This is an experimental crate to interact with sigstore.
It is under heavy development; many features and checks are still missing.
Features
Verification
The crate implements the following verification mechanisms:
- Verify using a given key
- Verify bundle produced by transparency log (Rekor)
- Verify signature produced in keyless mode, using Fulcio Web-PKI
Signature annotations and certificate email can be provided at verification time.
OpenID Connect
For use with Fulcio ephemeral key signing, an OpenID Connect API is available.
Known limitations
- The crate does not handle verification of attestations yet.
Examples
The examples directory contains demo programs using the library.
Security
Should you discover any security issues, please refer to sigstore's security process.