
Bug#1085854: ITP: sigstore-go -- Go library for Sigstore signing and verification



Package: wnpp
Severity: wishlist
Owner: Simon Josefsson <simon@josefsson.org>

* Package name    : sigstore-go
  Version         : 0.6.2-1
  Upstream Author : sigstore
* URL             : https://github.com/sigstore/sigstore-go
* License         : Apache-2.0
  Programming Lang: Go
  Description     : Go library for Sigstore signing and verification

 sigstore-go
 .
 A client library for Sigstore (https://www.sigstore.dev/), written in
 Go.
 .
 Features:
 .
  * Signing and verification of Sigstore bundles
    (https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto)
    compliant with the Sigstore Client Spec
  * Verification of raw Sigstore signatures by creating bundles for them
    (see conformance tests (/cmd/conformance/main.go) for example)
  * Signing and verifying with a Timestamp Authority (TSA)
  * Signing and verifying (offline or online) with Rekor (Artifact
    Transparency Log)
  * Structured verification results including certificate metadata
  * TUF support
  * Verification support for a custom trusted root
    (https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_trustroot.proto)
  * Basic CLI and examples
 .
 There is no built-in support for signing with a KMS or other
 bring-your-own-key setup; however, you can add it by implementing your
 own version of the interface pkg/sign/keys.go:Keypair.
 .
 For an example of how to use this library, see the verification
 documentation (/docs/verification.md), the CLI cmd/sigstore-go
 (/cmd/sigstore-go/main.go), or the CLI examples below. Note that the CLI
 exists to demonstrate how to use the library; it is not intended as a
 fully-featured Sigstore CLI like cosign (https://github.com/sigstore/cosign).
 .
 Background
 .
 Sigstore already has a canonical Go client implementation, cosign
 (https://github.com/sigstore/cosign), which was developed with a focus
 on container image signing/verification. It has a rich CLI and a long
 legacy of features and development. sigstore-go is a more minimal and
 friendly API for integrating Go code with Sigstore, with a focus on the
 newly specified data structures in sigstore/protobuf-specs
 (https://github.com/sigstore/protobuf-specs). sigstore-go attempts to
 minimize the dependency tree for simple signing and verification tasks,
 omitting KMS support and container image verification, and we intend to
 refactor parts of cosign to depend on sigstore-go.
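Added example (not part of this ITP or of sigstore-go itself): a standard-library-only sketch of what a bring-your-own-key signer behind a Keypair-style interface has to do, with the verifier's check beside it. The Keypair method set, NewECDSAKeypair and VerifyPem are assumptions modelled on the description above, not the library's actual pkg/sign/keys.go type; a KMS-backed implementation would keep the same shape and delegate SignData to the KMS.

```go
package main
import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
)

// Keypair: methods a bring-your-own-key signer must provide (assumption: modelled on the text above, not sigstore-go's own type).
type Keypair interface {
	GetPublicKeyPem() string
	SignData(ctx context.Context, data []byte) (sig, digest []byte, err error)
}

// ecdsaKeypair keeps a P-256 key in memory; a KMS-backed one would forward SignData.
type ecdsaKeypair struct{ priv *ecdsa.PrivateKey }
func NewECDSAKeypair() (Keypair, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ecdsaKeypair{priv: priv}, nil
}
func (k *ecdsaKeypair) GetPublicKeyPem() string {
	der, _ := x509.MarshalPKIXPublicKey(&k.priv.PublicKey) // cannot fail for P-256
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
}

// SignData hashes the artifact with SHA-256 and signs the digest; a bundle records both.
func (k *ecdsaKeypair) SignData(_ context.Context, data []byte) ([]byte, []byte, error) {
	digest := sha256.Sum256(data)
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, digest[:])
	return sig, digest[:], err
}
// VerifyPem is the verifier's side: parse the PEM key, re-hash the artifact, check.
func VerifyPem(pubPem string, data, sig []byte) bool {
	block, _ := pem.Decode([]byte(pubPem))
	if block == nil {
		return false
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if ecPub, ok := pub.(*ecdsa.PublicKey); err == nil && ok {
		digest := sha256.Sum256(data)
		return ecdsa.VerifyASN1(ecPub, digest[:], sig)
	}
	return false
}
```

Any key with the same method set, whether in-memory, hardware-backed or KMS-backed, can slot in behind the interface; the verifier only ever sees the PEM public key, the digest and the signature.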

I hope to maintain this package as part of the Debian Go Packaging Team:

https://salsa.debian.org/go-team/packages/sigstore-go

/Simon
