{"id":42184407,"url":"https://github.com/prefix-dev/sigstore-rust","last_synced_at":"2026-02-06T19:04:03.578Z","repository":{"id":326386681,"uuid":"1100575911","full_name":"prefix-dev/sigstore-rust","owner":"prefix-dev","description":"Sigstore implemented in Rust for Github v0.3 bundles","archived":false,"fork":false,"pushed_at":"2026-02-04T16:18:05.000Z","size":797,"stargazers_count":4,"open_issues_count":7,"forks_count":3,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-02-04T23:52:35.588Z","etag":null,"topics":["cosign","oci","package-management","sigstore"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/prefix-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-11-20T13:19:10.000Z","updated_at":"2026-02-04T16:17:00.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/prefix-dev/sigstore-rust","commit_stats":null,"previous_names":["wolfv/sigstore-rust","prefix-dev/sigstore-rust"],"tags_count":104,"template":false,"template_full_name":null,"purl":"pkg:github/prefix-dev/sigstore-rust","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prefix-dev%2Fsigstore-rust","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prefix-dev%2Fsigstore-rust/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prefix-dev%2Fsigstore-rust/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prefix-dev%2Fsigstore-rust/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/prefix-dev","download_url":"https://codeload.github.com/prefix-dev/sigstore-rust/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prefix-dev%2Fsigstore-rust/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29172751,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-06T16:33:35.550Z","status":"ssl_error","status_checked_at":"2026-02-06T16:33:30.716Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cosign","oci","package-management","sigstore"],"created_at":"2026-01-26T22:20:10.301Z","updated_at":"2026-02-06T19:04:03.533Z","avatar_url":"https://github.com/prefix-dev.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# sigstore-rust\n\nA Rust implementation of [Sigstore](https://sigstore.dev) for signing and verifying software artifacts.\n\n## Overview\n\nThis workspace provides a modular Rust implementation of the Sigstore ecosystem, enabling keyless code signing and verification. Sigstore eliminates the need for long-lived signing keys by binding signatures to OpenID Connect identities and recording them in an immutable transparency log.\n\n## Crates\n\n| Crate | Description |\n|-------|-------------|\n| [`sigstore-sign`](crates/sigstore-sign) | High-level signing API |\n| [`sigstore-verify`](crates/sigstore-verify) | High-level verification API |\n| [`sigstore-bundle`](crates/sigstore-bundle) | Sigstore bundle format handling |\n| [`sigstore-types`](crates/sigstore-types) | Core types and data structures |\n| [`sigstore-crypto`](crates/sigstore-crypto) | Cryptographic primitives |\n| [`sigstore-merkle`](crates/sigstore-merkle) | RFC 6962 Merkle tree verification |\n| [`sigstore-rekor`](crates/sigstore-rekor) | Rekor transparency log client |\n| [`sigstore-fulcio`](crates/sigstore-fulcio) | Fulcio certificate authority client |\n| [`sigstore-oidc`](crates/sigstore-oidc) | OpenID Connect authentication |\n| [`sigstore-tsa`](crates/sigstore-tsa) | RFC 3161 timestamp authority client |\n| [`sigstore-trust-root`](crates/sigstore-trust-root) | Trusted root management |\n\n## Installation\n\nAdd the crates you need to your `Cargo.toml`:\n\n```toml\n[dependencies]\n# For verification only\nsigstore-verify = \"0.1\"\nsigstore-trust-root = \"0.1\"\n\n# For signing\nsigstore-sign = \"0.1\"\n```\n\n## Usage\n\n### Verifying a Signature\n\n```rust\nuse sigstore_verify::{Verifier, VerificationPolicy};\nuse sigstore_trust_root::TrustedRoot;\n\n// Load the trusted root (contains Fulcio CA, Rekor keys, etc.)\nlet root = TrustedRoot::production()?;\nlet verifier = Verifier::new(\u0026root);\n\n// Parse the bundle (contains signature, certificate, transparency log entry)\nlet bundle: sigstore_types::Bundle = serde_json::from_str(\u0026bundle_json)?;\n\n// Verify the signature\nverifier.verify(\u0026bundle, artifact_bytes)?;\n\n// Or verify with identity policy\nlet policy = VerificationPolicy::new()\n    .issuer(\"https://token.actions.githubusercontent.com\")\n    .subject_regex(r\"^https://github\\.com/myorg/.