Variables ¶
// DefaultRoots is the built-in roots document as raw bytes.
// NOTE(review): it is declared here without an initializer, so it is
// presumably populated elsewhere (an embed or init step) and is the input
// ParseRoots expects — confirm before relying on it being non-empty.
var DefaultRoots []byte
Types ¶
type CaCertMatcher ¶
// CaCertMatcher is a function type taking no arguments and returning nothing.
// NOTE(review): its role is not documented on this page; confirm the intended
// contract with the code that invokes it before extending it.
type CaCertMatcher func()
type Instance ¶ added in v0.3.2
// Instance captures the configuration required to talk to a sigstore instance.
type Instance struct {
	// TufOptions is embedded so the TUF options are part of the instance
	// configuration and of its JSON form.
	tuf.TufOptions
	// SigningConfig holds the official sigstore signing configuration
	// (application/vnd.dev.sigstore.signingconfig.v0.2+json).
	// The `json:"-"` tag keeps it out of JSON (de)serialization, so it has
	// to be populated from another source.
	SigningConfig *root.SigningConfig `json:"-"`
	// Timestamp is not documented on this page. NOTE(review): presumably it
	// requests a signed timestamp during signing — confirm with the signer.
	Timestamp bool
	// AppendToRekor controls if the signing operation is recorded into the
	// transparency log.
	AppendToRekor bool `json:"rekor-append"`
	// DisableSTS is not documented on this page. NOTE(review): presumably it
	// skips a security-token-service exchange step — confirm with callers.
	DisableSTS bool
	// HideOIDCOptions hides the OIDC options in the CLI --help output.
	HideOIDCOptions bool
	// FlagPrefix adds a prefix to the CLI flag strings, which helps group them.
	FlagPrefix string
	// OIDCConfig holds the client-side OIDC configuration.
	OIDCConfig OIDCConfig `json:"oidc-config"`
	// VerifierConfig holds the verification policy options.
	VerifierConfig VerifierConfig `json:"verifier-config"`
}
Instance captures the configuration required to talk to a sigstore instance.
func (*Instance) FulcioURL ¶ added in v0.3.2
FulcioURL returns the Fulcio CA URL from the signing config.
func (*Instance) OidcIssuerURL ¶ added in v0.4.0
OidcIssuerURL returns the OIDC issuer URL from the signing config.
func (*Instance) RekorURL ¶ added in v0.3.2
RekorURL returns the Rekor transparency log URL from the signing config.
func (*Instance) ValidateOIDC ¶ added in v0.3.2
ValidateOIDC checks that the OIDC properties are correct.
func (*Instance) ValidateSigner ¶ added in v0.3.2
func (*Instance) ValidateSigningConfig ¶ added in v0.4.0
ValidateSigningConfig checks that the instance has a valid signing config.
func (*Instance) ValidateTimestamps ¶ added in v0.3.2
ValidateTimestamps checks that at least one timestamp verification method is set.
func (*Instance) ValidateVerifier ¶ added in v0.3.2
type InstanceConfig ¶
// InstanceConfig is one entry of a roots document: an identifier, an issuer
// organization, the signing config as raw JSON, and the embedded Instance.
type InstanceConfig struct {
	// ID identifies this instance entry.
	ID string `json:"id"`
	// IssuerOrg is serialized as "issuer-org". NOTE(review): presumably the
	// organization behind the OIDC issuer — confirm with the code that reads it.
	IssuerOrg string `json:"issuer-org"`
	// SigningConfigRaw keeps the "signing-config" document undecoded.
	// NOTE(review): presumably decoded later into Instance.SigningConfig,
	// which is excluded from JSON via `json:"-"` — confirm against ParseRoots.
	SigningConfigRaw json.RawMessage `json:"signing-config"`
	// Instance is embedded, so its JSON fields are flattened into this entry.
	Instance
}
type OIDCConfig ¶ added in v0.4.0
// OIDCConfig captures the client-side OIDC configuration for a sigstore instance.
type OIDCConfig struct {
	// RedirectURL defines the URL that the browser will redirect to.
	// If the port is set to 0, it will be randomized to a high number
	// port before starting the OIDC flow.
	RedirectURL string `json:"redirect-url"`
	// ClientID is the OIDC client ID to stamp on the tokens.
	ClientID string `json:"client-id"`
	// ClientSecret is the OIDC client secret. It is serialized as plain text
	// under "client-secret", so any roots file carrying a value here must be
	// stored and transported with the care given to credentials, and this
	// struct should not be logged with %+v or %#v.
	ClientSecret string `json:"client-secret"`
}
OIDCConfig captures the client-side OIDC configuration for a sigstore instance.
func (*OIDCConfig) Validate ¶ added in v0.4.0
func (oc *OIDCConfig) Validate() error
Validate checks that the required OIDC client fields are set.
type SigstoreRoots ¶
// SigstoreRoots is the top-level shape of a roots document: a list of
// instance configurations under the "roots" key.
type SigstoreRoots struct {
	// Roots lists the configured sigstore instances.
	Roots []InstanceConfig `json:"roots"`
}
func ParseRoots ¶
func ParseRoots(data []byte) (*SigstoreRoots, error)
ParseRoots parses a sigstore roots file from its raw bytes.
func ParseRootsFile ¶
func ParseRootsFile(path string) (*SigstoreRoots, error)
ParseRootsFile parses the sigstore roots file found at path.
type VerifierConfig ¶ added in v0.4.0
// VerifierConfig captures the verification policy for a sigstore instance.
// Each field enables one check; Validate requires at least one timestamp
// verification method to be set, so a zero-value policy is rejected rather
// than silently verifying nothing.
type VerifierConfig struct {
	// RequireCTlog looks for a signed timestamp in the certificate and
	// verifies it against the CT log authority.
	RequireCTlog bool `json:"require-ct-log"`
	// RequireTlog verifies the certificate validity in the transparency log.
	RequireTlog bool `json:"require-tlog"`
	// RequireSignedTimestamps verifies the certificate validity time with a
	// signed timestamp.
	RequireSignedTimestamps bool `json:"require-signed-timestamps"`
	// RequireObserverTimestamp requires an observer timestamp for verification.
	RequireObserverTimestamp bool `json:"require-observer-timestamp"`
}
VerifierConfig captures the verification policy for a sigstore instance.
func (*VerifierConfig) Validate ¶ added in v0.4.0
func (vc *VerifierConfig) Validate() error
Validate checks that at least one timestamp verification method is set.