sigstore/sigstore contains common Sigstore code: that is, code shared by infrastructure (e.g., Fulcio and Rekor) and Go language clients (e.g., Cosign and Gitsign).
This library currently provides:
- A signing interface (support for ECDSA, Ed25519, RSA, DSSE (in-toto))
- OpenID Connect Fulcio client code
The following KMS systems are available:
- AWS Key Management Service
- Azure Key Vault
- HashiCorp Vault
- Google Cloud Platform Key Management Service
For example code, look at the relevant test code for each main code file.
The fuzzing tests are within
Should you discover any security issues, please refer to Sigstore's security process.
For container signing, you want Cosign.