{"id":22281611,"url":"https://github.com/sigstore/sigstore-go","last_synced_at":"2025-04-06T12:10:05.222Z","repository":{"id":196934522,"uuid":"695286301","full_name":"sigstore/sigstore-go","owner":"sigstore","description":"Go library for Sigstore signing and verification","archived":false,"fork":false,"pushed_at":"2025-03-24T13:38:27.000Z","size":1292,"stargazers_count":60,"open_issues_count":24,"forks_count":29,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-03-30T11:07:38.398Z","etag":null,"topics":["go","golang","sigstore"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sigstore.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":"SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-09-22T19:14:58.000Z","updated_at":"2025-03-26T14:43:29.000Z","dependencies_parsed_at":"2023-10-13T02:39:44.408Z","dependency_job_id":"7334c9cb-cca3-48aa-ba10-177a18f231f5","html_url":"https://github.com/sigstore/sigstore-go","commit_stats":{"total_commits":271,"total_committers":13,"mean_commits":"20.846153846153847","dds":0.6715867158671587,"last_synced_commit":"d947117fda9f510adb85a4bdec55ac9b22cd2663"},"previous_names":["github/sigstore-go","sigstore/sigstore-go"],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Fsigstore-go","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Fsigstore-go/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/repositories/sigstore%2Fsigstore-go/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Fsigstore-go/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sigstore","download_url":"https://codeload.github.com/sigstore/sigstore-go/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247478323,"owners_count":20945266,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","golang","sigstore"],"created_at":"2024-12-03T16:19:48.772Z","updated_at":"2025-04-06T12:10:05.192Z","avatar_url":"https://github.com/sigstore.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# sigstore-go\n\nA client library for [Sigstore](https://www.sigstore.dev/), written in Go.\n\n[![Go Reference](https://pkg.go.dev/badge/github.com/sigstore/sigstore-go.svg)](https://pkg.go.dev/github.com/sigstore/sigstore-go)\n[![Go Report Card](https://goreportcard.com/badge/github.com/sigstore/sigstore-go)](https://goreportcard.com/report/github.com/sigstore/sigstore-go)\n[![e2e-tests](https://github.com/sigstore/sigstore-go/actions/workflows/build.yml/badge.svg)](https://github.com/sigstore/sigstore-go/actions/workflows/build.yml)\n\nFeatures:\n- Signing and verification of [Sigstore bundles](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto) compliant with Sigstore Client Spec\n- Verification of raw Sigstore signatures by creating bundles for them (see [conformance tests](test/conformance/main.go) for example)\n- 
Signing and verifying with a Timestamp Authority (TSA)\n- Signing and verifying (offline or online) with Rekor (Artifact Transparency Log)\n- Structured verification results including certificate metadata\n- TUF support\n- Verification support for custom [trusted root](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_trustroot.proto)\n- Examples for signing and verifying artifacts\n\nThere is no built-in support for signing with a KMS or other bring-your-own-key; however, you can easily add support by implementing your own version of the interface `pkg/sign/keys.go:Keypair`.\n\n## Background\n\nSigstore already has a canonical Go client implementation, [cosign](https://github.com/sigstore/cosign), which was developed with a focus on container image signing/verification. It has a rich CLI and a long legacy of features and development. `sigstore-go` is a more minimal and friendly API for integrating Go code with Sigstore, with a focus on the newly specified data structures in [sigstore/protobuf-specs](https://github.com/sigstore/protobuf-specs). `sigstore-go` attempts to minimize the dependency tree for simple signing and verification tasks, omitting KMS support and container image verification, and we intend to refactor parts of `cosign` to depend on `sigstore-go`.\n\n## Status\n\n`sigstore-go` is currently in beta and may have minor API changes before the 1.0.0 release. 
It does, however, pass the [`sigstore-conformance`](https://github.com/sigstore/sigstore-conformance) signing and verification test suite, and correctness is taken very seriously.\n\n## Documentation and examples\n\nDocumentation is found in the [`docs`](./docs) subdirectory and on [pkg.go.dev](https://pkg.go.dev/github.com/sigstore/sigstore-go).\n\nSee the [examples directory](./examples/README.md) for examples of how to use this library.\n\nNote that the CLI examples demonstrate how to use the library and are not intended as a fully-featured Sigstore CLI like [cosign](https://github.com/sigstore/cosign).\n\n## Requirements\n\nTested with:\n\n- Unix-compatible OS and Windows\n- [Go 1.23](https://go.dev/doc/install)\n\nNote that we do not provide built versions of this library, but you can see what architectures your version of `go` supports with `go tool dist list`.\n\n## Testing\n\nTests are invoked using the standard Go testing framework. A helper also exists in the Makefile.\n\n```shell\n$ make test\n```\n\n## Example bundles\n\n### examples/bundle-provenance.json\n\nThis came from https://www.npmjs.com/package/sigstore/v/1.3.0/provenance, with the outermost \"bundle\" key stripped off.\n\n## Support\n\nBug reports are welcome via issues and questions are welcome via discussion. Please refer to [SUPPORT.md](./SUPPORT.md) for details.\nThis project is provided as-is.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsigstore%2Fsigstore-go","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsigstore%2Fsigstore-go","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsigstore%2Fsigstore-go/lists"}