| Continuous integration | Docs | License | Crate version | Crate downloads |
|---|---|---|---|---|
 |
 |
 |
 |
 |
This is an experimental crate to interact with sigstore.
This is under high development, many features and checks are still missing.
The crate implements the following verification mechanisms:
- Verify using a given key
- Verify bundle produced by transparency log (Rekor)
- Verify signature produced in keyless mode, using Fulcio Web-PKI
Signature annotations and certificate email can be provided at verification time.
For use with Fulcio ephemeral key signing, an OpenID connect API is available.
- The crate does not handle verification of attestations yet.
The examples directory contains demo programs using the library.
Should you discover any security issues, please refer to sigstores security process