{"id":15326524,"url":"https://github.com/hboutemy/sigstore-java-poc","last_synced_at":"2025-04-15T02:52:40.800Z","repository":{"id":44326175,"uuid":"489052678","full_name":"hboutemy/sigstore-java-poc","owner":"hboutemy","description":"Java PoC code to implement sigstore operations equivalent to \"cosign sign-blob\"","archived":false,"fork":false,"pushed_at":"2023-06-02T15:40:13.000Z","size":94,"stargazers_count":4,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-15T02:52:35.968Z","etag":null,"topics":["fulcio","java","rekor","sigstore"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hboutemy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-05-05T16:43:42.000Z","updated_at":"2024-05-30T18:52:55.000Z","dependencies_parsed_at":"2024-10-15T22:51:11.658Z","dependency_job_id":null,"html_url":"https://github.com/hboutemy/sigstore-java-poc","commit_stats":{"total_commits":26,"total_committers":1,"mean_commits":26.0,"dds":0.0,"last_synced_commit":"f7100ecf9b454affceb35f15a384198a03543aba"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hboutemy%2Fsigstore-java-poc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hboutemy%2Fsigstore-java-poc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hboutemy%2Fsigstore-java-poc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hboutemy%2Fsigstore-java-poc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hboutemy","download_url":"https://codeload.github.com/hboutemy/sigstore-java-poc/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248997087,"owners_count":21195797,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fulcio","java","rekor","sigstore"],"created_at":"2024-10-01T09:36:06.902Z","updated_at":"2025-04-15T02:52:40.783Z","avatar_url":"https://github.com/hboutemy.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"sigstore Java PoC\n=======\n\nSimple Java PoC code (extracted from [sigstore-maven-plugin PoC](https://github.com/sigstore/sigstore-maven-plugin/pull/85))\nto implement sigstore operations equivalent to [`cosign sign-blob` in keyless mode](https://docs.sigstore.dev/cosign/working_with_blobs/#signing-blobs-as-files),\nthen be able to test it in any situation.\n\n## Build\n\nRequire Java 8\n\n```\nmvn package\n```\n\n## Run\n\n### Basic Executable Jar\n\n```\njava -jar target/sigstore*.jar [optional file to sign: defaults to pom.xml]\n```\n\nwill display:\n\n```\nCrypto generating keypair using EC with secp256r1 parameters\nCrypto signing file content pom.xml\nSigstore Starting sigstore steps to record the signature\nOidcClient \u003e\u003e getting OIDC token from https://oauth2.sigstore.dev/auth/token with auth https://oauth2.sigstore.dev/auth/auth\nPlease open the following address in your browser:\n  https://oauth2.sigstore.dev/auth/auth?client_id=sigstore\u0026code_challenge=OJYmpeku1AddJbLf_St5RosjBnSkbcKPFtrI-hdDVS0\u0026code_challenge_method=S256\u0026redirect_uri=http://localhost:43997/Callback\u0026response_type=code\u0026scope=openid%20email\n```\n\nyou need to authenticate using your browser, then the sigstore work will finish:\n\n```\nOidcClient \u003c\u003c received token for email herve.boutemy@gmail.com\nCrypto signing email address 'herve.boutemy@gmail.com' as proof of possession of private key\nFulcioClient \u003e\u003e requesting signing certificate from https://fulcio.sigstore.dev/api/v1/signingCert\nFulcioClient \u003c\u003c parsing signing certificate\nRekorClient \u003e\u003e submitting to rekor https://rekor.sigstore.dev with payload {\"apiVersion\":\"0.0.1\",\"kind\":\"hashedrekord\",\"spec\":{\"data\":{\"hash\":{\"value\":\"a3a7e29372082134a6dc2b3eb59d7a2fa6466b328e849530d75d01f181d0645f\",\"algorithm\":\"sha256\"}},\"signature\":{\"publicKey\":{\"content\":\"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNGVENDQVpxZ0F3SUJBZ0lUQ2laMS9FUVA4ODRsZnluTHpUanJTNFZoZHpBS0JnZ3Foa2pPUFFRREF6QXEKTVJVd0V3WURWUVFLRXd4emFXZHpkRzl5WlM1a1pYWXhFVEFQQmdOVkJBTVRDSE5wWjNOMGIzSmxNQjRYRFRJeQpNRFV5TlRFMk1EUXhOVm9YRFRJeU1EVXlOVEUyTVRReE5Gb3dBREJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5CkF3RUhBMElBQlAvVVE0NmlnYTYwQlNzT2FEcUlSVmNRTUh3YVlwNzlrSkQwNDgweU9vUmo2T0c1OTNPYVFldlkKaDZ6YTJkZExjaDM4NjBNVWVBcHBBTUQvYTdmblIvQ2pnY2d3Z2NVd0RnWURWUjBQQVFIL0JBUURBZ2VBTUJNRwpBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TURNQXdHQTFVZEV3RUIvd1FDTUFBd0hRWURWUjBPQkJZRUZPcnBYclN0Ck9zMlFJRkMwOHlNcUVQSlUwL1g0TUI4R0ExVWRJd1FZTUJhQUZGakFIbCtSUmFWbXFYck1rS0dUSXRBcXhjWDYKTUNVR0ExVWRFUUVCL3dRYk1CbUJGMmhsY25abExtSnZkWFJsYlhsQVoyMWhhV3d1WTI5dE1Da0dDaXNHQVFRQgpnNzh3QVFFRUcyaDBkSEJ6T2k4dllXTmpiM1Z1ZEhNdVoyOXZaMnhsTG1OdmJUQUtCZ2dxaGtqT1BRUURBd05wCkFEQm1BakVBM29JMTN5bW1yUW9od1Y1MlM2R1hhWk1HVFhLeDZSdUpBYkpIQ3AycDh3VzZ0MzlYNjN1UkNlaUwKTjkybWMrWkhBakVBdXhoU3AzcjFLVVVRRHhJK2Fsd0dac3RGeWI5REhnQnBXRGhjTjJETWRVKzhHeithbFBnQQpBNjQ5bU9IOVZuLysKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==\"},\"content\":\"MEUCIDxs/kuUecXPFYBNaQ/g06sRXJpj0WLzgOmV/QMApnPYAiEAtmIw7gQiv8J5XLtOW4ITOuRB6srhWJoWWQ2wBGjU/2c=\"}}}RekorClient \u003c\u003c Created hashedrekord entry in transparency log @ 'https://rekor.sigstore.dev/api/v1/log/entries/19242336d73a5a435caecd68470fba38ed2438f56ac5bd6b818f0f23757714c1'\n```\n\n### Running against a directory\n\nIf you point to a directory instead of a file, the key pair will be used to sign every file found recursively and each signature will be recorded in sigstore:\n\n```\n❯ java -jar target/sigstore-poc-0.1.0-SNAPSHOT.jar src\nCrypto generating keypair using EC with secp256r1 parameters\nsigning 7 files\nsigned 26832 bytes, created 7 .sig signature files for 672 bytes = 96 bytes per sig\nRecording signatures to sigstore...\npress ENTER to get Fulcio certificate:\nOidcClient \u003e\u003e getting OIDC token from https://oauth2.sigstore.dev/auth/token with auth https://oauth2.sigstore.dev/auth/auth\nPlease open the following address in your browser:\n  https://oauth2.sigstore.dev/auth/auth?client_id=sigstore\u0026code_challenge=WcMI_quzd2icY9soD41y_JuzBAvplWmWcX3ED_kOuXU\u0026code_challenge_method=S256\u0026redirect_uri=http://localhost:56851/Callback\u0026response_type=code\u0026scope=openid%20email\nAttempting to open that address in the default browser now...\nOidcClient \u003c\u003c received token for email herve.boutemy@gmail.com\nCrypto signing email address 'herve.boutemy@gmail.com' as proof of possession of private key\nFulcioClient \u003e\u003e requesting signing certificate from https://fulcio.sigstore.dev/api/v1/signingCert\nFulcioClient \u003c\u003c parsing signing certificate\nCrypto writing signing certificate to /Users/hboutemy/dev/workspace/sigstore-poc/src/signing-certificate.pem\npress ENTER to get 7 Rekor entries for previous signatures:\nRekorClient \u003e\u003e submitting to rekor https://rekor.sigstore.dev with payload {\"apiVersion\":\"0.0.1\",\"kind\":\"hashedrekord\",\"spec\":{\"data\":{\"hash\":{\"value\":\"ca882bac39e1ae2399285495105626538a227a41073620c4653e1fe24ec03435\",\"algorithm\":\"sha256\"}},\"signature\":{\"publicKey\":{\"content\":\"LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFOEZIb0VrOE5WSWVSNmMvTE1lS3JvcE4zeWs0WQpVcTZzMjUydEdKTmEzUDJKWUw2L2RXQ1U4bDB0YkVrK3lVb00ycVVIRGYzS21kVzVrTWFFY256TU13PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t\"},\"content\":\"MEQCIGN/z6q/ErSW4+VgB1uRd5r2/cThm0eqW/4HM1pqUUD6AiBQCJ83loT4h7GmNOLWLgQQzDvQVags+/24mb/phD3rMQ==\"}}}\nRekorClient \u003c\u003c Created hashedrekord entry in transparency log @ 'https://rekor.sigstore.dev/api/v1/log/entries/d24599fd16dd287a6dd2e7897a40df506956d4b62b42b84591f3e109acf2da30'\n[...]