{"id":13644619,"url":"https://github.com/sigstore/gitsign","last_synced_at":"2026-01-28T21:01:01.252Z","repository":{"id":36967910,"uuid":"491573171","full_name":"sigstore/gitsign","owner":"sigstore","description":"Keyless Git signing using Sigstore","archived":false,"fork":false,"pushed_at":"2026-01-27T17:16:05.000Z","size":2493,"stargazers_count":1052,"open_issues_count":32,"forks_count":75,"subscribers_count":13,"default_branch":"main","last_synced_at":"2026-01-27T21:06:41.275Z","etag":null,"topics":["git","signing","sigstore"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sigstore.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":"COPYRIGHT.txt","agents":null,"dco":null,"cla":null}},"created_at":"2022-05-12T15:38:22.000Z","updated_at":"2026-01-27T17:16:02.000Z","dependencies_parsed_at":"2023-02-19T06:16:21.027Z","dependency_job_id":"63ec0a61-9a86-45d0-b8d0-4ec7a7940c8d","html_url":"https://github.com/sigstore/gitsign","commit_stats":{"total_commits":444,"total_committers":25,"mean_commits":17.76,"dds":"0.36936936936936937","last_synced_commit":"51c08dc8317729f759d2f1885fb50003fccc4031"},"previous_names":[],"tags_count":27,"template":false,"template_full_name":"sigstore/sigstore-project-template","purl":"pkg:github/sigstore/gitsign","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Fgitsign","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%
2Fgitsign/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Fgitsign/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Fgitsign/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sigstore","download_url":"https://codeload.github.com/sigstore/gitsign/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Fgitsign/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28851838,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-28T15:15:36.453Z","status":"ssl_error","status_checked_at":"2026-01-28T15:15:13.020Z","response_time":57,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["git","signing","sigstore"],"created_at":"2024-08-02T01:02:09.564Z","updated_at":"2026-01-28T21:01:01.215Z","avatar_url":"https://github.com/sigstore.png","language":"Go","funding_links":[],"categories":["git","Go"],"sub_categories":[],"readme":"# Gitsign\n\n[![CI](https://github.com/sigstore/gitsign/actions/workflows/ci.yaml/badge.svg)](https://github.com/sigstore/gitsign/actions/workflows/ci.yaml)\n[![E2E](https://github.com/sigstore/gitsign/actions/workflows/e2e.yaml/badge.svg)](https://github.com/sigstore/gitsign/actions/workflows/e2e.yaml)\n\n\u003cp align=\"center\"\u003e\n  \u003cimg style=\"max-width: 
100%;width: 300px;\" src=\"https://raw.githubusercontent.com/sigstore/community/main/artwork/gitsign/horizontal/color/sigstore_gitsign-horizontal-color.svg\" alt=\"Gitsign logo\"/\u003e\n\u003c/p\u003e\n\nKeyless Git signing with Sigstore!\n\nThis is heavily inspired by \u003chttps://github.com/github/smimesign\u003e, but uses\nkeyless Sigstore to sign Git commits with your own GitHub / OIDC identity.\n\n## Installation\n\nUsing Homebrew:\n\n```sh\nbrew install gitsign\n```\n\nUsing Go:\n\n```sh\ngo install github.com/sigstore/gitsign@latest\n```\n\n## Configuration\n\nSingle Repository:\n\n```sh\ncd /path/to/my/repository\ngit config --local gpg.x509.program gitsign  # Use gitsign for signing\ngit config --local gpg.format x509  # gitsign expects x509 args\n\n# Warning: Setting this will make git commit/tag reliant on internet.\n# Alternatively, don't use these settings and add the -S flag instead.\ngit config --local commit.gpgsign true  # Sign all commits\ngit config --local tag.gpgsign true  # Sign all tags\n\n```\n\nAll repositories:\n\n```sh\ngit config --global gpg.x509.program gitsign  # Use gitsign for signing\ngit config --global gpg.format x509  # gitsign expects x509 args\n\n\n# Warning: Setting this will make git commit/tag reliant on internet.\n# Alternatively, don't use these settings and add the -S flag instead.\ngit config --global commit.gpgsign true  # Sign all commits\ngit config --global tag.gpgsign true  # Sign all tags\n```\n\nTo learn more about these options, see\n[`git-config`](https://git-scm.com/docs/git-config#Documentation/git-config.txt).\n\n### File config\n\nGitsign can be configured with a standard\n[git-config](https://git-scm.com/docs/git-config) file. 
For example, to set the\nFulcio option for a single repo:\n\n```sh\n$ git config --local gitsign.fulcio https://fulcio.example.com\n```\n\nThe following config options are supported:\n\n| Option             | Default                          | Description                                                                                                                                                                                                                                                                      |\n| ------------------ | -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| fulcio             | https://fulcio.sigstore.dev      | Address of Fulcio server                                                                                                                                                                                                                                                         |\n| logPath            |                                  | Path to log status output. Helpful for debugging when no TTY is available in the environment.                                                                                                                                                                                    
|\n| clientID           | sigstore                         | OIDC client ID for application                                                                                                                                                                                                                                                   |\n| issuer             | https://oauth2.sigstore.dev/auth | OIDC provider to be used to issue ID token                                                                                                                                                                                                                                       |\n| matchCommitter     | false                            | If true, verify that the committer matches certificate user identity. See [docs/committer-verification.md](./docs/committer-verification.md) for more details.                                                                                                                   |\n| redirectURL        |                                  | OIDC Redirect URL                                                                                                                                                                                                                                                                |\n| rekor              | https://rekor.sigstore.dev       | Address of Rekor server                                                                                                                                                                                                                                                          |\n| connectorID        |                                  | Optional Connector ID to auto-select to pre-select auth flow to use. 
