https://github.com/sigstore/sigstore-java
java clients for sigstore
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/sigstore/sigstore-java
- Owner: sigstore
- License: apache-2.0
- Created: 2022-02-16T21:32:12.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2025-04-03T16:10:04.000Z (3 months ago)
- Last Synced: 2025-04-06T09:12:29.934Z (3 months ago)
- Language: Java
- Homepage:
- Size: 2.51 MB
- Stars: 54
- Watchers: 8
- Forks: 21
- Open Issues: 30
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
README
[Maven Central](https://maven-badges.herokuapp.com/maven-central/dev.sigstore/sigstore-java)
[Javadoc](https://javadoc.io/doc/dev.sigstore/sigstore-java)
[CI](https://github.com/sigstore/sigstore-java/actions/workflows/ci.yaml)

# sigstore-java

A sigstore java client for interacting with sigstore infrastructure.

You can file [issues directly](https://github.com/sigstore/sigstore-java/issues) on this project or,
if you have any questions, message us on the [sigstore#java](https://sigstore.slack.com/archives/C03239XUL92)
slack channel.

## Minimum Requirements

* Java 11

## Usage

### Build plugins

For use directly with your java build. See [maven](https://github.com/sigstore/sigstore-java/tree/main/sigstore-maven-plugin) or [gradle](https://github.com/sigstore/sigstore-java/tree/main/sigstore-gradle)
build plugin specifics.

### Keyless Signing And Verification
#### Signing

```java
Path testArtifact = Paths.get("path/to/my/file.jar");

// sign using the sigstore public instance
var signer = KeylessSigner.builder().sigstorePublicDefaults().build();
Bundle result = signer.signFile(testArtifact);

// sigstore bundle format (serialized as .sigstore.json)
String bundleJson = result.toJson();
```

#### Verification
##### Get artifact and bundle

```java
Path artifact = Paths.get("path/to/my-artifact");

// import a json formatted sigstore bundle
Path bundleFile = Paths.get("path/to/my-artifact.sigstore.json");
Bundle bundle = Bundle.from(bundleFile, StandardCharsets.UTF_8);
```

##### Configure verification options
```java
// add certificate policy to verify the identity of the signer
VerificationOptions options = VerificationOptions.builder().addCertificateMatchers(
    CertificateMatcher.fulcio()
        .subjectAlternativeName(StringMatcher.string("[email protected]"))
        .issuer(StringMatcher.string("https://accounts.example.com"))
        .build());
```

##### Do verification
```java
try {
    // verify using the sigstore public instance
    var verifier = KeylessVerifier.builder().sigstorePublicDefaults().build();
    // 'options' is the VerificationOptions built in the previous step
    verifier.verify(artifact, bundle, options);
    // verification passed!
} catch (KeylessVerificationException e) {
    // verification failed
}
```

#### Verifying DSSE Bundles
sigstore-java doesn't create DSSE bundles yet, but it can verify the signatures over them with the same
KeylessVerifier workflow detailed above. While sigstore-java inspects the [embedded payload](https://docs.sigstore.dev/about/bundle/#dsse)
to ensure the provided artifact is a subject in the [in-toto statement](https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md),
it is not able to make any further assertions about the payload. Consumers of DSSE bundles should inspect
the embedded payload to verify extended attestation data using tools like [slsa-verifier](https://github.com/slsa-framework/slsa-verifier).

### Exploring the API
The public stable API is limited to [`dev.sigstore.KeylessSigner`](https://javadoc.io/doc/dev.sigstore/sigstore-java/latest/dev/sigstore/KeylessSigner.html) and [`dev.sigstore.KeylessVerifier`](https://javadoc.io/doc/dev.sigstore/sigstore-java/latest/dev/sigstore/KeylessVerifier.html) and the classes exposed by those APIs. Other classes in the library are subject to change without notice.
You can browse Javadoc at https://javadoc.io/doc/dev.sigstore/sigstore-java.
To build and view javadoc from the sources, use the following command:
```sh
$ ./gradlew javadoc
$ "my-favorite-browser" ./sigstore-java/build/docs/javadoc/index.html
```
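The DSSE section above leaves inspection of the attestation payload to the consumer. The following is an added example, not code from the sigstore-java project, of the minimum checks a consumer would apply once `KeylessVerifier.verify` has accepted the bundle: the envelope's payload type, the statement's `predicateType`, and that the artifact's own sha256 appears among the statement subjects. It assumes Gson is on the classpath and the class name `AttestationPolicy` is hypothetical; field names follow the sigstore bundle JSON and the in-toto v1 statement layout.

```java
import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
// Hypothetical helper (not part of sigstore-java): policy checks on the in-toto statement carried in a
// DSSE bundle. Only meaningful once KeylessVerifier.verify() has already accepted the bundle.
public final class AttestationPolicy {
  // Returns true when the bundle is a DSSE bundle whose statement lists the artifact's sha256 as a
  // subject and carries the expected predicateType (field names: sigstore bundle JSON / in-toto v1).
  public static boolean payloadMatches(String bundleJson, byte[] artifact, String expectedPredicateType)
      throws NoSuchAlgorithmException {
    JsonObject envelope = JsonParser.parseString(bundleJson).getAsJsonObject().getAsJsonObject("dsseEnvelope");
    if (envelope == null) {
      return false; // a plain message-signature bundle carries no payload to inspect
    }
    if (!envelope.has("payloadType")
        || !"application/vnd.in-toto+json".equals(envelope.get("payloadType").getAsString())) {
      return false;
    }
    byte[] payload = Base64.getDecoder().decode(envelope.get("payload").getAsString());
    JsonObject statement = JsonParser.parseString(new String(payload, StandardCharsets.UTF_8)).getAsJsonObject();
    if (!statement.has("predicateType")
        || !expectedPredicateType.equals(statement.get("predicateType").getAsString())) {
      return false;
    }
    // The DSSE signature proves the statement is authentic; this binds it to the bytes we actually hold.
    String artifactDigest = sha256Hex(artifact);
    JsonArray subjects = statement.getAsJsonArray("subject");
    if (subjects == null) return false;
    for (JsonElement subject : subjects) {
      JsonObject digest = subject.getAsJsonObject().getAsJsonObject("digest");
      if (digest != null && digest.has("sha256")
          && artifactDigest.equalsIgnoreCase(digest.get("sha256").getAsString())) {
        return true;
      }
    }
    return false;
  }
  private static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
    StringBuilder hex = new StringBuilder();
    for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) {
      hex.append(String.format("%02x", b));
    }
    return hex.toString();
  }
}
```

Feed it the bundle text (`Files.readString(bundleFile)`) and the artifact bytes (`Files.readAllBytes(artifact)`) after the signature check, and treat a `false` result as a verification failure.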