Merge pull request #1 from github/readme-updates

Update README and rename to sigstore-go
sigstore · Sep 26, 2023 · e43962e · e43962e
2 parents 06f3495 + 15aa4e7
commit e43962e
Show file tree

Hide file tree

Showing 27 changed files with 84 additions and 58 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,3 @@
 .idea
-/sigstore-verifier
+/sigstore-go
 /tufdata
diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 .PHONY: build
 build:
-	go build ./cmd/sigstore-verifier
+	go build ./cmd/sigstore-go
 	go build -o conformance ./cmd/conformance
 
 .PHONY: test

diff --git a/README.md b/README.md
@@ -1,30 +1,52 @@
-# sigstore-verifier
+# sigstore-go
 
-A Go client library for [Sigstore](https://www.sigstore.dev/)
+A client library for [Sigstore](https://www.sigstore.dev/), written in Go.
 
-This library focused on verifying Sigstore bundles, although it can also verify signature files by creating a bundle for them.
+Features:
+- Verification of [Sigstore bundles](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto) compliant with Sigstore Client Spec
+- Verification of raw Sigstore signatures by creating bundles for them (see [conformance tests](cmd/conformance/main.go) for example)
+- Timestamp Authority (TSA) verification
+- Rekor (Artifact Transparency Log) verificaton (offline or online)
+- Structured verification results including certificate metadata
+- TUF support
+- Support for custom [trusted root](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_trustroot.proto)
+- Basic CLI
 
-It supports a wide variety of use cases through the [verification options](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_verification.proto).
+For an example of how to use this library, see [cmd/sigstore-go](./cmd/sigstore-go/main.go), or see the CLI examples below.
 
-For an example of how to use this library, see [cmd/sigstore-verifier](./cmd/sigstore-verifier/main.go).
+## Background
 
+Sigstore already has a canonical Go client implementation, [cosign](https://github.com/sigstore/cosign), which was developed with a focus on container image signing/verification. It has a rich CLI and a long legacy of features and development. `sigstore-go` is a more minimal and friendly API for integrating Go code with Sigstore, with a focus on the newly specified data structures in [sigstore/protobuf-specs](https://github.com/sigstore/protobuf-specs).
+
+## Requirements
+
+- Unix-compatible OS
+- [Go 1.21](https://go.dev/doc/install)
+
+## Installation
+
+You can use the CLI with `go run` as in the below examples, or compile/install the `sigstore-go` CLI:
+
+```bash
+$ make install
+```
 ## Examples
 
 ```bash
-$ go run cmd/sigstore-verifier/main.go -trustedrootJSONpath examples/trusted-root-public-good.json examples/bundle-provenance.json
+$ go run cmd/sigstore-go/main.go -trustedrootJSONpath examples/trusted-root-public-good.json examples/bundle-provenance.json
 Verification successful!
 ```
 
 ```bash
-$ go run cmd/sigstore-verifier/main.go -tufRootURL tuf-repo-cdn.sigstore.dev examples/bundle-provenance.json
+$ go run cmd/sigstore-go/main.go -tufRootURL tuf-repo-cdn.sigstore.dev examples/bundle-provenance.json
 Verification successful!
 ```
 
 Alternatively, you can install a binary of the CLI like so:
 
 ```shell
-$ go install ./cmd/sigstore-verifier
-$ sigstore-verifier examples/bundle-provenance.json
+$ go install ./cmd/sigstore-go
+$ sigstore-go examples/bundle-provenance.json
 ```
 
 ## Testing
@@ -45,6 +67,10 @@ This came from https://www.npmjs.com/package/sigstore/v/1.3.0/provenance, with t
 
 This project is licensed under the terms of the MIT open source license. Please refer to [MIT](./LICENSE.txt) for the full terms.
 
+## Maintainers
+
+This library is maintained by the Package Security team and Sigstore members, including @codysoyland, @steiza, @phillmv, and others. See [CODEOWNERS](./CODEOWNERS) for current reviewers.
+
 ## Support
 
 Bug reports are welcome via issues and questions are welcome via discussion. Please refer to [SUPPORT.md](./SUPPORT.md) for details.

diff --git a/SUPPORT.md b/SUPPORT.md
@@ -6,7 +6,7 @@ This project uses GitHub issues to track bugs and feature requests. Please searc
 
 For help or questions about using this project, please use discussions.
 