For the public sigstore instance, valid values are:\u003cbr\u003e- `https://github.com/login/oauth`\u003cbr\u003e- `https://accounts.google.com`\u003cbr\u003e- `https://login.microsoftonline.com`                                       |\n| tokenProvider      |                                  | Optional OIDC token provider to use to fetch tokens. If not set, any available providers are used. valid values are:\u003cbr\u003e- `interactive`\u003cbr\u003e- `spiffe`\u003cbr\u003e- `google-workload-identity`\u003cbr\u003e- `google-impersonation`\u003cbr\u003e- `github-actions`\u003cbr\u003e- `filesystem`\u003cbr\u003e- `buildkite-agent` |\n| timestampServerURL |                                  | Address of timestamping authority. If set, a trusted timestamp will be included in the signature.                                                                                                                                                                                |\n| timestampCertChain |                                  | Path to PEM encoded certificate chain for RFC3161 Timestamp Authority verification.                                                                                                                                                                                              |\n| autoclose          |    true                              | If true, autoclose the browser window after `autocloseTimeout`. In order for autoclose to work you must also set `connectorID`. |\n| autocloseTimeout   |   6                               | If `autoclose` is true, this is how long to wait until the window is closed. 
|\n\n### Environment Variables\n\n| Environment Variable         | Sigstore\u003cbr\u003ePrefix | Default                          | Description                                                                                                                                                                                                                                                                                                                                                                                                           |\n| ---------------------------- | ------------------ | -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| GITSIGN_CREDENTIAL_CACHE     |                    |                                  | Optional path to [gitsign-credential-cache](cmd/gitsign-credential-cache/README.md) socket.                                                                                                                                                                                                                                                                                                                           |\n| GITSIGN_CONNECTOR_ID            | ✅                 |                                  | Optional Connector ID to auto-select to pre-select auth flow to use. 
For the public sigstore instance, valid values are:\u003cbr\u003e- `https://github.com/login/oauth`\u003cbr\u003e- `https://accounts.google.com`\u003cbr\u003e- `https://login.microsoftonline.com`                                                                                                                                                                            |\n| GITSIGN_TOKEN_PROVIDER          | ✅                 |                                  | Optional OIDC token provider to use to fetch tokens. If not set, any available providers are used. valid values are:\u003cbr\u003e- `interactive`\u003cbr\u003e- `spiffe`\u003cbr\u003e- `google-workload-identity`\u003cbr\u003e- `google-impersonation`\u003cbr\u003e- `github-actions`\u003cbr\u003e- `filesystem`\u003cbr\u003e- `buildkite-agent`                                                                                                                                      |\n| GITSIGN_FULCIO_URL              | ✅                 | https://fulcio.sigstore.dev      | Address of Fulcio server                                                                                                                                                                                                                                                                                                                                                                                              |\n| GITSIGN_LOG                     | ❌                 |                                  | Path to log status output. Helpful for debugging when no TTY is available in the environment.                                                                                                                                                                                                                                                                                                                         
|\n| GITSIGN_OIDC_CLIENT_ID          | ✅                 | sigstore                         | OIDC client ID for application |\n| GITSIGN_OIDC_CLIENT_SECRET_FILE | ✅                 |                                  | Path to the file containing the OIDC client secret for the application. |\n| GITSIGN_OIDC_ISSUER             | ✅                 | https://oauth2.sigstore.dev/auth | OIDC provider to be used to issue ID token |\n| GITSIGN_OIDC_REDIRECT_URL    | ✅                 |                                  | OIDC Redirect URL |\n| GITSIGN_REKOR_URL       
     | ✅                 | https://rekor.sigstore.dev       | Address of Rekor server                                                                                                                                                                                                                                                                                                                                                                                               |\n| GITSIGN_TIMESTAMP_SERVER_URL | ✅                 |                                  | Address of timestamping authority. If set, a trusted timestamp will be included in the signature.                                                                                                                                                                                                                                                                                                                     |\n| GITSIGN_TIMESTAMP_CERT_CHAIN | ✅                 |                                  | Path to PEM encoded certificate chain for RFC3161 Timestamp Authority verification.                                                                                                                                                                                                                                                                                                                                   
|\n| GITSIGN_FULCIO_ROOT          | ✅                 |                                  | Path to PEM encoded certificate for Fulcio CA (additional alias: SIGSTORE_ROOT_FILE) |\n| GITSIGN_REKOR_MODE           | ❌                 | online                           | Rekor storage mode to operate in. One of [online, offline] (default: online)\u003cbr\u003eonline - Commit SHAs are stored in Rekor, requiring online verification for all commit objects.\u003cbr\u003eoffline - Hashed commit content is stored in Rekor, with Rekor attributes necessary for offline verification being stored in the commit itself.\u003cbr\u003eNote: online verification will be deprecated in favor of offline in the future. |\n| GITSIGN_AUTOCLOSE            | ❌                 | true                             | If true, autoclose the browser window after `GITSIGN_AUTOCLOSE_TIMEOUT`. |\n| GITSIGN_AUTOCLOSE_TIMEOUT    | ❌                 | 6                                | If `GITSIGN_AUTOCLOSE` is true, this is how long to wait until the window is closed. |\n\nFor environment variables that support `Sigstore Prefix`, the values may be\nprovided with either a `GITSIGN_` or `SIGSTORE_` prefix - e.g.\n`GITSIGN_CONNECTOR_ID` or `SIGSTORE_CONNECTOR_ID`. 
