| Continuous integration | Docs | License | Crate version | Crate downloads |
|---|---|---|---|---|
 |
 |
 |
 |
 |
A crate to interact with sigstore.
This crate is under active development and will not be considered stable until the 1.0 release.
The crate implements the following verification mechanisms:
- Sign using a cosign key and store the signature in a registry
- Verify using a given key
- Verify bundle produced by transparency log (Rekor)
- Verify signature produced in keyless mode, using Fulcio Web-PKI
Signature annotations and certificate email can be provided at verification time.
For use with Fulcio ephemeral key signing, an OpenID connect API is available, along with a fulcio client implementation.
All rekor client APIs can be leveraged to interact with the transparency log.
Cryptographic key management with the following key interfaces:
- Generate a key pair
- Sign data
- Verify signature
- Export public / (encrypted) private key in PEM / DER format
- Import public / (encrypted) private key in PEM / DER format
- The crate does not handle verification of attestations yet.
The examples directory contains demo programs using the library.
Each example can be executed with the cargo run --example <name> command.
For example, openidconnect can be run with the following command:
cargo run --example openidconnectTo embedded this crate in WASM modules, build it using the wasm cargo feature:
cargo build --no-default-features --features wasm --target wasm32-unknown-unknownNOTE: The wasm32-wasi target architecture is not yet supported.
Contributions are welcome! Please see the contributing guidelines for more information.
Should you discover any security issues, please refer to sigstores security process