-`sigstore-verifier` is under active development and maintained by GitHub staff **AND THE COMMUNITY**. We will do our best to respond to support, feature requests, and community questions in a timely manner.
+`sigstore-go` is under active development and maintained by GitHub staff **AND THE COMMUNITY**. We will do our best to respond to support, feature requests, and community questions in a timely manner.
 
 ## GitHub Support Policy
 

diff --git a/cmd/conformance/main.go b/cmd/conformance/main.go
@@ -13,10 +13,10 @@ import (
 	protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1"
 	protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
 
-	"github.com/github/sigstore-verifier/pkg/bundle"
-	"github.com/github/sigstore-verifier/pkg/root"
-	"github.com/github/sigstore-verifier/pkg/tuf"
-	"github.com/github/sigstore-verifier/pkg/verify"
+	"github.com/github/sigstore-go/pkg/bundle"
+	"github.com/github/sigstore-go/pkg/root"
+	"github.com/github/sigstore-go/pkg/tuf"
+	"github.com/github/sigstore-go/pkg/verify"
 )
 
 var bundlePath *string

diff --git a/cmd/sigstore-verifier/main.go → cmd/sigstore-go/main.go b/cmd/sigstore-verifier/main.go → cmd/sigstore-go/main.go
@@ -13,10 +13,10 @@ import (
 	"os"
 	"time"
 
-	"github.com/github/sigstore-verifier/pkg/bundle"
-	"github.com/github/sigstore-verifier/pkg/root"
-	"github.com/github/sigstore-verifier/pkg/tuf"
-	"github.com/github/sigstore-verifier/pkg/verify"
+	"github.com/github/sigstore-go/pkg/bundle"
+	"github.com/github/sigstore-go/pkg/root"
+	"github.com/github/sigstore-go/pkg/tuf"
+	"github.com/github/sigstore-go/pkg/verify"
 	"github.com/sigstore/sigstore/pkg/signature"
 )
 

diff --git a/go.mod b/go.mod
@@ -1,4 +1,4 @@
-module github.com/github/sigstore-verifier
+module github.com/github/sigstore-go
 
 go 1.21
 

diff --git a/pkg/bundle/bundle.go b/pkg/bundle/bundle.go
@@ -15,8 +15,8 @@ import (
 	"golang.org/x/mod/semver"
 	"google.golang.org/protobuf/encoding/protojson"
 
-	"github.com/github/sigstore-verifier/pkg/tlog"
-	"github.com/github/sigstore-verifier/pkg/verify"
+	"github.com/github/sigstore-go/pkg/tlog"
+	"github.com/github/sigstore-go/pkg/verify"
 )
 
 const SigstoreBundleMediaType01 = "application/vnd.dev.sigstore.bundle+json;version=0.1"

diff --git a/pkg/bundle/signature_content.go b/pkg/bundle/signature_content.go
@@ -4,7 +4,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 
-	"github.com/github/sigstore-verifier/pkg/verify"
+	"github.com/github/sigstore-go/pkg/verify"
 	"github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 )

diff --git a/pkg/bundle/verification_content.go b/pkg/bundle/verification_content.go
@@ -5,8 +5,8 @@ import (
 	"crypto/x509"
 	"time"
 
-	"github.com/github/sigstore-verifier/pkg/root"
-	"github.com/github/sigstore-verifier/pkg/verify"
+	"github.com/github/sigstore-go/pkg/root"
+	"github.com/github/sigstore-go/pkg/verify"
 )
 
 type CertificateChain struct {

diff --git a/pkg/fulcio/certificate/summarize_test.go b/pkg/fulcio/certificate/summarize_test.go
@@ -3,8 +3,8 @@ package certificate_test
 import (
 	"testing"
 
-	"github.com/github/sigstore-verifier/pkg/fulcio/certificate"
-	"github.com/github/sigstore-verifier/pkg/testing/data"
+	"github.com/github/sigstore-go/pkg/fulcio/certificate"
+	"github.com/github/sigstore-go/pkg/testing/data"
 	"github.com/stretchr/testify/assert"
 )
 

diff --git a/pkg/testing/ca/ca.go b/pkg/testing/ca/ca.go
@@ -21,10 +21,10 @@ import (
 