If both environment variables\nare set, the `GITSIGN_` prefix takes priority.\n\n#### Other environment variables\n\n| Environment Variable      | Description                                                                     |\n| ------------------------- | ------------------------------------------------------------------------------- |\n| SIGSTORE_REKOR_PUBLIC_KEY | This specifies an out of band PEM-encoded public key to use for a custom Rekor. |\n\n## Usage\n\n### Signing Commits\n\nOnce configured, you can sign commits as usual with `git commit -S` (or\n`git config --global commit.gpgsign true` to enable signing for all commits).\n\n```sh\n$ git commit --allow-empty --message=\"Signed commit\"\nYour browser will now be opened to:\nhttps://oauth2.sigstore.dev/auth/auth?access_type=online\u0026client_id=sigstore\u0026...\n[main 040b9af] Signed commit\n```\n\nThis will redirect you through the Sigstore Keyless flow to authenticate and\nsign the commit.\n\n### Signing Tags\n\nOnce configured, you can sign tags as usual with `git tag -s` (or\n`git config --global tag.gpgsign true` to enable signing for all tags).\n\n```sh\n$ git tag v0.0.1\nYour browser will now be opened to:\nhttps://oauth2.sigstore.dev/auth/auth?access_type=online\u0026client_id=sigstore\u0026...\n```\n\nThis will redirect you through the Sigstore Keyless flow to authenticate and\nsign the tag.\n\n### Verifying commits\n\nCommits can be verified using `gitsign verify`:\n\n```sh\n$ gitsign verify --certificate-identity=billy@chainguard.dev --certificate-oidc-issuer=https://accounts.google.com HEAD\ntlog index: 16072348\ngitsign: Signature made using certificate ID 0xa6c178d9292f70eb5c4ad9e274ead0158e75e484 | CN=sigstore-intermediate,O=sigstore.dev\ngitsign: Good signature from [billy@chainguard.dev](https://accounts.google.com)\nValidated Git signature: true\nValidated Rekor entry: true\nValidated Certificate claims: true\n```\n\n`HEAD` may be replaced with any\n[Git 
revision](https://git-scm.com/docs/gitrevisions) (e.g. branch, tag, etc.).\n\n**NOTE**: `gitsign verify` is preferred over\n[`git verify-commit`](https://git-scm.com/docs/git-verify-commit) and\n[`git verify-tag`](https://git-scm.com/docs/git-verify-tag). The git commands do\nnot pass through any expected identity information to the signing tools, so they\nonly verify cryptographic integrity and that the data exists on Rekor, but not\n**who** put the data there.\n\nThese commands will still work, but a warning will be displayed.\n\n```sh\n$ git verify-commit HEAD\ntlog index: 16072349\ngitsign: Signature made using certificate ID 0xa6c178d9292f70eb5c4ad9e274ead0158e75e484 | CN=sigstore-intermediate,O=sigstore.dev\ngitsign: Good signature from [billy@chainguard.dev](https://accounts.google.com)\nValidated Git signature: true\nValidated Rekor entry: true\nValidated Certificate claims: false\nWARNING: git verify-commit does not verify cert claims. Prefer using `gitsign verify` instead.\n```\n\n### Private Sigstore\n\nLike other Sigstore tools such as cosign, Gitsign can run against\nSigstore instances other than the default public instance. See\n[cosign documentation](https://docs.sigstore.dev/cosign/custom_components/) for\nhow to configure and use another instance.\n\n## FAQ\n\n### Is there any way to bypass the browser flow?\n\nA browser window is needed to get an OAuth token, since gitsign aims to not\nstore refresh tokens or other cryptographic material on disk, but there are some\nthings you can do to make this process a bit easier!\n\n1. Set the `connectorID` config option - This preselects the identity provider\n   to use. Assuming you're already signed in, in most cases you'll bounce\n   directly to the auth success screen! (and you can clean up the browser tabs\n   later)\n2. Use the [Credential Cache](cmd/gitsign-credential-cache/README.md). 
This uses\n   an in-memory credential cache over a file socket that allows you to persist\n   keys and certificates for their full lifetime (meaning you only need to auth\n   once every 10 minutes).\n\n### Why doesn't GitHub show commits as [verified](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)?\n\n\u003cimg src=\"./images/unverified.png\" width=\"400\" /\u003e\n\nGitHub doesn't recognize Gitsign signatures as verified at the moment:\n\n1. The sigstore CA root is not a part of\n   [GitHub's trust root](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#smime-commit-signature-verification).\n2. Because Gitsign's ephemeral keys are only valid for a short time, using\n   standard x509 verification would consider the certificate invalid after\n   expiration. Verification needs to include validation via Rekor to verify the\n   cert was valid at the time it was used.\n\nWe hope to work with GitHub to get these types of signatures recognized as\nverified in the future!\n\n## Debugging\n\n### Configuration\n\nIf `gitsign` is running with unexpected configs, you can validate the config\nvalues that are in use by running `gitsign --version`:\n\n```sh\n$ gitsign --version\ngitsign version v0.5.2\nparsed config:\n{\n  \"Fulcio\": \"https://fulcio.sigstore.dev\",\n  \"FulcioRoot\": \"\",\n  \"Rekor\": \"https://rekor.sigstore.dev\",\n  \"ClientID\": \"sigstore\",\n  \"RedirectURL\": \"\",\n  \"Issuer\": \"https://oauth2.sigstore.dev/auth\",\n  \"ConnectorID\": \"\",\n  \"TimestampURL\": \"\",\n  \"TimestampCert\": \"\",\n  \"LogPath\": \"\"\n}\n```\n\n### Signing\n\nIf there is an error during signing, you may see an error like:\n\n```\nerror: gpg failed to sign the data\nfatal: failed to write commit object\n```\n\nWhen Git invokes signing tools, both stdout and stderr are captured which means\n`gitsign` cannot push back messages to 
shells interactively. If a TTY is\navailable, `gitsign` will output information to the TTY output directly. If a\nTTY is not available (e.g. in CI runners, etc.), you can use the `GITSIGN_LOG`\nenvironment variable to tee logs into a readable location for debugging.\n\n### Verification\n\n- `failed to verify detached signature: x509: certificate signed by unknown authority`\n\n  This usually means the TUF root used to verify the commit is not the same as\n  the root that was used to sign it. This can happen if you use multiple\n  sigstore instances frequently (e.g. if you're a sigstore developer - sigstore\n  staging). You can double check relevant environment variables by running\n  `gitsign --version`.\n\n## Privacy\n\n### What data does Gitsign store?\n\nGitsign stores data in 2 places:\n\n1. Within the Git commit\n\n   The commit itself contains a signed digest of the user commit content (e.g.\n   author, committer, message, parents, etc.) along with the code signing\n   certificate. This data is stored within the commit itself as part of your\n   repository. See\n   [Inspecting the Git commit signature](#inspecting-the-git-commit-signature)\n   for more details.\n\n2. Within the Rekor transparency log\n\n   To be able to verify signatures for ephemeral certs past their `Not After`\n   time, Gitsign records commits and the code signing certificates to\n   [Rekor](https://docs.sigstore.dev/rekor/overview/).\n\n   - If `rekorMode = online` (default)\n\n   This data is a\n   [HashedRekord](https://github.com/sigstore/rekor/blob/e375eb461cae524270889b57a249ff086bea6c05/types.md#hashed-rekord)\n   containing a SHA256 hash of the commit SHA, as well as the code signing\n   certificate. 
See\n   [Verifying the Transparency Log](#verifying-the-transparency-log) for more\n   details.\n\n   - If `rekorMode = offline`\n\n   Note: offline verification is new, and should be considered experimental for\n   now.\n\n   By default, data is written to the\n   [public Rekor instance](https://docs.sigstore.dev/rekor/public-instance). In\n   particular, users and organizations may be sensitive to the data contained\n   within code signing certificates returned by Fulcio, which may include user\n   emails or repo identifiers. See\n   [OIDC usage in Fulcio](https://github.com/sigstore/fulcio/blob/6ac6b8c94c3ec6106d68c0f92225016a3a6eef79/docs/oidc.md)\n   for more details for what data is contained in the code signing certs, and\n   [Deploy a Rekor Server Manually](https://docs.sigstore.dev/rekor/installation/#deploy-a-rekor-server-manually)\n   for how to run your own Rekor instance.\n\n## Security\n\nShould you discover any security issues, please refer to the\n[security process](https://github.com/sigstore/gitsign/security/policy)\n\n## Advanced\n\n### Inspecting the Git commit signature\n\nGit commit signatures use\n[CMS/PKCS7 signatures](https://datatracker.ietf.org/doc/html/rfc5652). 
We can\ninspect the underlying data / certificate used by running:\n\n```sh\n$ git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text\nPKCS7:\n  type: pkcs7-signedData (1.2.840.113549.1.7.2)\n  d.sign:\n    version: 1\n    md_algs:\n        algorithm: sha256 (2.16.840.1.101.3.4.2.1)\n        parameter: \u003cABSENT\u003e\n    contents:\n      type: pkcs7-data (1.2.840.113549.1.7.1)\n      d.data: \u003cABSENT\u003e\n    cert:\n        cert_info:\n          version: 2\n          serialNumber: 0x2ECFB7E0D25F9A741FC3B19B56C4B74D25864788\n          signature:\n            algorithm: ecdsa-with-SHA384 (1.2.840.10045.4.3.3)\n            parameter: \u003cABSENT\u003e\n          issuer: O=sigstore.dev, CN=sigstore-intermediate\n          validity:\n            notBefore: Jan 13 21:00:13 2023 GMT\n            notAfter: Jan 13 21:10:13 2023 GMT\n          subject:\n          key:\n            algor:\n              algorithm: id-ecPublicKey (1.2.840.10045.2.1)\n              parameter: OBJECT:prime256v1 (1.2.840.10045.3.1.7)\n            public_key:  (0 unused bits)\n              0000 - 04 0d 3e f5 05 98 53 d2-68 21 9d e7 88 07   ..\u003e...S.h!....\n              000e - 0a d9 bc 8e 9f e3 00 e0-5d 28 b2 41 24 a7   ........](.A$.\n              001c - a5 93 28 cc 45 d9 1e ee-a3 1c 8d 42 64 ab   ..(.E......Bd.\n              002a - 14 e6 ec 41 29 77 3a 0e-95 94 33 f7 40 62   ...A)w:...3.@b\n              0038 - cd 25 fd 17 35 be 4d d4-f9                  .%..5.M..\n          issuerUID: \u003cABSENT\u003e\n          subjectUID: \u003cABSENT\u003e\n          extensions:\n              object: X509v3 Key Usage (2.5.29.15)\n              critical: TRUE\n              value:\n                0000 - 03 02 07 80                              ....\n\n              object: X509v3 Extended Key Usage (2.5.29.37)\n              critical: BOOL ABSENT\n              value:\n         
       0000 - 30 0a 06 08 2b 06 01 05-05 07 03 03      0...+.......\n\n              object: X509v3 Subject Key Identifier (2.5.29.14)\n              critical: BOOL ABSENT\n              value:\n                0000 - 04 14 46 eb 25 b9 3b 3d-87 71 6a eb ba   ..F.%.;=.qj..\n                000d - e4 a4 4b b0 f1 17 4b 46-58               ..K...KFX\n\n              object: X509v3 Authority Key Identifier (2.5.29.35)\n              critical: BOOL ABSENT\n              value:\n                0000 - 30 16 80 14 df d3 e9 cf-56 24 11 96 f9   0.......V$...\n                000d - a8 d8 e9 28 55 a2 c6 2e-18 64 3f         ...(U....d?\n\n              object: X509v3 Subject Alternative Name (2.5.29.17)\n              critical: TRUE\n              value:\n                0000 - 30 16 81 14 62 69 6c 6c-79 40 63 68 61   0...billy@cha\n                000d - 69 6e 67 75 61 72 64 2e-64 65 76         inguard.dev\n\n              object: undefined (1.3.6.1.4.1.57264.1.1)\n              critical: BOOL ABSENT\n              value:\n                0000 - 68 74 74 70 73 3a 2f 2f-61 63 63 6f 75   https://accou\n                000d - 6e 74 73 2e 67 6f 6f 67-6c 65 2e 63 6f   nts.google.co\n                001a - 6d                                       m\n\n              object: undefined (1.3.6.1.4.1.11129.2.4.2)\n              critical: BOOL ABSENT\n              value:\n                0000 - 04 7b 00 79 00 77 00 dd-3d 30 6a c6 c7   .{.y.w..=0j..\n                000d - 11 32 63 19 1e 1c 99 67-37 02 a2 4a 5e   .2c....g7..J^\n                001a - b8 de 3c ad ff 87 8a 72-80 2f 29 ee 8e   ..\u003c....r./)..\n                0027 - 00 00 01 85 ac ee dc fa-00 00 04 03 00   .............\n                0034 - 48 30 46 02 21 00 a1 e2-05 30 53 6f fb   H0F.!....0So.\n                0041 - 05 28 b6 bb 41 77 a9 7c-21 f4 a9 49 8b   .(..Aw.|!..I.\n                004e - f8 a6 1f 35 85 a7 40 b3-07 5c cb 04 02   ...5..@..\\...\n                005b - 21 00 f4 39 7b 17 5a 59-fa 10 1c f8 bf   
!..9{.ZY.....\n                0068 - 46 cd bc de cc e8 39 7a-03 d4 1c 78 e5   F.....9z...x.\n                0075 - b1 e7 7a ba 66 79 f2 c8-                 ..z.fy..\n        sig_alg:\n          algorithm: ecdsa-with-SHA384 (1.2.840.10045.4.3.3)\n          parameter: \u003cABSENT\u003e\n        signature:  (0 unused bits)\n          0000 - 30 65 02 30 5b 7c d7 ea-7c 5f 68 76 0b da 50   0e.0[|..|_hv..P\n          000f - 14 cc bf 4c 65 07 70 68-52 33 9a 85 57 ce f5   ...Le.phR3..W..\n          001e - ff 18 5b 8b 08 76 2a dd-7d 1a 19 7f b6 90 be   ..[..v*.}......\n          002d - ad 24 96 9a 2a 0a d6 02-31 00 ac 15 2b 1d 00   .$..*...1...+..\n          003c - 6e 26 95 66 c9 6d cd 7e-e0 cd 12 0e 60 8b f9   n\u0026.f.m.~....`..\n          004b - 38 a9 0a dc 01 28 9a 39-e3 cd c9 eb a5 0c 08   8....(.9.......\n          005a - 71 47 39 c8 dc 9d db c3-cf 8e f5 cd e9         qG9..........\n    crl:\n      \u003cEMPTY\u003e\n    signer_info:\n        version: 1\n        issuer_and_serial:\n          issuer: O=sigstore.dev, CN=sigstore-intermediate\n          serial: 0x2ECFB7E0D25F9A741FC3B19B56C4B74D25864788\n        digest_alg:\n          algorithm: sha256 (2.16.840.1.101.3.4.2.1)\n          parameter: \u003cABSENT\u003e\n        auth_attr:\n            object: contentType (1.2.840.113549.1.9.3)\n            value.set:\n              OBJECT:pkcs7-data (1.2.840.113549.1.7.1)\n\n            object: signingTime (1.2.840.113549.1.9.5)\n            value.set:\n              UTCTIME:Jan 13 21:00:13 2023 GMT\n\n            object: messageDigest (1.2.840.113549.1.9.4)\n            value.set:\n              OCTET STRING:\n                0000 - 21 e9 ce 7a 69 ff 22 57-43 a2 fc c9 12   !..zi.\"WC....\n                000d - 8a 67 c6 45 e7 31 88 4c-08 3f 26 9a 13   .g.E.1.L.?\u0026..\n                001a - ac 85 d6 6d f5 8e                        ...m..\n        digest_enc_alg:\n          algorithm: ecdsa-with-SHA256 (1.2.840.10045.4.3.2)\n          parameter: \u003cABSENT\u003e\n  
      enc_digest:\n          0000 - 30 46 02 21 00 cc 5a 1e-9a 27 70 ba 1f 70 7d   0F.!..Z..'p..p}\n          000f - d6 f0 1c 56 f2 32 b3 d2-8f c4 63 dd 9c 82 cc   ...V.2....c....\n          001e - 69 30 2c cd 9e 90 f9 02-21 00 82 43 0a f7 79   i0,.....!..C..y\n          002d - 64 41 14 6b 28 03 ac 38-2b a3 82 bd a8 a1 ea   dA.k(..8+......\n          003c - 52 db cf f2 5f d4 84 4f-85 b4 53 53            R..._..O..SS\n        unauth_attr:\n            object: undefined (1.3.6.1.4.1.57264.3.8)\n            value.set:\n              INTEGER:6954358\n\n            object: undefined (1.3.6.1.4.1.57264.3.9)\n            value.set:\n              INTEGER:6954357\n\n            object: undefined (1.3.6.1.4.1.57264.3.1)\n            value.set:\n              INTEGER:1673643613\n\n            object: undefined (1.3.6.1.4.1.57264.3.3)\n            value.set:\n              