README
¶
sigstore framework
sigstore/sigstore is a generic library / framework that is utilized by various other clients and projects including fulcio (webPKI), cosign (container and OCI signing tool) and tektoncd/chains (Supply Chain Security in Tekton Pipelines).
sigstore is a good candidate for anyone wanting to develop go based clients / systems and utilise existing go modules for common sigstore functionality.
This library currently provides:
- A signing interface (support for ecdsa, ed25519, rsa, DSSE (in-toto))
- OpenID Connect fulcio client code
The following KMS systems are available:
- AWS Key Management Service
- Azure Key Vault
- HashiCorp Vault
- Google Cloud Platform Key Management Service
For example code, look at the relevant test code for each main code file.
Fuzzing
The fuzzing tests are within https://github.com/sigstore/sigstore/tree/main/test/fuzz
Security
Should you discover any security issues, please refer to sigstores security process
For container signing, you want cosign
Directories
¶
| Path | Synopsis |
|---|---|
|
pkg
|
|
|
cryptoutils
Package cryptoutils implements support for working with encoded certificates, public keys, and private keys
|
Package cryptoutils implements support for working with encoded certificates, public keys, and private keys |
|
fulcioroots
Package fulcioroots assists with extracting trust root information for Fulcio
|
Package fulcioroots assists with extracting trust root information for Fulcio |
|
oauth
Package oauth contains types and utilities related to OAuth2.
|
Package oauth contains types and utilities related to OAuth2. |
|
oauth/internal
Package internal contains utilities for parsing OAuth2 tokens
|
Package internal contains utilities for parsing OAuth2 tokens |
|
oauth/oidc
Package oidc contains utilities related to OIDC tokens.
|
Package oidc contains utilities related to OIDC tokens. |
|
oauthflow
Package oauthflow implements OAuth/OIDC support for device and token flows
|
Package oauthflow implements OAuth/OIDC support for device and token flows |
|
signature
Package signature contains types and utilities related to Sigstore signatures.
|
Package signature contains types and utilities related to Sigstore signatures. |
|
signature/dsse
Package dsse includes wrappers to support DSSE
|
Package dsse includes wrappers to support DSSE |
|
signature/kms
Package kms contains utilities related to third-party KMS providers.
|
Package kms contains utilities related to third-party KMS providers. |
|
signature/kms/aws
Package aws implement the interface with amazon aws kms service
|
Package aws implement the interface with amazon aws kms service |
|
signature/kms/azure
Package azure implement the interface with microsoft azure kms service
|
Package azure implement the interface with microsoft azure kms service |
|
signature/kms/fake
Package fake contains utilities to help test KMS providers.
|
Package fake contains utilities to help test KMS providers. |
|
signature/kms/gcp
Package gcp implement the interface with google cloud kms service
|
Package gcp implement the interface with google cloud kms service |
|
signature/kms/hashivault
Package hashivault implement the interface with hashivault kms service
|
Package hashivault implement the interface with hashivault kms service |
|
signature/options
Package options defines options for KMS clients
|
Package options defines options for KMS clients |
|
signature/payload
Package payload contains types and utilities related to the Cosign signature format.
|
Package payload contains types and utilities related to the Cosign signature format. |
|
signature/ssh
Package ssh implements signing with SSH keys
|
Package ssh implements signing with SSH keys |
|
test
|
|
|
fuzz
Module
|
Click to show internal directories.
Click to hide internal directories.