 	"github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer"
 	"github.com/digitorus/timestamp"
-	"github.com/github/sigstore-verifier/pkg/bundle"
-	"github.com/github/sigstore-verifier/pkg/root"
-	"github.com/github/sigstore-verifier/pkg/tlog"
-	"github.com/github/sigstore-verifier/pkg/verify"
+	"github.com/github/sigstore-go/pkg/bundle"
+	"github.com/github/sigstore-go/pkg/root"
+	"github.com/github/sigstore-go/pkg/tlog"
+	"github.com/github/sigstore-go/pkg/verify"
 	"github.com/go-openapi/runtime"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/sigstore/rekor/pkg/generated/models"

diff --git a/pkg/testing/data/data.go b/pkg/testing/data/data.go
@@ -6,8 +6,8 @@ import (
 	"os"
 	"testing"
 
-	"github.com/github/sigstore-verifier/pkg/bundle"
-	"github.com/github/sigstore-verifier/pkg/root"
+	"github.com/github/sigstore-go/pkg/bundle"
+	"github.com/github/sigstore-go/pkg/root"
 	protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1"
 	"github.com/stretchr/testify/assert"
 	"google.golang.org/protobuf/encoding/protojson"

diff --git a/pkg/tlog/entry.go b/pkg/tlog/entry.go
@@ -27,7 +27,7 @@ import (
 	rekorVerify "github.com/sigstore/rekor/pkg/verify"
 	"github.com/sigstore/sigstore/pkg/signature"
 
-	"github.com/github/sigstore-verifier/pkg/root"
+	"github.com/github/sigstore-go/pkg/root"
 )
 
 type Entry struct {

diff --git a/pkg/verify/certificate.go b/pkg/verify/certificate.go
@@ -5,7 +5,7 @@ import (
 	"errors"
 	"time"
 
-	"github.com/github/sigstore-verifier/pkg/root"
+	"github.com/github/sigstore-go/pkg/root"
 )
 
 func VerifyLeafCertificate(observerTimestamp time.Time, leafCert x509.Certificate, trustedMaterial root.TrustedMaterial) error { // nolint: revive

diff --git a/pkg/verify/certificate_identity.go b/pkg/verify/certificate_identity.go
@@ -5,7 +5,7 @@ import (
 	"errors"
 	"regexp"
 
-	"github.com/github/sigstore-verifier/pkg/fulcio/certificate"
+	"github.com/github/sigstore-go/pkg/fulcio/certificate"
 )
 
 type SubjectAlternativeNameMatcher struct {

diff --git a/pkg/verify/certificate_identity_test.go b/pkg/verify/certificate_identity_test.go
@@ -3,7 +3,7 @@ package verify
 import (
 	"testing"
 
-	"github.com/github/sigstore-verifier/pkg/fulcio/certificate"
+	"github.com/github/sigstore-go/pkg/fulcio/certificate"
 	"github.com/stretchr/testify/assert"
 )
 

diff --git a/pkg/verify/interface.go b/pkg/verify/interface.go
@@ -5,8 +5,8 @@ import (
 	"errors"
 	"time"
 
-	"github.com/github/sigstore-verifier/pkg/root"
-	"github.com/github/sigstore-verifier/pkg/tlog"
+	"github.com/github/sigstore-go/pkg/root"
+	"github.com/github/sigstore-go/pkg/tlog"
 	"github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"

diff --git a/pkg/verify/sct.go b/pkg/verify/sct.go
@@ -5,7 +5,7 @@ import (
 	"encoding/hex"
 	"fmt"
 
-	"github.com/github/sigstore-verifier/pkg/root"
+	"github.com/github/sigstore-go/pkg/root"
 	"github.com/google/certificate-transparency-go/ctutil"
 	ctx509 "github.com/google/certificate-transparency-go/x509"
 	"github.com/google/certificate-transparency-go/x509util"

diff --git a/pkg/verify/signature.go b/pkg/verify/signature.go
@@ -10,7 +10,7 @@ import (
 	"hash"
 	"io"
 
