A client library for Sigstore, written in Go.

Features:

• Signing and verification of Sigstore bundles compliant with Sigstore Client Spec
• Verification of raw Sigstore signatures by creating bundles for them (see conformance tests for example)
• Signing and verifying with a Timestamp Authority (TSA)
• Signing and verifying with Rekor (Artifact Transparency Log)
• Structured verification results including certificate metadata
• TUF support for fetching trusted root certificates and log keys
• Verification support for custom trusted root
• Examples for signing and verifying artifacts

There is not built-in support for signing with a KMS or other bring-your-own-key; however you can easily add support by implementing your own version of the interface pkg/sign/keys.go:Keypair.

Sigstore already has a canonical Go client implementation, cosign, which was developed with a focus on container image signing/verification. It has a rich CLI and a long legacy of features and development. sigstore-go is a more minimal and friendly API for integrating Go code with Sigstore, with a focus on the newly specified data structures in sigstore/protobuf-specs. sigstore-go attempts to minimize the dependency tree for simple signing and verification tasks, omitting KMS support and container image verification, and we intend to refactor parts of cosign to depend on sigstore-go.

sigstore-go is considered stable and ready for production use. It passes the sigstore-conformance signing and verification test suite.

Documentation is found in the docs subdirectory and on pkg.go.dev.

See the examples directory for examples of how to use this library.

Note that the CLI examples are to demonstrate how to use the library, and not intended as a fully-featured Sigstore CLI like cosign.

Tested with:

• Unix-compatible OS and Windows
• Go 1.23+

Note that we do not provide built versions of this library, but you can see what architectures your version of go supports with go tool dist list.

Tests are invoked using the standard Go testing framework. A helper exists in the Makefile also.

$ make test

Bug reports are welcome via issues and questions are welcome via discussion. Please refer to SUPPORT.md for details. This project is provided as-is.

Should you discover any security issues, please refer to sigstore's security process