sign

Version: v0.11.1
Published: Apr 21, 2026 | License: MIT | Imports: 0 | Imported by: 0

README

axon-sign

Pure-Go cryptographic signing library: Ed25519 keypairs, SSHSIG format, key rotation, and provenance.

Import: github.com/benaskins/axon-sign

What it does

axon-sign provides cryptographic signing primitives for the lamina workspace. No shell-outs to ssh-keygen or gpg; everything is pure Go with a single dependency on golang.org/x/crypto.

Packages

Package      Purpose
keys         Ed25519 keypair generation, PEM/OpenSSH serialization, AES-256-GCM encryption (Argon2id KDF)
keystore     Key storage interface with filesystem backend, supports rotation history
sign         Raw signing/verification, batch signing, manifests with embedded public keys
sshsig       SSHSIG format for Git commit signing (OpenSSH 8.0+ compatible)
rotation     Key rotation workflow preserving old keys for historical verification
provenance   PROVENANCE.md generation for release artifacts

Usage

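Generate and store a keypair

import (
    "github.com/benaskins/axon-sign/keys"
    "github.com/benaskins/axon-sign/keystore"
)

// passphrase and dir are supplied by the caller; errors are discarded here for brevity.
// Generate an Ed25519 keypair and encrypt the private key under the passphrase.
pub, priv, _ := keys.GenerateKeyPair()
encrypted, _ := keys.EncryptPrivateKey(priv, passphrase)

// Store the public key and the encrypted private key under the name "agent-1".
ks, _ := keystore.NewFSKeystore(dir)
ks.StoreKey("agent-1", pub, encrypted)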

Sign and verify

import "github.com/benaskins/axon-sign/sign"

// Sign data with the private key, then verify the signature with the public key.
sig, _ := sign.Sign(data, priv)
ok, _ := sign.Verify(data, sig, pub)

Batch sign with manifest

// Sign every file in paths and write the resulting manifest to MANIFEST.json.
manifest, _ := sign.BatchSign(paths, priv, pub)
sign.WriteManifest(manifest, "MANIFEST.json")

Git commit signing (SSHSIG)

import "github.com/benaskins/axon-sign/sshsig"

// Produce an SSHSIG signature over the commit content, then verify it.
sigPEM, _ := sshsig.SignCommit(commitContent, priv)
ok, _ := sshsig.VerifyCommit(commitContent, sigPEM, pub)
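
What an SSHSIG signature over a commit actually covers, as an added example using only the Go standard library (not axon-sign's own code): the signed blob defined in OpenSSH's PROTOCOL.sshsig, with the namespace bound into it so a signature made for "git" does not verify under another namespace. The helper names, the fixed test seed and the sample commit are constructed for illustration, and the armored envelope around the signature is omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha512"
	"encoding/binary"
	"fmt"
)

// sshString encodes b as an SSH wire "string": uint32 big-endian length, then the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// signedData builds the blob SSHSIG signs (PROTOCOL.sshsig):
// "SSHSIG" || string namespace || string reserved || string hash_algorithm || string H(message).
func signedData(namespace string, message []byte) []byte {
	h := sha512.Sum512(message)
	blob := []byte("SSHSIG") // magic preamble, not length-prefixed
	blob = append(blob, sshString([]byte(namespace))...)
	blob = append(blob, sshString(nil)...) // reserved field, empty
	blob = append(blob, sshString([]byte("sha512"))...)
	return append(blob, sshString(h[:])...)
}

// signNS returns the raw Ed25519 signature over the SSHSIG blob for namespace.
func signNS(priv ed25519.PrivateKey, namespace string, message []byte) []byte {
	return ed25519.Sign(priv, signedData(namespace, message))
}

// verifyNS accepts sig only if it covers the same message AND the same namespace.
func verifyNS(pub ed25519.PublicKey, namespace string, message, sig []byte) bool {
	return ed25519.Verify(pub, signedData(namespace, message), sig)
}

// demoKey derives a constructed test key from an all-zero seed; never use it for real signing.
func demoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKey()
	commit := []byte("tree 0000\nauthor A <a@example.com>\n\nconstructed commit\n") // constructed sample
	sig := signNS(priv, "git", commit)
	fmt.Println("namespace git verifies: ", verifyNS(pub, "git", commit, sig))
	fmt.Println("namespace file verifies:", verifyNS(pub, "file", commit, sig))
}
```
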

Key rotation

import "github.com/benaskins/axon-sign/rotation"

newPub, _ := rotation.RotateKey(ks, "agent-1", passphrase)
// Old key preserved; VerifyWithRotation checks all keys

Dependencies

  • golang.org/x/crypto (Argon2id, SSH wire format)

Build & Test

go test ./...
go vet ./...

Documentation

Overview

Package sign provides SSH-based cryptographic signing and verification for Go.

Subpackages: keys, keystore, sshsig, rotation, provenance.

Class: primitive
UseWhen: Signing build artifacts, ADR bundles, git commits. Verification of signed content.

Directories

Path Synopsis
Package keys provides Ed25519 keypair generation and public key serialization.
Package keystore provides storage and retrieval of named Ed25519 signing keys.
Package rotation provides key rotation for named Ed25519 signing keys.
Package sign provides raw Ed25519 signing and verification with detached signature files.
Package sshsig implements the OpenSSH SSHSIG wire format for Git commit signing.
