Giters

priyawadhwa / sigstore

Signing prototype

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

sigstore framework

Fuzzing Status

sigstore/sigstore is a generic library / framework that is utilized by various other clients and projects including fulcio (webPKI), cosign (container and OCI signing tool) and tektoncd/chains (Supply Chain Security in Tekton Pipelines).

sigstore is a good candidate for anyone wanting to develop go based clients / systems and utilise existing go modules for common sigstore functionality.

This library currently provides:

  • A signing interface (support for ecdsa, ed25519, rsa, DSSE (in-toto))
  • OpenID Connect fulcio client code

The following KMS systems are available:

  • AWS Key Management Service
  • Azure Key Vault
  • HashiCorp Vault
  • Google Cloud Platform Key Management Service

For example code, look at the relevant test code for each main code file.

Fuzzing

The fuzzing tests are within https://github.com/sigstore/sigstore/tree/main/test/fuzz

Security

Should you discover any security issues, please refer to sigstores security process

For container signing, you want cosign

About

Signing prototype

License:Apache License 2.0

Languages

Language:Go 98.6%Language:Makefile 0.9%Language:Shell 0.5%