INTEGER:11117788\n\n            object: undefined (1.3.6.1.4.1.57264.3.2)\n            value.set:\n              PRINTABLESTRING:c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d\n\n            object: undefined (1.3.6.1.4.1.57264.3.7)\n            value.set:\n              PRINTABLESTRING:373443ac6ee5e01d4bfa00666f79d5c7cee0380684ebe571fc98bdffea82f972\n\n            object: undefined (1.3.6.1.4.1.57264.3.4)\n            value.set:\n              OCTET STRING:\n                0000 - 30 45 02 20 00 d0 88 ff-91 18 75 1c 90   0E. 
......u..\n                000d - 4c aa f3 37 94 45 a8 ca-1e a4 de 60 10   L..7.E.....`.\n                001a - 0a 22 69 03 c9 2d d2 0e-1a 9f 02 21 00   .\"i..-.....!.\n                0027 - af cd 78 85 f2 66 5f 22-c5 d3 a2 5c fc   ..x..f_\"...\\.\n                0034 - e2 c1 fe 0c f2 27 aa f0-fa fd 73 ca 5d   .....'....s.]\n                0041 - 58 98 9c 00 df 5c                        X....\\\n\n            object: undefined (1.3.6.1.4.1.57264.3.5)\n            value.set:\n              UTF8STRING:rekor.sigstore.dev - 2605736670972794746\n6954358\nNzRDrG7l4B1L+gBmb3nVx87gOAaE6+Vx/Ji9/+qC+XI=\nTimestamp: 1673643613823629328\n\n\\U2014 rekor.sigstore.dev wNI9ajBFAiB1IrUY3QV0nXQF0NFuo+1WtTRRYIKhaBI4rUj0Ry3WkwIhAI6D+kvZh+NhJ7Xi4HT0kPVB0nxGjR+cOHFOU1HJbUKF\n\n\n            object: undefined (1.3.6.1.4.1.57264.3.6)\n            value.set:\n              SEQUENCE:\n    0:d=0  hl=4 l= 858 cons: SEQUENCE\n    4:d=1  hl=2 l=  64 prim:  PRINTABLESTRING   :be961775858a32f96c8d12fb8db3c3101bb4d8296f37f53f74dc2cb51c22a9ad\n   70:d=1  hl=2 l=  64 prim:  PRINTABLESTRING   :92bd4aedddebab9be5678442a28bcfbada3300e04c0726368796a6d8b32fd909\n  136:d=1  hl=2 l=  64 prim:  PRINTABLESTRING   :6e5a335c4b2f89e25d5be75ed0a724b154e0f53367bd4888c625d96f4a1e6b79\n  202:d=1  hl=2 l=  64 prim:  PRINTABLESTRING   :67bce8699de01f6fc9ac8865ee5b08ee3a6617b57328b59cc342c55a4067652b\n  268:d=1  hl=2 l=  64 prim:  PRINTABLESTRING   :f06fad8a06e8b60133ec7847be1586d517728f2da95f6e81ec9d1e4b1bbfc9d1\n  334:d=1  hl=2 l=  64 prim:  PRINTABLESTRING   :32f164dcc4d2ff3b095c4f2d2b4beb25223cffd028a53fae3cac98f70e4bbd83\n  400:d=1  hl=2 l=  64 prim:  PRINTABLESTRING   :1c3b03f4eff02f6405ef856350ffd03650d5de5271a65f0cee51ffe4fc6a99af\n  466:d=1  hl=2 l=  64 prim:  PRINTABLESTRING   :c73ab44c0792697f44a5e237a47fff42f9c4dbf869071ee08e95dec222917f09\n  532:d=1  hl=2 l=  64 prim:  PRINTABLESTRING   :e1e7772b7c20874ea1b3bebb2fd4ec5b496bcf45c338495ddbe93ae1fbcabe2c\n  598:d=1  hl=2 l=  64 prim:  PRINTABLESTRING   
:5da6951fe16688f8a256fc9adf3ccda1806b811e2bc50caab99ee61ded6ef6a3\n  664:d=1  hl=2 l=  64 prim:  PRINTABLESTRING   :e7d67f5102ddeda58eda651dcba76876d01955a4eca9fce4caaf9e0ba7521cdd\n  730:d=1  hl=2 l=  64 prim:  PRINTABLESTRING   :616429db6c7d20c5b0eff1a6e512ea57a0734b94ae0bc7c914679463e01a7fba\n  796:d=1  hl=2 l=  64 prim:  PRINTABLESTRING   :5a4ad1534b1e770f02bfde0de15008a6971cf1ffbfa963fc9c2a644973a8d2d1\n-----BEGIN