-	"github.com/github/sigstore-verifier/pkg/root"
+	"github.com/github/sigstore-go/pkg/root"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/sigstore/sigstore/pkg/signature"
 	sigdsse "github.com/sigstore/sigstore/pkg/signature/dsse"

diff --git a/pkg/verify/signature_test.go b/pkg/verify/signature_test.go
@@ -7,8 +7,8 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/github/sigstore-verifier/pkg/testing/ca"
-	"github.com/github/sigstore-verifier/pkg/verify"
+	"github.com/github/sigstore-go/pkg/testing/ca"
+	"github.com/github/sigstore-go/pkg/verify"
 	"github.com/stretchr/testify/assert"
 )
 

diff --git a/pkg/verify/signed_entity.go b/pkg/verify/signed_entity.go
@@ -6,8 +6,8 @@ import (
 	"io"
 	"time"
 
-	"github.com/github/sigstore-verifier/pkg/fulcio/certificate"
-	"github.com/github/sigstore-verifier/pkg/root"
+	"github.com/github/sigstore-go/pkg/fulcio/certificate"
+	"github.com/github/sigstore-go/pkg/root"
 	"github.com/in-toto/in-toto-golang/in_toto"
 )
 

diff --git a/pkg/verify/signed_entity_test.go b/pkg/verify/signed_entity_test.go
@@ -6,9 +6,9 @@ import (
 
 	"encoding/json"
 
-	"github.com/github/sigstore-verifier/pkg/fulcio/certificate"
-	"github.com/github/sigstore-verifier/pkg/testing/data"
-	v "github.com/github/sigstore-verifier/pkg/verify"
+	"github.com/github/sigstore-go/pkg/fulcio/certificate"
+	"github.com/github/sigstore-go/pkg/testing/data"
+	v "github.com/github/sigstore-go/pkg/verify"
 	"github.com/stretchr/testify/assert"
 )
 

diff --git a/pkg/verify/tlog.go b/pkg/verify/tlog.go
@@ -16,8 +16,8 @@ import (
 	rekorVerify "github.com/sigstore/rekor/pkg/verify"
 	"github.com/sigstore/sigstore/pkg/signature"
 
-	"github.com/github/sigstore-verifier/pkg/root"
-	"github.com/github/sigstore-verifier/pkg/tlog"
+	"github.com/github/sigstore-go/pkg/root"
+	"github.com/github/sigstore-go/pkg/tlog"
 )
 
 // VerifyArtifactTransparencyLog verifies that the given entity has been logged

diff --git a/pkg/verify/tlog_test.go b/pkg/verify/tlog_test.go
@@ -4,9 +4,9 @@ import (
 	"testing"
 	"time"
 
-	"github.com/github/sigstore-verifier/pkg/testing/ca"
-	"github.com/github/sigstore-verifier/pkg/tlog"
-	"github.com/github/sigstore-verifier/pkg/verify"
+	"github.com/github/sigstore-go/pkg/testing/ca"
+	"github.com/github/sigstore-go/pkg/tlog"
+	"github.com/github/sigstore-go/pkg/verify"
 	"github.com/stretchr/testify/assert"
 )
 

diff --git a/pkg/verify/tsa.go b/pkg/verify/tsa.go
@@ -9,7 +9,7 @@ import (
 
 	tsaverification "github.com/sigstore/timestamp-authority/pkg/verification"
 
-	"github.com/github/sigstore-verifier/pkg/root"
+	"github.com/github/sigstore-go/pkg/root"
 )
 
 // VerifyTimestampAuthority verifies that the given entity has been timestamped

diff --git a/pkg/verify/tsa_test.go b/pkg/verify/tsa_test.go
@@ -4,9 +4,9 @@ import (
 	"testing"
 	"time"
 
-	"github.com/github/sigstore-verifier/pkg/root"
-	"github.com/github/sigstore-verifier/pkg/testing/ca"
-	"github.com/github/sigstore-verifier/pkg/verify"
+	"github.com/github/sigstore-go/pkg/root"
+	"github.com/github/sigstore-go/pkg/testing/ca"
+	"github.com/github/sigstore-go/pkg/verify"
 	"github.com/stretchr/testify/assert"
 )