in the [project documentation](https://github.com/sigstore/sigstore-go#sigstore-go). | ||
|
|
||
| - [Signing example](https://github.com/sigstore/sigstore-go/blob/main/docs/signing.md#examples) | ||
| - [Verifying example](https://github.com/sigstore/sigstore-go/blob/main/docs/verification.md#verification-using-sigstore-go) | ||
| - [OCI image verifying example](https://github.com/sigstore/sigstore-go/blob/main/docs/oci-image-verification.md#example-of-oci-image-verification-using-sigstore-go) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters