sigstore-java

A sigstore java client for interacting with sigstore infrastructure

⚠️ This project is not ready for general-purpose use! ⚠️

This project requires a minimum of Java 11 and is current in pre-release, apis and dependencies are likely to change

You can files issues directly on this project or if you have any questions message us on the sigstore#java slack channel

Usage

Keyless Signing And Verification

Signing

Path testArtifact = Paths.get("path/to/my/file.jar")

var signer = KeylessSigner.builder().sigstorePublicDefaults().build();
var result = signer.sign(testArtifact);

// resulting signature information

// sigstore bundle format (serialized as <artifact>.sigstore.json)
String bundle = BundleFactory.createBundle(result)

// artifact digest
byte[] digest = result.getDigest();

// certificate from fulcio
CertPath certs = result.getCertPath() // java representation of a certificate path
byte[] certsBytes = Certificates.toPemBytes(result.getCertPath()) // converted to PEM encoded byte array

// artifact signature
byte[] sig = result.getSignature()

Verification

KeylessSignature from bundle

var bundleFile = // java.nio.Path to a .sigstore.json signature bundle file
var keylessSignature = BundleFactory.readBundle(Files.newBufferedReader(bundleFile, StandardCharsets.UTF_8));

KeylessSignature from certificate and signature

byte[] digest = // byte array sha256 artifact digest
byte[] certificateChain = // byte array of PEM encoded cert chain
byte[] signature = // byte array of artifact signature
var keylessSignature = 
    KeylessSignature.builder()
        .signature(signature)
        .certPath(Certificates.fromPemChain(certPath))
        .digest(digest)
        .build();

Configure verification options

var verificationOptions = 
    VerificationOptions.builder()
        // add certificate policy to verify the identity of the signer
        .addCertificateIdentities(
            CertificateIdentity.builder()
                .issuer("https://accounts.example.com"))
                .subjectAlternativeName("test@example.com")
                .build())
        .build();

Do verification

var artifact = // java.nio.Path to artifact file
try {
  var verifier = new KeylessVerifier.Builder().sigstorePublicDefaults().build();
  verifier.verify(
      artifact,
      KeylessVerificationRequest.builder()
          .keylessSignature(keylessSignature)
          .verificationOptions(verificationOptions)
          .build());
  // verification passed!
} catch (KeylessVerificationException e) {
  // verification failed
}

Exploring the API

You could browse Javadoc at https://javadoc.io/doc/dev.sigstore/sigstore-java.

To build javadoc from the sources, use the following command:

$ ./gradlew javadoc
$ "my-favorite-browser" ./sigstore-java/build/docs/javadoc/index.html

Name		Name	Last commit message	Last commit date
Latest commit History 1,025 Commits
.github/workflows		.github/workflows
.idea		.idea
build-logic-commons		build-logic-commons
build-logic		build-logic
config		config
fuzzing		fuzzing
gradle/wrapper		gradle/wrapper
sandbox		sandbox
scripts		scripts
sigstore-cli		sigstore-cli
sigstore-gradle		sigstore-gradle
sigstore-java		sigstore-java
sigstore-testkit		sigstore-testkit
.editorconfig		.editorconfig
.gitattributes		.gitattributes
.gitignore		.gitignore
CHANGELOG.md		CHANGELOG.md
DEVELOPMENT.md		DEVELOPMENT.md
LICENSE		LICENSE
README.md		README.md
RELEASING.md		RELEASING.md
build.gradle.kts		build.gradle.kts
gradle.properties		gradle.properties
gradlew		gradlew
gradlew.bat		gradlew.bat
renovate.json		renovate.json
settings.gradle.kts		settings.gradle.kts

License

sigstore/sigstore-java

Folders and files

Latest commit

History

Repository files navigation

sigstore-java

Usage

Keyless Signing And Verification

Signing

Verification

KeylessSignature from bundle

KeylessSignature from certificate and signature

Configure verification options

Do verification

Exploring the API

About

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Languages