\ncreated 7 rekor entries, saved in .rekor files for 13567 bytes = 1938 bytes per rekor entry\n```\n\n### JShell Interactive Discovery\n\nYou may also load the jar with `jshell` to do interactive test of either a basic file signature or more step by step usage for every sigstore piece:\n\n```\n$ jshell --class-path target/sigstore-poc-0.1.0-SNAPSHOT.jar \n|  Welcome to JShell -- Version 11.0.7\n|  For an introduction type: /help intro\n\njshell\u003e import dev.sigstore.poc.*\n\njshell\u003e var sigstore = new Sigstore()\nsigstore ==\u003e dev.sigstore.poc.Sigstore@4b952a2d\n\njshell\u003e sigstore.sign(new File(\"pom.xml\"))\nCrypto generating keypair using EC with secp256r1 parameters\nCrypto signing file content pom.xml\nSigstore Starting sigstore steps to record the signature\n...\n\n\njshell\u003e var crypto = new Crypto()\ncrypto ==\u003e dev.sigstore.poc.Crypto@192d74fb\n\njshell\u003e var keypair = crypto.generateKeyPair()\nCrypto generating keypair using EC with secp256r1 parameters\nkeypair ==\u003e java.security.KeyPair@62ea3440\n\njshell\u003e var bin = Files.readAllBytes(new File(\"pom.xml\").toPath())\nbin ==\u003e byte[4326] { 60, 112, 114, 111, 106, 101, 99, 116 ... 1, 106, 101, 99, 116, 62 }\n\njshell\u003e var signature = crypto.signContent(bin, keypair.getPrivate())\nsignature ==\u003e \"MEQCIAHJNMt7JIiHkgiwWBdytp4eWlsSMZBDaL1Zdn6h463V ... fG6EZ6J7UqOz18lFGubd8CA==\"\n\njshell\u003e var certs = sigstore.getFulcioCert(keypair)\nOidcClient \u003e\u003e getting OIDC token from https://oauth2.sigstore.dev/auth/token with auth https://oauth2.sigstore.dev/auth/auth\nPlease open the following address in your browser:\n  https://oauth2.sigstore.dev/auth/auth?client_id=sigstore\u0026code_challenge=xqx3jeRsrmZf19OTkmwzvoT6M-1iJ3lUfLaLgoLpa_o\u0026code_challenge_method=S256\u0026redirect_uri=http://localhost:45427/Callback\u0026response_type=code\u0026scope=openid%20email\n...\n\njshell\u003e var rekor = new RekorClient()\nrekor ==\u003e dev.sigstore.poc.RekorClient@48c35007\n\njshell\u003e rekor.submitToRekor(bin, signature, certs.getCertificates().get(0))\nRekorClient \u003e\u003e submitting to rekor https://rekor.sigstore.dev with payload {\"apiVersion\":\"0.0.1\",\"kind\":\"hashedrekord\",\"spec\":{\"data\":{\"hash\":{\"value\":\"ca882bac39e1ae2399285495105626538a227a41073620c4653e1fe24ec03435\",\"algorithm\":\"sha256\"}},\"signature\":{\"publicKey\":{\"content\":\"LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFOEZIb0VrOE5WSWVSNmMvTE1lS3JvcE4zeWs0WQpVcTZzMjUydEdKTmEzUDJKWUw2L2RXQ1U4bDB0YkVrK3lVb00ycVVIRGYzS21kVzVrTWFFY256TU13PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t\"},\"content\":\"MEQCIGN/z6q/ErSW4+VgB1uRd5r2/cThm0eqW/4HM1pqUUD6AiBQCJ83loT4h7GmNOLWLgQQzDvQVags+/24mb/phD3rMQ==\"}}}\nRekorClient \u003c\u003c Created hashedrekord entry in transparency log @ 'https://rekor.sigstore.dev/api/v1/log/entries/d24599fd16dd287a6dd2e7897a40df506956d4b62b42b84591f3e109acf2da30'\n$12 ==\u003e https://rekor.sigstore.dev/api/v1/log/entries/d24599fd16dd287a6dd2e7897a40df506956d4b62b42b84591f3e109acf2da30\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhboutemy%2Fsigstore-java-poc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhboutemy%2Fsigstore-java-poc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhboutemy%2Fsigstore-java-poc/lists"}