JavaScript Client Overview

sigstore-js is a collection of JavaScript libraries for interacting with Sigstore.

The main package, sigstore, is a JavaScript library for generating and verifying Sigstore signatures. One of the intended uses is to sign and verify npm packages, but it can be used to sign and verify any file.

Full project documentation can be found in the sigstore-js project README and in each package README.

Features

  • Support for signing using an OpenID Connect identity
  • Support for publishing signatures to a Rekor instance
  • Support for verifying Sigstore bundles

Installation

sigstore requires Node.js version >= 18.17.0.

To install sigstore run the following command:

npm install sigstore

Example

To use sigstore, import the sign and verify functions into your project, using whichever module style your project uses:

// CommonJS
const { sign, verify } = require('sigstore');
// or, as an ES module
import { sign, verify } from 'sigstore';

Signing example

const bundle = await sign(Buffer.from('hello world'));

There are a number of optional arguments that can be used with the sign function. Additional information is available in the project repository.

The sign function will return a JSON-encoded Sigstore bundle which includes the signature and the necessary verification material.

Verifying example

The following call will verify the previously signed message; verify resolves on success and rejects with an error if the bundle does not verify:

await verify(bundle, Buffer.from('hello world'), { certificateIssuer: 'https://token.actions.githubusercontent.com/' });

More information on optional arguments can be found in the project documentation.

Additional Packages

The sigstore-js project includes additional functionality through its scoped packages.