
Go library for Sigstore signing and verification

sigstore-go-archived

:warning: This project is archived and will no longer receive updates. It has been replaced by a new project; please refer to https://github.com/sigstore/sigstore-go

This is a Go client library for Sigstore.

The project is under early development and you shouldn't depend on it yet. In the long run, you should depend on sigstore-go instead of cosign or sigstore/sigstore if you need a Sigstore Go client library, but don't need support for OCI registries/containers. Use cosign if you need OCI support, or if you're looking for a CLI signing/verification tool.

Sigstore Library Landscape

This section describes the desired end state after sigstore-go is complete, not the current state.

These are the dependency relationships for library projects under the Sigstore organization ("s/s" is sigstore/sigstore; darker-background libraries are shared across language ecosystems).

```mermaid
graph LR
  cosign --> sigstore-go
  sigstore-go --> rekor
  sigstore-go --> fulcio
  sigstore-go --> s/s
  rekor --> s/s
  fulcio --> s/s
  rekor --> protobuf-specs
  fulcio --> protobuf-specs
  clients --> rekor
  clients --> fulcio
  sigstore-go --> protobuf-specs
  clients("sigstore-{ruby,js,java,python,rs}") --> protobuf-specs

  classDef shared fill:#bbf;
  class rekor,fulcio,protobuf-specs shared;
```

See Sigstore in Golang for design rationale; you may need to join [email protected] for access. We have:

  • Infrastructure
    • fulcio: The CA for Sigstore. Contains the Fulcio server implementation along with a basic generated client library.
    • rekor: The artifact log for Sigstore. Contains the Rekor server implementation along with a basic generated client library.
    • protobuf-specs: Definitions for common Sigstore data formats.
  • Golang
    • sigstore/sigstore: Common code, used in both the infrastructure and clients.
    • sigstore-go: a Golang client library for Sigstore.
    • cosign: A library for using Sigstore to sign container images in OCI registries (along with a CLI). This is a relatively thin wrapper around sigstore-go.
  • Other language clients.

Security

Should you discover any security issues, please refer to Sigstore's security process.