An experimental Rust crate for sigstore https://docs.rs/sigstore/latest/sigstore/
  • Rust 99.8%
  • Makefile 0.2%
Flavio Castelli 65573a7f1c
Merge pull request #556 from sigstore/dependabot/cargo/cached-0.59
build(deps): update cached requirement from 0.56 to 0.59
2026-03-31 11:39:18 +02:00
.cargo ci: update cargo audit configuration 2025-09-01 17:10:11 +02:00
.github Merge pull request #552 from sigstore/dependabot/github_actions/zizmorcore/zizmor-action-0.5.2 2026-03-31 11:03:37 +02:00
examples refactor: Hash decoding to API boundary in LogInfo,ConsistencyProof 2025-12-17 18:05:30 +01:00
src chore: fix linter warning 2026-03-31 11:09:37 +02:00
tests chore: Audit features and optional dependencies 2025-02-25 13:48:45 +00:00
trust_root/prod Update embedded trust root 2025-02-06 11:55:20 +02:00
.gitignore Increase gitignore coverage (#78) 2022-07-13 09:34:00 +01:00
.taplo.toml ci: Add TOML format checks 2025-02-25 15:35:14 +00:00
Cargo.toml build(deps): update cached requirement from 0.56 to 0.59 2026-03-30 20:26:31 +00:00
CHANGELOG.md Tag 0.10.0 release 2024-09-11 12:26:06 +02:00
clippy.toml ci: Add TOML format checks 2025-02-25 15:35:14 +00:00
CODE_OF_CONDUCT.md Sigstore Project Init 2021-10-22 14:28:30 +01:00
CODEOWNERS Add Xynnn007 as a maintainer (#128) 2022-09-20 10:46:59 +01:00
CONTRIBUTORS.md fix internal anchor links 2025-04-29 21:14:34 +02:00
COPYRIGHT.txt Sigstore Project Init 2021-10-22 14:28:30 +01:00
LICENSE initial implementation 2021-10-04 19:21:24 +02:00
Makefile ci: test wasm32-unknown-unknown target 2025-11-20 14:20:55 +01:00
README.md Add verify-blob example 2023-04-04 08:27:32 +02:00
rust-toolchain.toml Pin Rust toolchain to 1.85.0 for consistent builds 2025-11-03 07:39:01 +01:00

Continuous integration Docs License: Apache 2.0 Crate version Crate downloads

A crate to interact with sigstore.

This crate is under active development and will not be considered stable until the 1.0 release.

Features

Cosign Sign and Verify

The crate implements the following signing and verification mechanisms:

  • Sign using a cosign key and store the signature in a registry
  • Verify using a given key
  • Verify bundle produced by transparency log (Rekor)
  • Verify signature produced in keyless mode, using Fulcio Web-PKI

Signature annotations and certificate email can be provided at verification time.

Fulcio Integration

For use with Fulcio ephemeral key signing, an OpenID Connect API is available, along with a Fulcio client implementation.

Rekor Client

All Rekor client APIs can be leveraged to interact with the transparency log.

Key Interface

Cryptographic key management with the following key interfaces:

  • Generate a key pair
  • Sign data
  • Verify signature
  • Export public / (encrypted) private key in PEM / DER format
  • Import public / (encrypted) private key in PEM / DER format

Known limitations

  • The crate does not handle verification of attestations yet.

Examples

The examples directory contains demo programs using the library.

Each example can be executed with the cargo run --example <name> command.

For example, openidconnect can be run with the following command:

cargo run --example openidconnect

WebAssembly/WASM support

To embed this crate in WASM modules, build it using the wasm cargo feature:

cargo build --no-default-features --features wasm --target wasm32-unknown-unknown

NOTE: The wasm32-wasi target architecture is not yet supported.

Contributing

Contributions are welcome! Please see the contributing guidelines for more information.

Security

Should you discover any security issues, please refer to sigstore's security process.