Overview ¶
Package signature handles the nitty-gritty of formatting and writing out signatures. Functions here should not require any network/Sigstore access.
Types ¶
type Identity ¶
// Identity is a signing identity: something that can hand out its
// certificate (and chain) and a crypto.Signer backed by its private key.
// It mirrors smimesign.Identity so this package does not depend on smimesign.
type Identity interface {
	// Certificate gets the identity's certificate.
	Certificate() (*x509.Certificate, error)
	// CertificateChain attempts to get the identity's full certificate chain.
	CertificateChain() ([]*x509.Certificate, error)
	// Signer gets a crypto.Signer that uses the identity's private key.
	// crypto.Signer only exposes Public() and Sign(); the private key
	// material itself is never handed to the caller.
	Signer() (crypto.Signer, error)
	// Delete deletes this identity from the system.
	Delete() error
	// Close releases any manually managed memory held by the Identity.
	// Callers should invoke it once the identity is no longer needed so that
	// key material does not outlive its use.
	Close()
}
Identity is a copy of smimesign.Identity to allow for compatibility without needing a dependency on the whole package. This can be removed once https://github.com/github/smimesign/pull/108 is merged.
type SignOptions ¶
// SignOptions controls how Sign formats and writes out a signature.
type SignOptions struct {
	// Detached makes a detached signature (the payload is not embedded).
	Detached bool
	// TimestampAuthority is the URL of the RFC3161 timestamp authority to use
	// for timestamping. If empty, no timestamp is requested.
	// NOTE(review): the URL is used as given; confirm at the call site that
	// only trusted (HTTPS) authorities are configured, since the timestamp
	// becomes part of the signature's trust chain.
	TimestampAuthority string
	// Armor creates ASCII-armored output instead of raw bytes.
	Armor bool
	// IncludeCerts specifies what certs to include in the resulting signature.
	// -3 is the same as -2, but omits issuer when cert has Authority Information Access extension.
	// -2 includes all certs except root.
	// -1 includes all certs.
	// 0 includes no certs.
	// 1 includes leaf cert.
	// >1 includes n from the leaf.
	IncludeCerts int
	// UserName specifies the name to match against. If present, signing
	// will fail if the Fulcio identity SAN URI does not match the git committer name.
	UserName string
	// UserEmail specifies the email to match against. If present, signing
	// will fail if the Fulcio identity SAN email does not match the git committer email.
	// Leaving both UserName and UserEmail empty disables this identity check.
	UserEmail string
	// Rekor client - if specified, Rekor details are embedded directly in the
	// signature output, so the resulting SignResponse.LogEntry is populated.
	Rekor rekor.Writer
}
type SignResponse ¶ added in v0.7.0
// SignResponse is the response from Sign containing the signature and other
// related metadata.
type SignResponse struct {
	// Signature is the signature produced by Sign, formatted per the
	// SignOptions it was called with (detached/armored as requested).
	Signature []byte
	// Cert is the certificate that was used to produce Signature.
	Cert *x509.Certificate
	// LogEntry is the Rekor tlog entry from the signing operation.
	// This is only populated if offline signing mode was used (e.g. SignOptions.Rekor was passed in);
	// otherwise it is nil and callers must not dereference it.
	LogEntry *models.LogEntryAnon
}
SignResponse is the response from Sign containing the signature and other related metadata.
func Sign ¶
func Sign(ctx context.Context, ident Identity, body []byte, opts SignOptions) (*SignResponse, error)
Sign signs the given payload with the given identity. The resulting signature and the certificate used are returned.