sigstore-java
Definition
Sigstore-java is a Java library that provides tools for signing, verifying, and managing software artifacts using the Sigstore ecosystem. It is designed to enhance the security of software supply chains by enabling developers to cryptographically sign their code and verify signatures using public transparency logs, thereby ensuring the integrity and authenticity of software components.
Secure Settings Example
import dev.sigstore.KeylessSigner;
import dev.sigstore.KeylessVerification;
import dev.sigstore.VerificationResult;

// Initialize the signer with secure defaults: Fulcio for short-lived
// signing certificates and Rekor for the public transparency log
KeylessSigner signer = KeylessSigner.builder()
    .useFulcio()
    .useRekor()
    .build();

// Sign the artifact
byte[] artifact = ...; // your artifact bytes
byte[] signature = signer.sign(artifact);

// Verify the signature against the same Fulcio and Rekor configuration
KeylessVerification verifier = KeylessVerification.builder()
    .useFulcio()
    .useRekor()
    .build();

VerificationResult result = verifier.verify(artifact, signature);
if (result.isValid()) {
    System.out.println("Signature is valid and verified.");
}
Insecure Settings Example
import dev.sigstore.KeylessSigner;
import dev.sigstore.KeylessVerification;

// Initialize the signer without specifying Fulcio or Rekor
KeylessSigner signer = KeylessSigner.builder().build();

// Sign the artifact; nothing is recorded in a transparency log
byte[] artifact = ...; // your artifact bytes
byte[] signature = signer.sign(artifact);

// Verify the signature without using transparency logs
KeylessVerification verifier = KeylessVerification.builder().build();
boolean isValid = verifier.verify(artifact, signature).isValid();
if (isValid) {
    System.out.println("Signature is valid.");
} else {
    System.out.println("Signature verification failed.");
}

Because neither Fulcio nor Rekor is configured, this verifier has no transparency log to check the signature against, so a true result from isValid() only shows that the signature matches the bytes; it does not establish who produced the signature or that the signing event was publicly recorded, which is the property the library is meant to provide.