/sigstore-js

Code-signing for npm packages

Primary LanguageTypeScriptApache License 2.0Apache-2.0

sigstore-js · CI Status Smoke Test Status

JavaScript libraries for interacting with Sigstore services.

Packages

  • sigstore - Client library implementing Sigstore signing/verification workflows.
  • @sigstore/bundle - TypeScript types and utility functions for working with Sigstore bundles.
  • @sigstore/cli - Command line interface for signing/verifying artifacts with Sigstore.
  • @sigstore/sign - Library for generating Sigstore signatures.
  • @sigstore/tuf - Library for interacting with the Sigstore TUF repository.
  • @sigstore/rekor-types - TypeScript types for the Sigstore Rekor REST API.
  • @sigstore/mock - Mocking library for Sigstore services.

Development

Changesets

If you are contributing a user-facing or noteworthy change that should be added to the changelog, you should include a changeset with your PR by running the following command:

npx changeset add

Follow the prompts to specify whether the change is a major, minor or patch change. This will create a file in the .changesets directory of the repo. This change should be committed and included with your PR.

Release Steps

Whenever a new changeset is merged to the "main" branch, the release workflow will open a PR (or append to the existing PR if one is already open) with the all of the pending changesets.

Publishing a release simply requires that you approve/merge this PR. This will trigger the publishing of the package to the npm registry and the creation of the GitHub release.

Licensing

sigstore-js is licensed under the Apache 2.0 License.

Contributing

See the contributing docs for details.

Code of Conduct

Everyone interacting with this project is expected to follow the sigstore Code of Conduct.

Security

Should you discover any security issues, please refer to sigstore's security process.

Info

sigstore-js is developed as part of the sigstore project.

We also use a slack channel! Click here for the invite link.