Go Client Overview
sigstore-go is the Go language client library for Sigstore.
sigstore-go is intended as a minimal-dependency library for signing and verifying. It is not intended to replace cosign, which provides a CLI with many features for interacting with Sigstore. Over time, cosign will use sigstore-go for verification.
- Friendly API for integrating Go code with Sigstore
- Smaller dependency tree
- Focuses on newly specified data structures in sigstore/protobuf-specs
- Well suited to simple signing and verification tasks
sigstore-go is currently in beta.
Features
- Signing and verification of Sigstore bundles
- Verification of raw Sigstore signatures
- Signing and verifying with a Timestamp Authority (TSA)
- Online and offline signing and verifying with Rekor (Artifact Transparency Log)
- Structured verification results including certificate metadata
- TUF support
- Verification support for custom trusted root
- Basic CLI
Installation
Main CLI installation
sigstore-go requires Go 1.21 or greater. The package is tested with Go 1.23.
To compile/install the CLI, clone sigstore-go and run:
make install
Alternatively, you can use go run cmd/sigstore-go/main.go to access the CLI, as shown in the example below.
Example
CLI example
The following is an example of using the sigstore-go CLI to verify a bundle. Besides checking the signature, it binds the verification to a specific artifact (-artifact-digest) and pins the signing identity to a specific GitHub Actions workflow and OIDC issuer (-expectedSAN, -expectedIssuer); a bundle that is validly signed by some other identity, or that attests to some other artifact, fails verification.
go run cmd/sigstore-go/main.go \
-artifact-digest 76176ffa33808b54602c7c35de5c6e9a4deb96066dba6533f50ac234f4f1f4c6b3527515dc17c06fbe2860030f410eee69ea20079bd3a2c6f3dcf3b329b10751 \
-artifact-digest-algorithm sha512 \
-expectedIssuer https://token.actions.githubusercontent.com \
-expectedSAN https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main \
examples/bundle-provenance.json
Verification successful!
{
"version": 20230823,
"statement": {
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2",
"subject": ...
},
...
}
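The artifact-binding half of the check above, as an added stand-alone example that is not sigstore-go's code and does not use its API: it parses the JSON form of a Sigstore bundle carrying a DSSE envelope, decodes the in-toto statement, and tests whether one of the statement's subjects carries the locally computed digest of the artifact, which is what -artifact-digest and -artifact-digest-algorithm feed into the CLI's policy. The bundle is constructed inline (function ConstructedBundle, with a placeholder signature) rather than produced by a signer. The example deliberately stops short of signature, certificate and transparency-log verification, which require the library and a trusted root; it exists to show the bundle, DSSE and in-toto structure and why a signed attestation must still be rejected when its subject does not name the artifact in hand.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"hash"
)

// Minimal view of a Sigstore bundle in its JSON form (sigstore/protobuf-specs)
// carrying a DSSE envelope. Only the fields this example reads are declared;
// verificationMaterial (certificate, Rekor entry, timestamps) is omitted.
type Bundle struct {
	MediaType    string       `json:"mediaType"`
	DSSEEnvelope DSSEEnvelope `json:"dsseEnvelope"`
}

type DSSEEnvelope struct {
	Payload     string          `json:"payload"`     // standard base64 of the in-toto statement
	PayloadType string          `json:"payloadType"` // application/vnd.in-toto+json
	Signatures  []DSSESignature `json:"signatures"`
}

type DSSESignature struct {
	Sig string `json:"sig"`
}

// in-toto Statement; the subject list binds the attestation to an artifact.
type Statement struct {
	Type          string    `json:"_type"`
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"` // algorithm name -> hex digest
}

// DigestArtifact hex-encodes the digest of artifact under alg, mirroring the
// CLI's -artifact-digest / -artifact-digest-algorithm pair.
func DigestArtifact(artifact []byte, alg string) (string, error) {
	var h hash.Hash
	switch alg {
	case "sha256":
		h = sha256.New()
	case "sha512":
		h = sha512.New()
	default:
		return "", fmt.Errorf("unsupported digest algorithm %q", alg)
	}
	h.Write(artifact)
	return hex.EncodeToString(h.Sum(nil)), nil
}

// StatementFromBundle decodes the DSSE payload into an in-toto statement.
// It does NOT verify the DSSE signatures; that is the library's job.
func StatementFromBundle(bundleJSON []byte) (*Statement, error) {
	var b Bundle
	if err := json.Unmarshal(bundleJSON, &b); err != nil {
		return nil, fmt.Errorf("bundle: %w", err)
	}
	if b.DSSEEnvelope.PayloadType != "application/vnd.in-toto+json" {
		return nil, fmt.Errorf("unexpected payloadType %q", b.DSSEEnvelope.PayloadType)
	}
	if len(b.DSSEEnvelope.Signatures) == 0 {
		return nil, fmt.Errorf("DSSE envelope carries no signatures")
	}
	raw, err := base64.StdEncoding.DecodeString(b.DSSEEnvelope.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	var st Statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("statement: %w", err)
	}
	return &st, nil
}

// SubjectMatches reports whether some subject of the statement carries
// wantDigest under alg. A validly signed attestation for a different artifact
// must still be rejected, which is what this policy check enforces.
func SubjectMatches(bundleJSON []byte, alg, wantDigest string) (bool, error) {
	st, err := StatementFromBundle(bundleJSON)
	if err != nil {
		return false, err
	}
	for _, s := range st.Subject {
		if got, ok := s.Digest[alg]; ok && got == wantDigest {
			return true, nil
		}
	}
	return false, nil
}

// ConstructedBundle builds a sample bundle attesting to artifact, with a
// placeholder signature. It is fixture data, not output of sigstore-go or cosign.
func ConstructedBundle(artifact []byte) []byte {
	d, _ := DigestArtifact(artifact, "sha512")
	st := Statement{
		Type:          "https://in-toto.io/Statement/v0.1",
		PredicateType: "https://slsa.dev/provenance/v0.2",
		Subject:       []Subject{{Name: "artifact.tar.gz", Digest: map[string]string{"sha512": d}}},
	}
	payload, _ := json.Marshal(st)
	b := Bundle{
		MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.2",
		DSSEEnvelope: DSSEEnvelope{
			Payload:     base64.StdEncoding.EncodeToString(payload),
			PayloadType: "application/vnd.in-toto+json",
			Signatures:  []DSSESignature{{Sig: base64.StdEncoding.EncodeToString([]byte("placeholder-not-a-real-signature"))}},
		},
	}
	out, _ := json.Marshal(b)
	return out
}

func main() {
	artifact := []byte("constructed artifact bytes")
	bundleJSON := ConstructedBundle(artifact)
	d, _ := DigestArtifact(artifact, "sha512")
	ok, err := SubjectMatches(bundleJSON, "sha512", d)
	fmt.Println("bundle names this artifact:", ok, err)
	tampered, _ := DigestArtifact([]byte("tampered artifact bytes"), "sha512")
	ok, err = SubjectMatches(bundleJSON, "sha512", tampered)
	fmt.Println("bundle names tampered artifact:", ok, err)
}
```

In sigstore-go this subject check is only one policy alongside the certificate identity (issuer and SAN), the Fulcio chain, the Rekor inclusion proof and the timestamp, and none of those are emulated here; the digest algorithm must also be the one the producer recorded in the statement, or the lookup fails even for the right artifact.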
Additional examples
Additional examples are available in the project documentation.