Note that we do not provide built versions of this library, but you can see which architectures your version of Go supports with go tool dist list.

For an example of how to use this library, see the verification documentation, the CLI cmd/sigstore-go, or the CLI examples below. Note that the CLI exists to demonstrate how to use the library and is not intended as a fully-featured Sigstore CLI like cosign.

There is no built-in support for signing with a KMS or other bring-your-own-key mechanism; however, you can easily add support by implementing your own version of the interface pkg/sign/keys.go:Keypair.
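
One way to back that interface with a key you do not hold locally, as an added example that is not sigstore-go's own code. ExternalKeypair and demoRoundTrip are hypothetical names, the method names are an assumed subset of the Keypair interface (check pkg/sign/keys.go in your version for the full method set), and an in-memory P-256 key stands in for the KMS.

```go
package main

import (
	"context"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// ExternalKeypair adapts an ECDSA crypto.Signer, the usual handle for a KMS or HSM key.
// Method names are an assumed subset of sigstore-go's Keypair interface.
type ExternalKeypair struct{ signer crypto.Signer }

// GetPublicKeyPem exports only the public half; the private key stays behind the signer.
func (k *ExternalKeypair) GetPublicKeyPem() (string, error) {
	der, err := x509.MarshalPKIXPublicKey(k.signer.Public())
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// SignData hashes locally, hands only the digest to the signer, and returns (signature, digest).
func (k *ExternalKeypair) SignData(_ context.Context, data []byte) ([]byte, []byte, error) {
	digest := sha256.Sum256(data)
	sig, err := k.signer.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return nil, nil, err
	}
	return sig, digest[:], nil
}

// demoRoundTrip signs with an in-memory P-256 key (constructed stand-in for a KMS key) and verifies.
func demoRoundTrip(data []byte) (bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	sig, digest, err := (&ExternalKeypair{signer: priv}).SignData(context.Background(), data)
	return err == nil && ecdsa.VerifyASN1(&priv.PublicKey, digest, sig), err
}

func main() { fmt.Println(demoRoundTrip([]byte("constructed artifact"))) }
```

Because the adapter only needs crypto.Signer, a KMS client that implements that standard-library interface can be dropped in where the in-memory key is used.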

sigstore-go is currently in beta and may have minor API changes before the 1.0.0 release. It does, however, pass the sigstore-conformance signing and verification test suite, and correctness is taken very seriously.

Sigstore already has a canonical Go client implementation, cosign, which was developed with a focus on container image signing/verification. It has a rich CLI and a long legacy of features and development. sigstore-go is a more minimal and friendly API for integrating Go code with Sigstore, with a focus on the newly specified data structures in sigstore/protobuf-specs. sigstore-go attempts to minimize the dependency tree for simple signing and verification tasks, omitting KMS support and container image verification, and we intend to refactor parts of cosign to depend on sigstore-go.

Bug reports are welcome via issues and questions are welcome via discussion. Please refer to SUPPORT.md for details. This project is provided as-is.