README
¶
Carabiner Signer Library
Easy digital signing library with support for sigstore and (upcoming) support for simpler signing with key pairs.
package main
import (
"fmt"
"os"
"github.com/carabiner-dev/signer"
)
func main() {
// Create a signer:
s := signer.NewSigner()
// Sign a string as a sigstore bundle.
//
// This call triggers the sigstore flow if ambient
// credentials are not available.
bundle, err := s.SignMessage([]byte("My signed data"))
if err != nil {
fmt.Fprintln(os.Stderr, err.Error())
os.Exit(1)
}
// Output the bundle to STDOUT
if err := s.WriteBundle(bundle, os.Stdout); err != nil {
fmt.Fprintln(os.Stderr, err.Error())
os.Exit(1)
}
}
Status
The library has simple signing function to sign and verify attestations and arbitrary data into sigstore bundles. The current functionality is considered stable but the library is still under active feature development.
Upcoming Features
Some of the features we are working on that will soon show up in this module include:
- Support for signing with supplied plain key pairs.
- DSSE (non bundle) output
- Keypair providers
- Certificate/identity cache (gitsign credential cache style).
Code Examples
We have two simple examples that demonstrate how to sign and verify an in-toto attestation and how to sign and verify a random data message.
Copyright
This library is made with <3 and Copyright by Carabiner Systems, Inc and released under the Apache-2.0 license. Feel free to send patches and open issues or just tell us if you are using it. We love feedback on all our projects.
Documentation
¶
Index ¶
- Constants
- type Signer
- type Verifier
- func (v *Verifier) VerifyBundle(bundlePath string, fnOpts ...options.VerifierOptFunc) (*verify.VerificationResult, error)
- func (v *Verifier) VerifyInlineBundle(bundleContents []byte, fnOpts ...options.VerifierOptFunc) (*verify.VerificationResult, error)
- func (v *Verifier) VerifyParsedBundle(bndl *sbundle.Bundle, fnOpts ...options.VerifierOptFunc) (*verify.VerificationResult, error)
Constants ¶
const GitHubTimeStamperURL = "https://timestamp.githubapp.com/api/v1/timestamp"
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Signer ¶
func (*Signer) SignMessage ¶
SignMessage signs a payload as a message digest and returns a sigstore bundle.
func (*Signer) SignStatement ¶
SignStatement signs an in-toto attestation using the configured options and returns a sigstore bundle. The signing process will try to obtain the signer identity in this order:
- Try the configured ambient credentials providers (currently only the GitHub actions plugin is supported).
- If a terminal is detected, it will start the sigstore oidc flow in a browser.
- If no terminal is detected, it will start the sigstore device flow.
type Verifier ¶
func NewVerifier ¶
func NewVerifier() *Verifier
func (*Verifier) VerifyBundle ¶
func (v *Verifier) VerifyBundle(bundlePath string, fnOpts ...options.VerifierOptFunc) (*verify.VerificationResult, error)
VerifyBundle verifies a signed bundle containing a dsse envelope
func (*Verifier) VerifyInlineBundle ¶
func (v *Verifier) VerifyInlineBundle(bundleContents []byte, fnOpts ...options.VerifierOptFunc) (*verify.VerificationResult, error)
VerifyBundle verifies a signed bundle containing a dsse envelope
func (*Verifier) VerifyParsedBundle ¶
func (v *Verifier) VerifyParsedBundle(bndl *sbundle.Bundle, fnOpts ...options.VerifierOptFunc) (*verify.VerificationResult, error)
VerifyParsedBundle verifies a sigstore bundle with the provided options
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
_examples
|
|
|
attestation
command
|
|
|
message
command
|
|
|
bundlefakes
Code generated by counterfeiter.
|
Code generated by counterfeiter. |
|
internal
|
|
|
sts/providers/github
Package github implements a client to requesta short lived token from github actions.
|
Package github implements a client to requesta short lived token from github actions. |