Skip to content

haydentherapper/sigstore

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

436 Commits

.github

.github

 
 

hack/tools

hack/tools

 
 

pkg

pkg

 
 

test

test

 
 

.gitattributes

.gitattributes

 
 

.gitignore

.gitignore

 
 

.golangci.yml

.golangci.yml

 
 

CODEOWNERS

CODEOWNERS

 
 

CODE_OF_CONDUCT.md

CODE_OF_CONDUCT.md

 
 

COPYRIGHT.txt

COPYRIGHT.txt

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

Repository files navigation

sigstore framework

Fuzzing Status CII Best Practices

sigstore/sigstore is a generic library / framework that is utilized by various other clients and projects including fulcio (webPKI), cosign (container and OCI signing tool) and tektoncd/chains (Supply Chain Security in Tekton Pipelines).

sigstore is a good candidate for anyone wanting to develop go based clients / systems and utilise existing go modules for common sigstore functionality.

This library currently provides:

  • A signing interface (support for ecdsa, ed25519, rsa, DSSE (in-toto))
  • OpenID Connect fulcio client code

The following KMS systems are available:

  • AWS Key Management Service
  • Azure Key Vault
  • HashiCorp Vault
  • Google Cloud Platform Key Management Service

For example code, look at the relevant test code for each main code file.

Fuzzing

The fuzzing tests are within https://github.com/sigstore/sigstore/tree/main/test/fuzz

Security

Should you discover any security issues, please refer to sigstores security process

For container signing, you want cosign

About

Common go library shared across sigstore services and clients

sigstore.dev

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

3 tags

Packages

No packages published

Languages

  • Go 98.8%
  • Other 1.2%