Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
// DefaultRoots is a package-level byte slice.
// NOTE(review): presumably the raw roots data in the format ParseRoots
// accepts; confirm against the package source.
// As an exported variable it can be reassigned or mutated by any importing
// package, so code that relies on it as a trust anchor should read it once
// and keep its own copy.
var DefaultRoots []byte
Functions ¶
This section is empty.
Types ¶
type CaCertMatcher ¶
// CaCertMatcher is a function type that takes no arguments and returns nothing.
// NOTE(review): the name suggests CA certificate matching, but the signature
// carries neither an input certificate nor a result; confirm the intended use.
type CaCertMatcher func()
type Instance ¶ added in v0.3.2
// Instance captures the configuration required to talk to a sigstore instance.
//
// Fields carrying a json tag are keyed by that tag when the struct is encoded
// or decoded with encoding/json; untagged exported fields are keyed by their
// Go field name.
type Instance struct {
// Embed the tuf options struct
tuf.TufOptions
// NOTE(review): undocumented; presumably toggles timestamping during
// signing. Confirm against the callers.
Timestamp bool
// AppendToRekor controls if the signing operation is recorded into the
// transparency log.
AppendToRekor bool `json:"rekor-append"`
// NOTE(review): undocumented; "STS" is not defined on this page. Confirm
// what is disabled when this is true.
DisableSTS bool
// FulcioURL url of the Fulcio CA (defaults to the public good instance)
FulcioURL string `json:"fulcio-url"`
// RekorURL url of the Rekor transparency log (defaults to the public good instance)
RekorURL string `json:"rekor-url"`
// Hide the OIDC options in the CLI --help
HideOIDCOptions bool
// FlagPrefix adds a prefix to the CLI strings, these help grouping them
FlagPrefix string
// OidcRedirectURL defines the URL that the browser will redirect to.
// if the port is set to 0, bind will randomize it to a high number
// port before starting the OIDC flow.
OidcRedirectURL string `json:"oidc-redirect-url"`
// OIDC token issuer endpoint
OidcIssuer string `json:"oidc-issuer"`
// Client ID to stamp on the tokens
OidcClientID string `json:"oidc-client-id"`
// Client secret to pass in OIDC calls.
// The json tag is neither "-" nor omitempty, so encoding/json writes this
// value out whenever an Instance is marshalled; treat serialized
// configurations, and any logs or dumps of them, as sensitive.
OidcClientSecret string `json:"oidc-client-secret"`
// The Require* fields below are plain bools, so a zero-value Instance has
// every one of them false. Whether stricter defaults are applied elsewhere
// is not visible here.
//
// Look for a signed timestamp in the cert and verify with the CTLog Auth
RequireCTlog bool `json:"require-ct-log"`
// Verify the cert validity in the transparency log
RequireTlog bool `json:"require-tlog"`
// Verify the certificate validity time with a signed timestamp
RequireSignedTimestamps bool `json:"require-signed-timestamps"`
// Allow no timestamp, for keys instead of certs
// NOTE(review): the field name says "require" while the comment above says
// "allow no timestamp"; confirm which behaviour is intended.
// NOTE(review): unlike the sibling Require* fields this one has no json tag,
// so encoding/json matches it by field name ("RequireObserverTimestamp",
// case-insensitively) and a "require-observer-timestamp" key in a config
// would be ignored by default, leaving the check off. Confirm this is
// intended.
RequireObserverTimestamp bool `json:"require-observer-timestamp"`
}
Instance captures the configuration required to talk to a sigstore instance.
func (*Instance) ValidateOIDC ¶ added in v0.3.2
ValidateOIDC checks that the OIDC properties are correct
func (*Instance) ValidateSigner ¶ added in v0.3.2
func (*Instance) ValidateTimestamps ¶ added in v0.3.2
ValidateTimestamps
func (*Instance) ValidateVerifier ¶ added in v0.3.2
type InstanceConfig ¶
type SigstoreRoots ¶
// SigstoreRoots is the structure returned by ParseRoots and ParseRootsFile.
type SigstoreRoots struct {
// Roots is keyed as "roots" in JSON and holds one InstanceConfig per entry.
// NOTE(review): InstanceConfig's fields are not shown on this page.
Roots []InstanceConfig `json:"roots"`
}
func ParseRoots ¶
func ParseRoots(data []byte) (*SigstoreRoots, error)
ParseRoots parses the contents of a sigstore roots file passed in as data
func ParseRootsFile ¶
func ParseRootsFile(path string) (*SigstoreRoots, error)
ParseRootsFile parses the sigstore roots file at path