PKCS7-----\nMIIJ3gYJKoZIhvcNAQcCoIIJzzCCCcsCAQExDTALBglghkgBZQMEAgEwCwYJKoZI\nhvcNAQcBoIICpTCCAqEwggInoAMCAQICFC7Pt+DSX5p0H8Oxm1bEt00lhkeIMAoG\nCCqGSM49BAMDMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2ln\nc3RvcmUtaW50ZXJtZWRpYXRlMB4XDTIzMDExMzIxMDAxM1oXDTIzMDExMzIxMTAx\nM1owADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABA0+9QWYU9JoIZ3niAcK2byO\nn+MA4F0oskEkp6WTKMxF2R7uoxyNQmSrFObsQSl3Og6VlDP3QGLNJf0XNb5N1Pmj\nggFGMIIBQjAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYD\nVR0OBBYEFEbrJbk7PYdxauu65KRLsPEXS0ZYMB8GA1UdIwQYMBaAFN/T6c9WJBGW\n+ajY6ShVosYuGGQ/MCIGA1UdEQEB/wQYMBaBFGJpbGx5QGNoYWluZ3VhcmQuZGV2\nMCkGCisGAQQBg78wAQEEG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTCBiwYK\nKwYBBAHWeQIEAgR9BHsAeQB3AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAv\nKe6OAAABhazu3PoAAAQDAEgwRgIhAKHiBTBTb/sFKLa7QXepfCH0qUmL+KYfNYWn\nQLMHXMsEAiEA9Dl7F1pZ+hAc+L9GzbzezOg5egPUHHjlsed6umZ58sgwCgYIKoZI\nzj0EAwMDaAAwZQIwW3zX6nxfaHYL2lAUzL9MZQdwaFIzmoVXzvX/GFuLCHYq3X0a\nGX+2kL6tJJaaKgrWAjEArBUrHQBuJpVmyW3NfuDNEg5gi/k4qQrcASiaOePNyeul\nDAhxRznI3J3bw8+O9c3pMYIG/zCCBvsCAQEwTzA3MRUwEwYDVQQKEwxzaWdzdG9y\nZS5kZXYxHjAcBgNVBAMTFXNpZ3N0b3JlLWludGVybWVkaWF0ZQIULs+34NJfmnQf\nw7GbVsS3TSWGR4gwCwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3\nDQEHATAcBgkqhkiG9w0BCQUxDxcNMjMwMTEzMjEwMDEzWjAvBgkqhkiG9w0BCQQx\nIgQgIenOemn/IldDovzJEopnxkXnMYhMCD8mmhOshdZt9Y4wCgYIKoZIzj0EAwIE\nSDBGAiEAzFoemidwuh9wfdbwHFbyMrPSj8Rj3ZyCzGkwLM2ekPkCIQCCQwr3eWRB\nFGsoA6w4K6OCvaih6lLbz/Jf1IRPhbRTU6GCBdUwEwYKKwYBBAGDvzADCDEFAgNq\nHXYwEwYKKwYBBAGDvzADCTEFAgNqHXUwFAYKKwYBBAGDvzADATEGAgRjwcZdMBQG\nCisGAQQBg78wAwMxBgIEAKmk3DBQBgorBgEEAYO/MAMCMUI
TQGMwZDIzZDZhZDQw\nNjk3M2Y5NTU5ZjNiYTJkMWNhMDFmODQxNDdkOGZmYzViODQ0NWMyMjRmOThiOTU5\nMTgwMWQwUAYKKwYBBAGDvzADBzFCE0AzNzM0NDNhYzZlZTVlMDFkNGJmYTAwNjY2\nZjc5ZDVjN2NlZTAzODA2ODRlYmU1NzFmYzk4YmRmZmVhODJmOTcyMFcGCisGAQQB\ng78wAwQxSQRHMEUCIADQiP+RGHUckEyq8zeURajKHqTeYBAKImkDyS3SDhqfAiEA\nr814hfJmXyLF06Jc/OLB/gzyJ6rw+v1zyl1YmJwA31wwggEMBgorBgEEAYO/MAMF\nMYH9DIH6cmVrb3Iuc2lnc3RvcmUuZGV2IC0gMjYwNTczNjY3MDk3Mjc5NDc0Ngo2\nOTU0MzU4Ck56UkRyRzdsNEIxTCtnQm1iM25WeDg3Z09BYUU2K1Z4L0ppOS8rcUMr\nWEk9ClRpbWVzdGFtcDogMTY3MzY0MzYxMzgyMzYyOTMyOAoK4oCUIHJla29yLnNp\nZ3N0b3JlLmRldiB3Tkk5YWpCRkFpQjFJclVZM1FWMG5YUUYwTkZ1bysxV3RUUlJZ\nSUtoYUJJNHJVajBSeTNXa3dJaEFJNkQra3ZaaCtOaEo3WGk0SFQwa1BWQjBueEdq\nUitjT0hGT1UxSEpiVUtGCjCCA24GCisGAQQBg78wAwYxggNeMIIDWhNAYmU5NjE3\nNzU4NThhMzJmOTZjOGQxMmZiOGRiM2MzMTAxYmI0ZDgyOTZmMzdmNTNmNzRkYzJj\nYjUxYzIyYTlhZBNAOTJiZDRhZWRkZGViYWI5YmU1Njc4NDQyYTI4YmNmYmFkYTMz\nMDBlMDRjMDcyNjM2ODc5NmE2ZDhiMzJmZDkwORNANmU1YTMzNWM0YjJmODllMjVk\nNWJlNzVlZDBhNzI0YjE1NGUwZjUzMzY3YmQ0ODg4YzYyNWQ5NmY0YTFlNmI3ORNA\nNjdiY2U4Njk5ZGUwMWY2ZmM5YWM4ODY1ZWU1YjA4ZWUzYTY2MTdiNTczMjhiNTlj\nYzM0MmM1NWE0MDY3NjUyYhNAZjA2ZmFkOGEwNmU4YjYwMTMzZWM3ODQ3YmUxNTg2\nZDUxNzcyOGYyZGE5NWY2ZTgxZWM5ZDFlNGIxYmJmYzlkMRNAMzJmMTY0ZGNjNGQy\nZmYzYjA5NWM0ZjJkMmI0YmViMjUyMjNjZmZkMDI4YTUzZmFlM2NhYzk4ZjcwZTRi\nYmQ4MxNAMWMzYjAzZjRlZmYwMmY2NDA1ZWY4NTYzNTBmZmQwMzY1MGQ1ZGU1Mjcx\nYTY1ZjBjZWU1MWZmZTRmYzZhOTlhZhNAYzczYWI0NGMwNzkyNjk3ZjQ0YTVlMjM3\nYTQ3ZmZmNDJmOWM0ZGJmODY5MDcxZWUwOGU5NWRlYzIyMjkxN2YwORNAZTFlNzc3\nMmI3YzIwODc0ZWExYjNiZWJiMmZkNGVjNWI0OTZiY2Y0NWMzMzg0OTVkZGJlOTNh\nZTFmYmNhYmUyYxNANWRhNjk1MWZlMTY2ODhmOGEyNTZmYzlhZGYzY2NkYTE4MDZi\nODExZTJiYzUwY2FhYjk5ZWU2MWRlZDZlZjZhMxNAZTdkNjdmNTEwMmRkZWRhNThl\nZGE2NTFkY2JhNzY4NzZkMDE5NTVhNGVjYTlmY2U0Y2FhZjllMGJhNzUyMWNkZBNA\nNjE2NDI5ZGI2YzdkMjBjNWIwZWZmMWE2ZTUxMmVhNTdhMDczNGI5NGFlMGJjN2M5\nMTQ2Nzk0NjNlMDFhN2ZiYRNANWE0YWQxNTM0YjFlNzcwZjAyYmZkZTBkZTE1MDA4\nYTY5NzFjZjFmZmJmYTk2M2ZjOWMyYTY0NDk3M2E4ZDJkMQ==\n-----END 
PKCS7-----\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsigstore%2Fgitsign","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsigstore%2Fgitsign","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsigstore%2Fgitsign/lists"}