sigstore-go
Definition
Sigstore-go is the Go client library for Sigstore, a project that improves software supply chain security by enabling the signing, verification, and provenance tracking of software artifacts. It gives developers the tools to sign and verify container images, binaries, and other artifacts with cryptographic signatures, so that the integrity and authenticity of software components can be checked before use.
Secure Settings Example
import (
	"fmt"

	"github.com/sigstore/sigstore-go/pkg/client"
	"github.com/sigstore/sigstore-go/pkg/verify"
)
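// verifySignature checks that the signature at signaturePath is valid for the
// artifact at artifactPath, using the public key loaded from publicKeyPath.
//
// An empty publicKeyPath is rejected before the verifier is built: without a
// caller-chosen key the verifier has nothing to pin trust to, so a "successful"
// verification would say nothing about authenticity. Empty artifact or
// signature paths are rejected for the same reason. Errors from the verifier
// are wrapped with the path being processed so callers can tell which input
// failed; the underlying error stays reachable through errors.Is/errors.As.
//
// NOTE(review): the verify.NewVerifier / VerifyFile signatures are taken from
// this example as written — confirm them against the sigstore-go release in use.
func verifySignature(artifactPath string, signaturePath string, publicKeyPath string) error {
	// Guard first: an empty key path must never reach the verifier, because a
	// verifier built without a trusted key cannot establish who signed the file.
	if publicKeyPath == "" {
		return fmt.Errorf("verifying %q: public key path is empty", artifactPath)
	}
	if artifactPath == "" || signaturePath == "" {
		return fmt.Errorf("verifying signature: artifact path and signature path must both be set")
	}

	verifier, err := verify.NewVerifier(publicKeyPath)
	if err != nil {
		return fmt.Errorf("loading public key %q: %w", publicKeyPath, err)
	}
	if err := verifier.VerifyFile(artifactPath, signaturePath); err != nil {
		return fmt.Errorf("verifying %q against %q: %w", artifactPath, signaturePath, err)
	}
	return nil
}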
Insecure Settings Example
import (
"github.com/sigstore/sigstore-go/pkg/client"
"github.com/sigstore/sigstore-go/pkg/verify"
)
// verifySignatureWithoutKey is the insecure counterpart of verifySignature:
// it builds the verifier with an empty public key path, so no caller-chosen
// key constrains which signatures are accepted. Whether NewVerifier rejects
// the empty path or falls back to another trust source is not visible here —
// confirm against the sigstore-go release in use; either way this is the
// pattern to avoid in production code.
func verifySignatureWithoutKey(artifactPath string, signaturePath string) error {
	const noKeyPath = "" // deliberately empty: the verifier is not pinned to any key

	v, newErr := verify.NewVerifier(noKeyPath)
	if newErr != nil {
		return newErr
	}
	return v.VerifyFile(artifactPath, signaturePath)
}