{"id":17128864,"url":"https://github.com/andrewpmartinez/cosign","last_synced_at":"2025-03-24T04:21:53.210Z","repository":{"id":237688304,"uuid":"795050570","full_name":"andrewpmartinez/cosign","owner":"andrewpmartinez","description":"A library enabling multiple signers on a JWT in a backwards compatible way.","archived":false,"fork":false,"pushed_at":"2024-05-24T19:22:50.000Z","size":371,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-05T16:51:39.349Z","etag":null,"topics":["golang","jwt","jwt-validation"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/andrewpmartinez.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-05-02T13:40:22.000Z","updated_at":"2025-01-13T12:37:37.000Z","dependencies_parsed_at":"2024-05-03T01:07:41.958Z","dependency_job_id":"dff2c256-7a66-47e1-bcb1-12f98732feb4","html_url":"https://github.com/andrewpmartinez/cosign","commit_stats":null,"previous_names":["andrewpmartinez/cosign"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrewpmartinez%2Fcosign","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrewpmartinez%2Fcosign/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrewpmartinez%2Fcosign/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrewpmartinez%2Fcosign/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/andrewpmartinez","download_url":"https://codeload.github.com/andrewpmartinez/cosign/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245207283,"owners_count":20577654,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang","jwt","jwt-validation"],"created_at":"2024-10-14T19:08:16.078Z","updated_at":"2025-03-24T04:21:53.186Z","avatar_url":"https://github.com/andrewpmartinez.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# COSIGN\n![cosign-25.png](images/cosign-25.png)\n\nA go-lang library that allows multiple signers of a single JWT. Done in a way\nthat maintains backward compatibility with standard single signer verification.\n\n## Usage\n\nTake any existing JWT, parse it, and add one or more additional signers.\n\n```go\njwtString := \"ey...====\"\ntoken, err := cosign.parse(jwtString\ndoubleSignedToken, err := token.AddSigner(\"kid1234\", secondSignerPrivateKey, jwt.SigningMethodES256)\ndoubleSignedTokenString := doubleSignedToken.Token()\nfmt.Printf(\"The cosigned token: %s\", doubleSignedTokenString)\n```\n\nThe \"signing method\" must match the private key usage (RS256 for SHA245 + RSA, ES256 for SHA256+P256, etc.).\n\nVerification can be performed in a variety of ways. The last signer can always be verified using standard JWT \nverification. The cosigners can be verified by first parsing the JWT with `cosign.Parse(token)` and then using\none of the verify functions:\n\n- `Verify(pubKeyProvider)` - Verify the current token is signed by a known public key.\n- `VerifyOne(pubKeyProvider)` - Verify that the token was signed by at least one known public key.\n- `VerifyAll(pubKeyProvider)` - Verify that the toke was signed by only known public keys.\n\n```go\ntoken, err := cosign.Parse(doubleSignedTokenString)\npubKeyProvider := cosign.MapPubKeyProvider{\n\t\"kid1234\": \u0026secondSignerPrivateKey.PublicKey\n}\nresult := token.VerifyOne(pubKeyProvider)\n\nif result.Error {\n\tfmt.Printf(\"Error: %s\\n\", result.Error)\n} else {\n\tfmt.Printf(\"Is Valid: %b\\n\", result.IsValid)\n}\n```\n\nEach single cosigned token is logically multiple individual tokens signed with different private keys. Cosign \"unpacks\" these JWTs during parsing.\nThe logical tokens can be accessed via: `token.Previous()` or `token.Tokens()`. \n\nWhen using `token.VerifyOne()` or `token.VerifyAll()` the referenced token and all previous tokens are verified, but any tokens higher up, are not.\nFor example, if an arbitrary token named `myToken` was signed three times, using `cosign.Parse(myToken)` will return a single `Token` instance that\nhas references to two other token instances. \n\n```go\ntopToken, _ := cosign.Parse(myToken)\nmiddleToken := topToken.Previous()\nbottomToken := middleToken.Previous()\nthisWillBeNil := bottomToken.Previous()\n```\nIf `middleToken.VerifyOne()` is run, it will verify against `middleToken` and `bottomToken`; as verification is down through the token, not up.\n\n\n# Why?\n\nI worked on a project where I needed to be able to have older clients verify a JWT from a single signer, but\nnewer clients could verify from any number of signers. Issuing multiple JWTs was too much to handle, and\nnesting JWTs inside each other caused the JWT size to grow too large for my use case. For the initial\napplication, the claims were identical, no matter how many signers there were. Cosign requires that the claim\nset not change between signers. Said another way, all cosigners sign the same claims.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandrewpmartinez%2Fcosign","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fandrewpmartinez%2Fcosign","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandrewpmartinez%2Fcosign/lists"}