*$\")?;\n\nverifier.verify_with_policy(\u0026bundle, artifact_bytes, \u0026policy)?;\n```\n\n### Signing an Artifact\n\n```rust\nuse sigstore_sign::{Signer, SigningConfig};\n\n// Create a signer (will authenticate via OIDC)\nlet config = SigningConfig::production();\nlet signer = Signer::new(config).await?;\n\n// Sign the artifact - returns a Sigstore bundle\nlet bundle = signer.sign(artifact_bytes).await?;\n\n// Save the bundle\nlet bundle_json = serde_json::to_string_pretty(\u0026bundle)?;\n```\n\n## Examples\n\n### Verify a Bundle from GitHub\n\nYou can verify Sigstore bundles from GitHub releases:\n\n```sh\n# 1. Download a release artifact and its Sigstore bundle\ncurl -LO https://github.com/sigstore/cosign/releases/download/v3.0.2/cosign_checksums.txt\ncurl -LO https://github.com/sigstore/cosign/releases/download/v3.0.2/cosign_checksums.txt.sigstore.json\n\n# 2. Verify the bundle (cryptographic verification without identity policy)\ncargo run -p sigstore-verify --example verify_bundle -- \\\n    cosign_checksums.txt cosign_checksums.txt.sigstore.json\n\n# 3. Or verify with identity policy (this release was signed with Google's keyless signer)\ncargo run -p sigstore-verify --example verify_bundle -- \\\n    --identity \"keyless@projectsigstore.iam.gserviceaccount.com\" \\\n    --issuer \"https://accounts.google.com\" \\\n    cosign_checksums.txt cosign_checksums.txt.sigstore.json\n```\n\n### Verify an artifact locally\n\n```bash\n# Sign the README.md file\ncargo run -p sigstore-sign --example sign_blob -- README.md -o README.md.sigstore.json\n\n# Verify with our tool\ncargo run -p sigstore-verify --example verify_bundle -- README.md README.md.sigstore.json\n\n# You can also verify with cosign\ncosign verify-blob --bundle README.md.sigstore.json \\\n    --certificate-identity w.vollprecht@gmail.com \\\n    --certificate-oidc-issuer https://github.com/login/oauth \\\n    README.md\n```\n\n## Architecture\n\n```text\n┌─────────────────────────────────────────────────────────────────┐\n│                    Application Layer                            │\n├────────────────────────┬────────────────────────────────────────┤\n│     sigstore-sign      │           sigstore-verify              │\n├────────────────────────┴────────────────────────────────────────┤\n│                      sigstore-bundle                            │\n├─────────────┬─────────────┬─────────────┬───────────────────────┤\n│sigstore-oidc│sigstore-    │sigstore-    │  sigstore-trust-root  │\n│             │fulcio       │rekor        │                       │\n├─────────────┴──┬──────────┴────────┬────┴───────────────────────┤\n│  sigstore-tsa  │  sigstore-merkle  │  sigstore-crypto           │\n├────────────────┴─────────────────-─┴────────────────────────────┤\n│                      sigstore-types                             │\n└─────────────────────────────────────────────────────────────────┘\n```\n\n## How Sigstore Works\n\n1. **Keyless Signing**: Instead of managing long-lived keys, signers authenticate with an OIDC provider (GitHub, Google, etc.)\n2. **Short-lived Certificates**: Fulcio issues a certificate valid for ~10 minutes, binding the OIDC identity to an ephemeral key\n3. **Transparency Log**: The signature is recorded in Rekor, providing a tamper-evident audit trail\n4. **Verification**: Verifiers check the certificate chain, signature, and transparency log entry against the trusted root\n\n## Features\n\n- Full Sigstore bundle support (v0.1, v0.2, v0.3 formats)\n- Keyless signing with OIDC authentication\n- Certificate chain validation against Fulcio CA\n- Transparency log verification (checkpoints, inclusion proofs, SETs)\n- RFC 3161 timestamp support\n- Identity-based verification policies\n- Ambient credential detection for CI/CD environments\n\n## Cryptography\n\nThis library uses [aws-lc-rs](https://github.com/aws/aws-lc-rs) as its cryptographic backend. AWS-LC is a general-purpose cryptographic library maintained by AWS, based on code from BoringSSL. It provides:\n\n- ECDSA (P-256, P-384) signature verification and signing\n- Ed25519 signature support\n- SHA-256/SHA-384/SHA-512 hashing\n- X.509 certificate parsing and validation\n\nAWS-LC is [FIPS 140-3 validated](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4816), making this library suitable for environments with compliance requirements.\n\n## Minimum Supported Rust Version\n\nRust 1.70 or later.\n\n## License\n\nBSD-3-Clause\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprefix-dev%2Fsigstore-rust","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fprefix-dev%2Fsigstore-rust","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprefix-dev%2Fsigstore-rust/lists"}