Documentation
Index
- Constants
- func SignBlobWithKey(ctx context.Context, payload []byte, req *signv1.SignWithKey) (*signv1.Signature, *signv1.PublicKey, error)
- func SignBlobWithOIDC(ctx context.Context, payload []byte, req *signv1.SignWithOIDC) (*signv1.Signature, *signv1.PublicKey, error)
- func VerifyWithKeys(ctx context.Context, payload []byte, pubKeys []string, ...) (*signv1.SignerInfo, error)
- func VerifyWithOIDC(payload []byte, req *signv1.VerifyWithOIDC, signature *signv1.Signature) (*signv1.SignerInfo, error)
Constants
Variables
This section is empty.
Functions
func SignBlobWithKey
func SignBlobWithKey(ctx context.Context, payload []byte, req *signv1.SignWithKey) (*signv1.Signature, *signv1.PublicKey, error)
SignBlobWithKey signs a blob using a private key. Supports both inline PEM content and key references (file paths, URLs, KMS URIs).
func SignBlobWithOIDC
func SignBlobWithOIDC(ctx context.Context, payload []byte, req *signv1.SignWithOIDC) (*signv1.Signature, *signv1.PublicKey, error)
SignBlobWithOIDC signs a blob using OIDC authentication.
func VerifyWithKeys
func VerifyWithKeys(ctx context.Context, payload []byte, pubKeys []string, signature *signv1.Signature) (*signv1.SignerInfo, error)
VerifyWithKeys verifies signatures against public keys using cosign. It iterates through all combinations of public keys and signatures to find a valid match. Public keys can be either PEM content or key references (file paths, URLs, KMS URIs).
Returns true with metadata if any signature verifies with any public key. Returns false with nil error if no valid combination is found or if no signatures/public keys are provided.
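The "try each public key until one verifies" behaviour described above, as an added example that is not this package's code: it uses Go's standard-library Ed25519 instead of cosign, and `matchKey` and `signedSample` are hypothetical names. It shows why a nil error alone must not be read as a successful verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// matchKey (hypothetical) returns the index of the first PEM public key that
// verifies sig over payload, or -1 with a nil error when none matches.
func matchKey(payload, sig []byte, pubPEMs []string) (int, error) {
	for i, p := range pubPEMs {
		block, _ := pem.Decode([]byte(p))
		if block == nil {
			return -1, fmt.Errorf("key %d: no PEM block", i)
		}
		parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
		if err != nil {
			return -1, fmt.Errorf("key %d: %w", i, err)
		}
		// Keys of another type cannot verify an Ed25519 signature: skip them.
		if pub, ok := parsed.(ed25519.PublicKey); ok && ed25519.Verify(pub, payload, sig) {
			return i, nil
		}
	}
	return -1, nil // no match and an empty key list both end here
}

// signedSample (hypothetical) signs payload with a fresh, constructed key.
func signedSample(payload []byte) ([]byte, string) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	block := &pem.Block{Type: "PUBLIC KEY", Bytes: der}
	return ed25519.Sign(priv, payload), string(pem.EncodeToMemory(block))
}

func main() {
	payload := []byte("constructed sample blob")
	sig, signerPEM := signedSample(payload)
	_, otherPEM := signedSample(payload)
	fmt.Println(matchKey(payload, sig, []string{otherPEM, signerPEM}))  // 1 <nil>
	fmt.Println(matchKey([]byte("tampered"), sig, []string{signerPEM})) // -1 <nil>
}
```

A caller that checks only `err == nil` would accept the tampered payload in the second call; the match result has to be checked as well.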
func VerifyWithOIDC
func VerifyWithOIDC(payload []byte, req *signv1.VerifyWithOIDC, signature *signv1.Signature) (*signv1.SignerInfo, error)
VerifyWithOIDC verifies a Sigstore bundle using OIDC identity. This performs full Sigstore verification, including:
- Certificate chain validation against the Fulcio root
- Transparency log verification (Rekor)
- Timestamp verification
- OIDC issuer and identity matching
Types
This section is empty.