sigstore-java
java clients for sigstore
A sigstore java client for interacting with sigstore infrastructure
⚠️ This project is not ready for general-purpose use! ⚠️
This project requires a minimum of Java 11 and is currently in pre-release; APIs and dependencies are likely to change.
You can file issues directly on this project, or if you have any questions, message us on the sigstore#java slack channel.
Usage
Keyless Signing And Verification
Signing
Path testArtifact = Paths.get("path/to/my/file.jar");
var signer = KeylessSigner.builder().sigstorePublicDefaults().build();
var result = signer.sign(testArtifact); // runs the OIDC flow and obtains a short-lived Fulcio certificate
// resulting signature information
// sigstore bundle format (serialized as <artifact>.sigstore.json)
String bundle = BundleFactory.createBundle(result);
// artifact digest (sha256)
byte[] digest = result.getDigest();
// certificate from fulcio
CertPath certs = result.getCertPath(); // java representation of a certificate path
byte[] certsBytes = Certificates.toPemBytes(result.getCertPath()); // converted to PEM encoded byte array
// artifact signature
byte[] sig = result.getSignature();
Verification
KeylessSignature from bundle
var bundleFile = // java.nio.Path to a .sigstore.json signature bundle file
var keylessSignature = BundleFactory.readBundle(Files.newBufferedReader(bundleFile, StandardCharsets.UTF_8));
KeylessSignature from certificate and signature
byte[] digest = // byte array sha256 artifact digest
byte[] certificateChain = // byte array of PEM encoded cert chain
byte[] signature = // byte array of artifact signature
var keylessSignature =
KeylessSignature.builder()
.signature(signature)
.certPath(Certificates.fromPemChain(certificateChain))
.digest(digest)
.build();
Configure verification options
var verificationOptions =
VerificationOptions.builder()
// add certificate policy to verify the identity of the signer
.addCertificateIdentities(
CertificateIdentity.builder()
.issuer("https://accounts.example.com")
.subjectAlternativeName("[email protected]")
.build())
.build();
Do verification
var artifact = // java.nio.Path to artifact file
try {
var verifier = new KeylessVerifier.Builder().sigstorePublicDefaults().build();
verifier.verify(
artifact,
KeylessVerificationRequest.builder()
.keylessSignature(keylessSignature)
.verificationOptions(verificationOptions)
.build());
// verification passed!
} catch (KeylessVerificationException e) {
// verification failed
}
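The snippets above are fragments; the following is an added end-to-end example (written for this page, not code from the sigstore-java project) that ties them together: sign an artifact, write the bundle beside it as <artifact>.sigstore.json, read the bundle back, and verify it against an explicit signer identity. The security-relevant point is the certificate identity policy: the chain check alone only establishes that some Fulcio-issued certificate signed the artifact, so pinning the issuer and subject alternative name is what binds the signature to the signer you expect. Assumptions: the import package names (dev.sigstore.*) follow the published Javadoc and may differ between pre-release versions, and the issuer and identity strings in main are placeholders to replace with the OIDC provider and account you sign with.

```java
// Added example, not part of the sigstore-java README.
// Assumed: package names under dev.sigstore (confirm against the Javadoc for your version).
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import dev.sigstore.KeylessSignature;
import dev.sigstore.KeylessSigner;
import dev.sigstore.KeylessVerificationException;
import dev.sigstore.KeylessVerificationRequest;
import dev.sigstore.KeylessVerifier;
import dev.sigstore.VerificationOptions;
import dev.sigstore.VerificationOptions.CertificateIdentity;
import dev.sigstore.bundle.BundleFactory;

public class SignThenVerify {

  // Signs the artifact and writes the sigstore bundle next to it as
  // <artifact>.sigstore.json (the naming convention the README describes).
  static Path sign(Path artifact) throws Exception {
    var signer = KeylessSigner.builder().sigstorePublicDefaults().build();
    var result = signer.sign(artifact); // triggers the interactive OIDC flow
    Path bundlePath = artifact.resolveSibling(artifact.getFileName() + ".sigstore.json");
    Files.writeString(bundlePath, BundleFactory.createBundle(result), StandardCharsets.UTF_8);
    return bundlePath;
  }

  // Verifies the artifact against its bundle and accepts only the expected signer.
  // The certificate identity is the policy that pins issuer + identity; a verifier
  // without it would accept any signature backed by a valid Fulcio certificate.
  static boolean verify(Path artifact, Path bundlePath, String issuer, String identity)
      throws Exception {
    KeylessSignature keylessSignature;
    try (var reader = Files.newBufferedReader(bundlePath, StandardCharsets.UTF_8)) {
      keylessSignature = BundleFactory.readBundle(reader);
    }
    var options =
        VerificationOptions.builder()
            .addCertificateIdentities(
                CertificateIdentity.builder()
                    .issuer(issuer)
                    .subjectAlternativeName(identity)
                    .build())
            .build();
    var verifier = new KeylessVerifier.Builder().sigstorePublicDefaults().build();
    try {
      verifier.verify(
          artifact,
          KeylessVerificationRequest.builder()
              .keylessSignature(keylessSignature)
              .verificationOptions(options)
              .build());
      return true; // digest, certificate chain, transparency log entry and identity all checked
    } catch (KeylessVerificationException e) {
      System.err.println("verification failed: " + e.getMessage());
      return false;
    }
  }

  public static void main(String[] args) throws Exception {
    Path artifact = Paths.get(args[0]);
    Path bundle = sign(artifact);
    // Placeholder issuer/identity: substitute the OIDC issuer and account used for signing.
    boolean ok = verify(artifact, bundle, "https://accounts.example.com", "signer@example.com");
    System.out.println(ok ? "verified" : "NOT verified");
    System.exit(ok ? 0 : 1);
  }
}
```

Run it with the artifact path as the only argument; the signing step opens the OIDC login flow, so it needs network access and an interactive session, while the verification step needs network access to reach the public Rekor and Fulcio instances configured by sigstorePublicDefaults(). Treat a false return as a hard failure in any pipeline: a signature from the wrong identity is exactly the case the policy exists to reject.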
Exploring the API
You can browse the Javadoc at https://javadoc.io/doc/dev.sigstore/sigstore-java.
To build javadoc from the sources, use the following command:
$ ./gradlew javadoc
$ "my-favorite-browser" ./sigstore-java/build/docs/javadoc/index.html