Adding information on sigstore-go

content/en/language_clients/go/_index.html

@@ -0,0 +1,11 @@
+---
+type: docs
+title: "Go"
+description: "Go Language Client"
+lead: "Go Language Client"
+date: 2024-10-06T08:49:15+00:00
+lastmod: 2024-10-06T08:49:15+00:00
+draft: false
+images: []
+weight: 60
+---

content/en/language_clients/go/overview.md

@@ -0,0 +1,75 @@
+---
+type: docs
+category: Go
+title: Go Client Overview
+weight: 5
+---
+
+[`sigstore-go`](https://pkg.go.dev/github.com/sigstore/sigstore-go) is the Go language client library for Sigstore.
+
+`sigstore-go` is intended as a minimal dependency library for signing and verifying. It's not intended to replace [cosign](../../cosign/signing/overview.md), which provides a CLI with many features for interacting with Sigstore. Over time, `cosign` will use `sigstore-go` for verification.
+
+- Friendly API for integrating Go code with Sigstore
+- Smaller dependency tree
+- Focuses on newly specified data structures in [sigstore/protobuf-specs](https://github.com/sigstore/protobuf-specs)
+- Perfect for simple signing and verififcation tasks
+
+`sigstore-go` is currently in beta.
+
+## Features
+
+- Signing and verification of [Sigstore bundles](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto)
+- Verification of raw Sigstore signatures
+- Signing and verifying with a Timestamp Authority (TSA)
+- Online and offline signing and verifying with Rekor (Artifact Transparency Log)
+- Structured verification results including certificate metadata
+- TUF support
+- Verification support for custom [trusted root](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_trustroot.proto)
+- Basic CLI
+
+## Installation
+
+### Main CLI installation
+
+`sigstore-go` requires Go 1.21 or greater. The package is tested with Go 1.23.
+
+To compile/install the CLI, clone [`sigstore-go`](https://github.com/sigstore/sigstore-go) and run.
+
+```console
+make install
+```
+
+Alternatively, you can use `go run cmd/sigstore-go/main.go` to access the CLI, as show in the [example](#cli-example).
+
+## Example
+
+### CLI example
+
+The following is an example of using the sigstore-go CLI to verify a signature.
+
+```console
+go run cmd/sigstore-go/main.go \
+  -artifact-digest 76176ffa33808b54602c7c35de5c6e9a4deb96066dba6533f50ac234f4f1f4c6b3527515dc17c06fbe2860030f410eee69ea20079bd3a2c6f3dcf3b329b10751 \
+  -artifact-digest-algorithm sha512 \
+  -expectedIssuer https://token.actions.githubusercontent.com \
+  -expectedSAN https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main \
+  examples/bundle-provenance.json
+Verification successful!
+{
+   "version": 20230823,
+   "statement": {
+      "_type": "https://in-toto.io/Statement/v0.1",
+      "predicateType": "https://slsa.dev/provenance/v0.2",
+      "subject": ...
+    },
+    ...
+}
+```
+
+### Additional examples
+
+Additional examples are available in the [project documentation](https://github.com/sigstore/sigstore-go#sigstore-go).
+
+- [Signing example](https://github.com/sigstore/sigstore-go/blob/main/docs/signing.md#examples)
+- [Verifying example](https://github.com/sigstore/sigstore-go/blob/main/docs/verification.md#verification-using-sigstore-go)
+- [OCI image verifying example](https://github.com/sigstore/sigstore-go/blob/main/docs/oci-image-verification.md#example-of-oci-image-verification-using-sigstore-go)

content/en/language_clients/language_client_overview.md

@@ -14,6 +14,6 @@ Sigstore has clients for the following language ecosystems:
 - [Ruby](https://github.com/sigstore/sigstore-ruby#sigstore)
 - [JavaScript](https://github.com/sigstore/sigstore-js#sigstore-js---)
 - [Java](https://github.com/sigstore/sigstore-java#sigstore-java)
-- [Go](https://github.com/sigstore/sigstore-go#sigstore-go)
+- [Go](../go/overview)
 
 Language client documentation is hosted in the individual project repositories. Project summaries are currently being added to the main Sigstore documentation.