Documentation
Overview ¶
Package sigstore provides Sigstore-based signing for evidence packs.
This package implements the sign.Signer interface using Sigstore infrastructure:
- Fulcio for certificate issuance (keyless/OIDC signing)
- Rekor for transparency log entries
- Optional TSA for RFC3161 timestamps
For keyless (OIDC) signing:
signer, err := sigstore.NewSigner(ctx, sigstore.Options{
OIDC: &sigstore.OIDCOptions{Interactive: true},
})
For key-based signing:
signer, err := sigstore.NewSigner(ctx, sigstore.Options{
PrivateKey: privateKey,
})
Index ¶
Constants ¶
const (
	// DefaultFulcioURL is the public Sigstore Fulcio instance.
	DefaultFulcioURL = "https://fulcio.sigstore.dev"
	// DefaultRekorURL is the public Sigstore Rekor instance.
	DefaultRekorURL = "https://rekor.sigstore.dev"
	// SigstoreOIDCIssuer is the default OIDC issuer for Sigstore public good.
	SigstoreOIDCIssuer = "https://oauth2.sigstore.dev/auth"
	// SigstoreClientID is the client ID for the Sigstore public good instance.
	SigstoreClientID = "sigstore"
)
Variables ¶
This section is empty.
Functions ¶
func MarshalBundle ¶
MarshalBundle serializes a bundle to JSON.
Types ¶
type OIDCOptions ¶
type OIDCOptions struct {
// Token is the OIDC token. If empty and Interactive is false,
// uses ambient credentials (e.g., ACTIONS_ID_TOKEN_REQUEST_TOKEN in GitHub Actions).
Token string
// Interactive enables browser-based OIDC authentication.
// When true and Token is empty, opens a browser for authentication.
Interactive bool
}
OIDCOptions configures keyless OIDC-based signing.
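The ambient-credential path that the Token comment mentions, as an added example that is not the package's own code: it requests an ID token from the GitHub Actions token service (which a workflow exposes only when it grants `permissions: id-token: write`) with the `sigstore` audience, and peeks at the token's `aud` claim before the token would be handed to Fulcio. `GitHubActionsToken`, `TokenAudience` and `SigstoreAudience` are names chosen for this example; `getenv` and the HTTP client are injected so the flow can be exercised against a fake endpoint.

```go
package main

import (
	"context"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// SigstoreAudience is the audience Fulcio expects in the OIDC token.
const SigstoreAudience = "sigstore"

var ErrNoAmbientCredentials = errors.New("oidc: ACTIONS_ID_TOKEN_REQUEST_URL/_TOKEN not set (not in GitHub Actions, or id-token: write missing)")

// GitHubActionsToken (hypothetical helper, not part of the package) requests
// an ID token from the GitHub Actions token service using the ambient
// ACTIONS_ID_TOKEN_REQUEST_* variables. getenv and client are injected so the
// flow can be exercised against a fake endpoint.
func GitHubActionsToken(ctx context.Context, client *http.Client, getenv func(string) string, audience string) (string, error) {
	reqURL, reqToken := getenv("ACTIONS_ID_TOKEN_REQUEST_URL"), getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
	if reqURL == "" || reqToken == "" {
		return "", ErrNoAmbientCredentials
	}
	u, err := url.Parse(reqURL)
	if err != nil {
		return "", fmt.Errorf("oidc: bad request URL: %w", err)
	}
	q := u.Query()
	q.Set("audience", audience) // Fulcio rejects tokens minted for another audience
	u.RawQuery = q.Encode()
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "bearer "+reqToken)
	req.Header.Set("Accept", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("oidc: token service returned %s", resp.Status)
	}
	var body struct {
		Value string `json:"value"`
	}
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&body); err != nil {
		return "", fmt.Errorf("oidc: decoding response: %w", err)
	}
	if body.Value == "" {
		return "", errors.New("oidc: token service returned an empty token")
	}
	return body.Value, nil
}

// TokenAudience returns the aud claim of a JWT without verifying its
// signature: a pre-flight check that the token was minted for Fulcio, not a
// substitute for the verification Fulcio itself performs.
func TokenAudience(jwt string) ([]string, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, errors.New("oidc: token is not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("oidc: decoding payload: %w", err)
	}
	var claims struct {
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	var single string // aud may be a string or an array of strings
	if json.Unmarshal(claims.Aud, &single) == nil {
		return []string{single}, nil
	}
	var many []string
	if err := json.Unmarshal(claims.Aud, &many); err != nil {
		return nil, fmt.Errorf("oidc: unexpected aud claim: %w", err)
	}
	return many, nil
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	tok, err := GitHubActionsToken(ctx, http.DefaultClient, os.Getenv, SigstoreAudience)
	if err != nil {
		fmt.Println("no ambient token:", err)
		return
	}
	aud, err := TokenAudience(tok)
	fmt.Println("ambient OIDC token obtained, aud =", aud, err)
}
```

Run outside GitHub Actions the program reports `ErrNoAmbientCredentials`, which is the same condition under which a signer configured with an empty Token and Interactive false has nothing to fall back on.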
type Options ¶
type Options struct {
// OIDC configures keyless signing via OpenID Connect.
// Mutually exclusive with PrivateKey.
OIDC *OIDCOptions
// PrivateKey enables key-based signing.
// Mutually exclusive with OIDC.
PrivateKey crypto.Signer
// FulcioURL is the Fulcio certificate authority URL.
// If empty, uses the public Sigstore instance.
// Custom URLs require InsecureAllowCustomEndpoints to be set.
FulcioURL string
// RekorURL is the Rekor transparency log URL.
// If empty, uses the public Sigstore instance.
// Custom URLs require InsecureAllowCustomEndpoints to be set.
RekorURL string
// TSAURLs are optional timestamp authority URLs for RFC3161 timestamps.
// Custom URLs require InsecureAllowCustomEndpoints to be set.
TSAURLs []string
// SkipTlog skips publishing to the transparency log (Rekor).
// When true, signatures are not recorded in the public log.
// This provides privacy but loses non-repudiation and public auditability.
// Consider using TSAURLs for timestamping when skipping tlog.
SkipTlog bool
// InsecureAllowCustomEndpoints permits non-default Fulcio/Rekor/TSA URLs.
// With OIDC signing, the token is sent to FulcioURL; a malicious endpoint
// could capture it and impersonate your identity. Only use with trusted
// private instances or for testing.
// CLI: --insecure-allow-custom-endpoints
InsecureAllowCustomEndpoints bool
}
Options configures how signing is performed.
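The constraints the field comments above spell out, as an added example that is not the package's own code: a local mirror of `Options` and a hypothetical `ValidateOptions` that rejects a configuration with zero or two signing methods, refuses non-default endpoints unless `InsecureAllowCustomEndpoints` is set, and reports the legal but weaker choices (token sent to a custom Fulcio, `SkipTlog` without a TSA) as warnings. `KeyBasedOptions` shows that a freshly generated `*ecdsa.PrivateKey` is enough to satisfy the `crypto.Signer` field. Because the package lists no default TSA URL, the example treats every `TSAURLs` entry as custom; that is an assumption.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"errors"
	"fmt"
)

// Public-good defaults, copied from the package constants above.
const (
	DefaultFulcioURL = "https://fulcio.sigstore.dev"
	DefaultRekorURL  = "https://rekor.sigstore.dev"
)

// OIDCOptions and Options are local mirrors of the documented structs so this
// example runs without importing the package; they are not its own types.
type OIDCOptions struct {
	Token       string
	Interactive bool
}

type Options struct {
	OIDC                         *OIDCOptions
	PrivateKey                   crypto.Signer
	FulcioURL                    string
	RekorURL                     string
	TSAURLs                      []string
	SkipTlog                     bool
	InsecureAllowCustomEndpoints bool
}

var (
	ErrNoSigningMethod = errors.New("sigstore: exactly one of OIDC or PrivateKey must be set")
	ErrCustomEndpoint  = errors.New("sigstore: non-default Fulcio/Rekor/TSA URL requires InsecureAllowCustomEndpoints")
)

// ValidateOptions (hypothetical helper) applies the rules from the field
// comments: exactly one signing method, and non-default endpoints only behind
// the explicit opt-in. Legal but weaker choices come back as warnings.
func ValidateOptions(o Options) ([]string, error) {
	if (o.OIDC == nil) == (o.PrivateKey == nil) {
		return nil, ErrNoSigningMethod
	}
	customFulcio := o.FulcioURL != "" && o.FulcioURL != DefaultFulcioURL
	customRekor := o.RekorURL != "" && o.RekorURL != DefaultRekorURL
	customTSA := len(o.TSAURLs) > 0 // assumption: no default TSA, so any TSA URL is custom
	if (customFulcio || customRekor || customTSA) && !o.InsecureAllowCustomEndpoints {
		return nil, ErrCustomEndpoint
	}
	var warnings []string
	if customFulcio && o.OIDC != nil {
		warnings = append(warnings, "OIDC token will be sent to non-default Fulcio "+o.FulcioURL+"; a hostile endpoint could impersonate you")
	}
	if o.SkipTlog {
		warnings = append(warnings, "SkipTlog: signature will not be recorded in Rekor, so it is not publicly auditable")
		if len(o.TSAURLs) == 0 {
			warnings = append(warnings, "SkipTlog without TSAURLs: nothing attests when the signature was made")
		}
	}
	return warnings, nil
}

// KeyBasedOptions builds Options for key-based signing. An *ecdsa.PrivateKey
// already satisfies crypto.Signer, which is all the PrivateKey field requires.
func KeyBasedOptions() (Options, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Options{}, err
	}
	return Options{PrivateKey: key}, nil
}

func main() {
	keyBased, err := KeyBasedOptions()
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name string
		opts Options
	}{
		{"keyless, ambient credentials", Options{OIDC: &OIDCOptions{}}},
		{"key-based, tlog skipped, no TSA", Options{PrivateKey: keyBased.PrivateKey, SkipTlog: true}},
		{"custom Fulcio without opt-in", Options{OIDC: &OIDCOptions{Interactive: true}, FulcioURL: "https://fulcio.internal.example"}},
		{"custom Fulcio with opt-in", Options{OIDC: &OIDCOptions{Interactive: true}, FulcioURL: "https://fulcio.internal.example", InsecureAllowCustomEndpoints: true}},
		{"no signing method", Options{}},
	}
	for _, c := range cases {
		warnings, err := ValidateOptions(c.opts)
		fmt.Printf("%-34s err=%v warnings=%q\n", c.name, err, warnings)
	}
}
```

A check of this shape belongs before any network call: the dangerous case is the OIDC one, where a token has already been sent to a wrong Fulcio by the time a later error surfaces.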
type Signer ¶
type Signer struct {
// contains filtered or unexported fields
}
Signer implements sign.Signer using Sigstore infrastructure.
func NewSigner ¶
NewSigner creates a new Sigstore-based signer.
For keyless (OIDC) signing, provide OIDCOptions: an explicit Token, Interactive for the browser flow, or neither to use ambient credentials. For key-based signing, provide a PrivateKey. The two are mutually exclusive; exactly one must be set.