From 9e3e5d8624a6a08ff6584961b8330d1743324890 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Tue, 26 Sep 2023 10:41:05 -0400 Subject: [PATCH 1/3] Update README --- README.md | 36 +++++++++++++++++++++++++++++++----- 1 file changed, 31 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 5f6b4040..9bce6689 100644 --- a/README.md +++ b/README.md 
@@ -1,13 +1,35 @@ -# sigstore-verifier +# sigstore-go -A Go client library for [Sigstore](https://www.sigstore.dev/) +A client library for [Sigstore](https://www.sigstore.dev/), written in Go. -This library focused on verifying Sigstore bundles, although it can also verify signature files by creating a bundle for them. +Features: +- Verification of [Sigstore bundles](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto) compliant with Sigstore Client Spec +- Verification of raw Sigstore signatures by creating bundles for them (see [conformance tests](cmd/conformance/main.go) for example) +- Timestamp Authority (TSA) verification +- Rekor (Artifact Transparency Log) verificaton (offline or online) +- Structured verification results including certificate metadata +- TUF support +- Support for custom [trusted root](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_trustroot.proto) +- Basic CLI -It supports a wide variety of use cases through the [verification options](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_verification.proto). +For an example of how to use this library, see [cmd/sigstore-verifier](./cmd/sigstore-verifier/main.go), or see the CLI examples below. -For an example of how to use this library, see [cmd/sigstore-verifier](./cmd/sigstore-verifier/main.go). +## Background +Sigstore already has a canonical Go client implementation, [cosign](https://github.com/sigstore/cosign), which was developed with a focus on container image signing/verification. It has a rich CLI and a long legacy of features and development. `sigstore-go` is a more minimal and friendly API for integrating Go code with Sigstore, with a focus on the newly specified data structures in [sigstore/protobuf-specs](https://github.com/sigstore/protobuf-specs). 
+ +## Requirements + +- Unix-compatible OS +- [Go 1.21](https://go.dev/doc/install) + +## Installation + +You can use the CLI with `go run` as in the below examples, or compile/install the `sigstore-verifier` CLI: + +```bash +$ make install +``` ## Examples ```bash @@ -45,6 +67,10 @@ This came from https://www.npmjs.com/package/sigstore/v/1.3.0/provenance, with t This project is licensed under the terms of the MIT open source license. Please refer to [MIT](./LICENSE.txt) for the full terms. +## Maintainers + +This library is maintained by the Package Security team and Sigstore members, including @codysoyland, @steiza, @phillmv, and others. See [CODEOWNERS](./CODEOWNERS) for current reviewers. + ## Support Bug reports are welcome via issues and questions are welcome via discussion. Please refer to [SUPPORT.md](./SUPPORT.md) for details. From 70f759edc768c27ff8cfcaa4c8edb95d12d9d70d Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Tue, 26 Sep 2023 14:33:43 -0400 Subject: [PATCH 2/3] Rename sigstore-verifier to sigstore-go --- .gitignore | 2 +- Makefile | 2 +- README.md | 12 ++++++------ SUPPORT.md | 2 +- cmd/conformance/main.go | 8 ++++---- cmd/sigstore-verifier/main.go | 8 ++++---- go.mod | 2 +- pkg/bundle/bundle.go | 4 ++-- pkg/bundle/signature_content.go | 2 +- pkg/bundle/verification_content.go | 4 ++-- pkg/fulcio/certificate/summarize_test.go | 4 ++-- pkg/testing/ca/ca.go | 8 ++++---- pkg/testing/data/data.go | 4 ++-- pkg/tlog/entry.go | 2 +- pkg/verify/certificate.go | 2 +- pkg/verify/certificate_identity.go | 2 +- pkg/verify/certificate_identity_test.go | 2 +- pkg/verify/interface.go | 4 ++-- pkg/verify/sct.go | 2 +- pkg/verify/signature.go | 2 +- pkg/verify/signature_test.go | 4 ++-- pkg/verify/signed_entity.go | 4 ++-- pkg/verify/signed_entity_test.go | 6 +++--- pkg/verify/tlog.go | 4 ++-- pkg/verify/tlog_test.go | 6 +++--- pkg/verify/tsa.go | 2 +- pkg/verify/tsa_test.go | 6 +++--- 27 files changed, 55 insertions(+), 55 deletions(-) 
diff --git a/.gitignore b/.gitignore index a7653881..5e96d141 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ .idea -/sigstore-verifier +/sigstore-go /tufdata diff --git a/Makefile b/Makefile index 3df70bca..ba24634b 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ .PHONY: build build: - go build ./cmd/sigstore-verifier + go build ./cmd/sigstore-go go build -o conformance ./cmd/conformance .PHONY: test diff --git a/README.md b/README.md index 9bce6689..869ceb6f 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ Features: - Support for custom [trusted root](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_trustroot.proto) - Basic CLI -For an example of how to use this library, see [cmd/sigstore-verifier](./cmd/sigstore-verifier/main.go), or see the CLI examples below. +For an example of how to use this library, see [cmd/sigstore-go](./cmd/sigstore-go/main.go), or see the CLI examples below. ## Background @@ -25,7 +25,7 @@ Sigstore already has a canonical Go client implementation, [cosign](https://gith ## Installation -You can use the CLI with `go run` as in the below examples, or compile/install the `sigstore-verifier` CLI: +You can use the CLI with `go run` as in the below examples, or compile/install the `sigstore-go` CLI: ```bash $ make install 
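Review bot: The Makefile's new `go build ./cmd/sigstore-go` target points at a directory that does not exist at this commit: in this same patch the file header still reads `diff --git a/cmd/sigstore-verifier/main.go b/cmd/sigstore-verifier/main.go`, and the move to `cmd/sigstore-go/main.go` only happens in PATCH 3/3. `make build`, the README's `go run cmd/sigstore-go/main.go` examples and `go install ./cmd/sigstore-go` all fail between the two commits, which breaks bisecting and any CI run against PATCH 2 alone. Folding the directory rename into this patch (or ordering it before the path updates) keeps every commit in the series buildable. The `go.mod` module path change in the same patch is also a breaking change for any downstream importer of `github.com/github/sigstore-verifier`, so it deserves an explicit mention in the commit message.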
@@ -33,20 +33,20 @@ $ make install ## Examples ```bash -$ go run cmd/sigstore-verifier/main.go -trustedrootJSONpath examples/trusted-root-public-good.json examples/bundle-provenance.json +$ go run cmd/sigstore-go/main.go -trustedrootJSONpath examples/trusted-root-public-good.json examples/bundle-provenance.json Verification successful! ``` ```bash -$ go run cmd/sigstore-verifier/main.go -tufRootURL tuf-repo-cdn.sigstore.dev examples/bundle-provenance.json +$ go run cmd/sigstore-go/main.go -tufRootURL tuf-repo-cdn.sigstore.dev examples/bundle-provenance.json Verification successful! ``` Alternatively, you can install a binary of the CLI like so: ```shell -$ go install ./cmd/sigstore-verifier -$ sigstore-verifier examples/bundle-provenance.json +$ go install ./cmd/sigstore-go +$ sigstore-go examples/bundle-provenance.json ``` ## Testing diff --git a/SUPPORT.md b/SUPPORT.md index 42768029..8f2e98d5 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -6,7 +6,7 @@ This project uses GitHub issues to track bugs and feature requests. Please searc For help or questions about using this project, please use discussions. -`sigstore-verifier` is under active development and maintained by GitHub staff **AND THE COMMUNITY**. We will do our best to respond to support, feature requests, and community questions in a timely manner. +`sigstore-go` is under active development and maintained by GitHub staff **AND THE COMMUNITY**. We will do our best to respond to support, feature requests, and community questions in a timely manner. ## GitHub Support Policy diff --git a/cmd/conformance/main.go b/cmd/conformance/main.go index cdc0699c..fae0b378 100644 --- a/cmd/conformance/main.go +++ b/cmd/conformance/main.go 
@@ -13,10 +13,10 @@ import ( protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" - "github.com/github/sigstore-verifier/pkg/bundle" - "github.com/github/sigstore-verifier/pkg/root" - "github.com/github/sigstore-verifier/pkg/tuf" - "github.com/github/sigstore-verifier/pkg/verify" + "github.com/github/sigstore-go/pkg/bundle" + "github.com/github/sigstore-go/pkg/root" + "github.com/github/sigstore-go/pkg/tuf" + "github.com/github/sigstore-go/pkg/verify" ) var bundlePath *string diff --git a/cmd/sigstore-verifier/main.go b/cmd/sigstore-verifier/main.go index bd5c8de2..5accea2b 100644 --- a/cmd/sigstore-verifier/main.go +++ b/cmd/sigstore-verifier/main.go @@ -13,10 +13,10 @@ import ( "os" "time" - "github.com/github/sigstore-verifier/pkg/bundle" - "github.com/github/sigstore-verifier/pkg/root" - "github.com/github/sigstore-verifier/pkg/tuf" - "github.com/github/sigstore-verifier/pkg/verify" + "github.com/github/sigstore-go/pkg/bundle" + "github.com/github/sigstore-go/pkg/root" + "github.com/github/sigstore-go/pkg/tuf" + "github.com/github/sigstore-go/pkg/verify" "github.com/sigstore/sigstore/pkg/signature" ) diff --git a/go.mod b/go.mod index a57d6b75..c3b5f82c 100644 --- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module github.com/github/sigstore-verifier +module github.com/github/sigstore-go go 1.21 diff --git a/pkg/bundle/bundle.go b/pkg/bundle/bundle.go index ea33bbb4..45678ff5 100644 --- a/pkg/bundle/bundle.go +++ b/pkg/bundle/bundle.go @@ -15,8 +15,8 @@ import ( "golang.org/x/mod/semver" "google.golang.org/protobuf/encoding/protojson" - "github.com/github/sigstore-verifier/pkg/tlog" - "github.com/github/sigstore-verifier/pkg/verify" + "github.com/github/sigstore-go/pkg/tlog" + "github.com/github/sigstore-go/pkg/verify" ) const SigstoreBundleMediaType01 = "application/vnd.dev.sigstore.bundle+json;version=0.1" 
diff --git a/pkg/bundle/signature_content.go b/pkg/bundle/signature_content.go index e1d9c614..7fc0d9c7 100644 --- a/pkg/bundle/signature_content.go +++ b/pkg/bundle/signature_content.go @@ -4,7 +4,7 @@ import ( "encoding/base64" "encoding/json" - "github.com/github/sigstore-verifier/pkg/verify" + "github.com/github/sigstore-go/pkg/verify" "github.com/in-toto/in-toto-golang/in_toto" "github.com/secure-systems-lab/go-securesystemslib/dsse" ) diff --git a/pkg/bundle/verification_content.go b/pkg/bundle/verification_content.go index 47f1d8aa..810faa51 100644 --- a/pkg/bundle/verification_content.go +++ b/pkg/bundle/verification_content.go @@ -5,8 +5,8 @@ import ( "crypto/x509" "time" - "github.com/github/sigstore-verifier/pkg/root" - "github.com/github/sigstore-verifier/pkg/verify" + "github.com/github/sigstore-go/pkg/root" + "github.com/github/sigstore-go/pkg/verify" ) type CertificateChain struct { diff --git a/pkg/fulcio/certificate/summarize_test.go b/pkg/fulcio/certificate/summarize_test.go index 10ade3b1..4b581f14 100644 --- a/pkg/fulcio/certificate/summarize_test.go +++ b/pkg/fulcio/certificate/summarize_test.go @@ -3,8 +3,8 @@ package certificate_test import ( "testing" - "github.com/github/sigstore-verifier/pkg/fulcio/certificate" - "github.com/github/sigstore-verifier/pkg/testing/data" + "github.com/github/sigstore-go/pkg/fulcio/certificate" + "github.com/github/sigstore-go/pkg/testing/data" "github.com/stretchr/testify/assert" ) diff --git a/pkg/testing/ca/ca.go b/pkg/testing/ca/ca.go index 3151951f..0665f9fc 100644 --- a/pkg/testing/ca/ca.go +++ b/pkg/testing/ca/ca.go 
@@ -21,10 +21,10 @@ import ( "github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer" "github.com/digitorus/timestamp" - "github.com/github/sigstore-verifier/pkg/bundle" - "github.com/github/sigstore-verifier/pkg/root" - "github.com/github/sigstore-verifier/pkg/tlog" - "github.com/github/sigstore-verifier/pkg/verify" + "github.com/github/sigstore-go/pkg/bundle" + "github.com/github/sigstore-go/pkg/root" + "github.com/github/sigstore-go/pkg/tlog" + "github.com/github/sigstore-go/pkg/verify" "github.com/go-openapi/runtime" "github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/sigstore/rekor/pkg/generated/models" diff --git a/pkg/testing/data/data.go b/pkg/testing/data/data.go index 4386d753..1803c60c 100644 --- a/pkg/testing/data/data.go +++ b/pkg/testing/data/data.go @@ -6,8 +6,8 @@ import ( "os" "testing" - "github.com/github/sigstore-verifier/pkg/bundle" - "github.com/github/sigstore-verifier/pkg/root" + "github.com/github/sigstore-go/pkg/bundle" + "github.com/github/sigstore-go/pkg/root" protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" "github.com/stretchr/testify/assert" "google.golang.org/protobuf/encoding/protojson" diff --git a/pkg/tlog/entry.go b/pkg/tlog/entry.go index 5ad5648f..065caf06 100644 --- a/pkg/tlog/entry.go +++ b/pkg/tlog/entry.go @@ -27,7 +27,7 @@ import ( rekorVerify "github.com/sigstore/rekor/pkg/verify" "github.com/sigstore/sigstore/pkg/signature" - "github.com/github/sigstore-verifier/pkg/root" + "github.com/github/sigstore-go/pkg/root" ) type Entry struct { diff --git a/pkg/verify/certificate.go b/pkg/verify/certificate.go index 3f17ca3e..2ddb28dd 100644 --- a/pkg/verify/certificate.go +++ b/pkg/verify/certificate.go 
@@ -5,7 +5,7 @@ import ( "errors" "time" - "github.com/github/sigstore-verifier/pkg/root" + "github.com/github/sigstore-go/pkg/root" ) func VerifyLeafCertificate(observerTimestamp time.Time, leafCert x509.Certificate, trustedMaterial root.TrustedMaterial) error { // nolint: revive diff --git a/pkg/verify/certificate_identity.go b/pkg/verify/certificate_identity.go index d27eb206..97449352 100644 --- a/pkg/verify/certificate_identity.go +++ b/pkg/verify/certificate_identity.go @@ -5,7 +5,7 @@ import ( "errors" "regexp" - "github.com/github/sigstore-verifier/pkg/fulcio/certificate" + "github.com/github/sigstore-go/pkg/fulcio/certificate" ) type SubjectAlternativeNameMatcher struct { diff --git a/pkg/verify/certificate_identity_test.go b/pkg/verify/certificate_identity_test.go index effb4f75..11b21775 100644 --- a/pkg/verify/certificate_identity_test.go +++ b/pkg/verify/certificate_identity_test.go @@ -3,7 +3,7 @@ package verify import ( "testing" - "github.com/github/sigstore-verifier/pkg/fulcio/certificate" + "github.com/github/sigstore-go/pkg/fulcio/certificate" "github.com/stretchr/testify/assert" ) diff --git a/pkg/verify/interface.go b/pkg/verify/interface.go index 835149f0..549e47a2 100644 --- a/pkg/verify/interface.go +++ b/pkg/verify/interface.go @@ -5,8 +5,8 @@ import ( "errors" "time" - "github.com/github/sigstore-verifier/pkg/root" - "github.com/github/sigstore-verifier/pkg/tlog" + "github.com/github/sigstore-go/pkg/root" + "github.com/github/sigstore-go/pkg/tlog" "github.com/in-toto/in-toto-golang/in_toto" "github.com/secure-systems-lab/go-securesystemslib/dsse" protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" diff --git a/pkg/verify/sct.go b/pkg/verify/sct.go index 9e38498e..fc86f888 100644 --- a/pkg/verify/sct.go +++ b/pkg/verify/sct.go 
@@ -5,7 +5,7 @@ import ( "encoding/hex" "fmt" - "github.com/github/sigstore-verifier/pkg/root" + "github.com/github/sigstore-go/pkg/root" "github.com/google/certificate-transparency-go/ctutil" ctx509 "github.com/google/certificate-transparency-go/x509" "github.com/google/certificate-transparency-go/x509util" diff --git a/pkg/verify/signature.go b/pkg/verify/signature.go index 4b596f4e..b19fd067 100644 --- a/pkg/verify/signature.go +++ b/pkg/verify/signature.go @@ -10,7 +10,7 @@ import ( "hash" "io" - "github.com/github/sigstore-verifier/pkg/root" + "github.com/github/sigstore-go/pkg/root" "github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/sigstore/sigstore/pkg/signature" sigdsse "github.com/sigstore/sigstore/pkg/signature/dsse" diff --git a/pkg/verify/signature_test.go b/pkg/verify/signature_test.go index 3ee20a6e..4e4b5587 100644 --- a/pkg/verify/signature_test.go +++ b/pkg/verify/signature_test.go @@ -7,8 +7,8 @@ import ( "fmt" "testing" - "github.com/github/sigstore-verifier/pkg/testing/ca" - "github.com/github/sigstore-verifier/pkg/verify" + "github.com/github/sigstore-go/pkg/testing/ca" + "github.com/github/sigstore-go/pkg/verify" "github.com/stretchr/testify/assert" ) diff --git a/pkg/verify/signed_entity.go b/pkg/verify/signed_entity.go index 1c7e17f4..d87d4667 100644 --- a/pkg/verify/signed_entity.go +++ b/pkg/verify/signed_entity.go @@ -6,8 +6,8 @@ import ( "io" "time" - "github.com/github/sigstore-verifier/pkg/fulcio/certificate" - "github.com/github/sigstore-verifier/pkg/root" + "github.com/github/sigstore-go/pkg/fulcio/certificate" + "github.com/github/sigstore-go/pkg/root" "github.com/in-toto/in-toto-golang/in_toto" ) diff --git a/pkg/verify/signed_entity_test.go b/pkg/verify/signed_entity_test.go index 8da23fbd..3ce65364 100644 --- a/pkg/verify/signed_entity_test.go +++ b/pkg/verify/signed_entity_test.go 
@@ -6,9 +6,9 @@ import ( "encoding/json" - "github.com/github/sigstore-verifier/pkg/fulcio/certificate" - "github.com/github/sigstore-verifier/pkg/testing/data" - v "github.com/github/sigstore-verifier/pkg/verify" + "github.com/github/sigstore-go/pkg/fulcio/certificate" + "github.com/github/sigstore-go/pkg/testing/data" + v "github.com/github/sigstore-go/pkg/verify" "github.com/stretchr/testify/assert" ) diff --git a/pkg/verify/tlog.go b/pkg/verify/tlog.go index 9b5331ef..2c1c5d00 100644 --- a/pkg/verify/tlog.go +++ b/pkg/verify/tlog.go @@ -16,8 +16,8 @@ import ( rekorVerify "github.com/sigstore/rekor/pkg/verify" "github.com/sigstore/sigstore/pkg/signature" - "github.com/github/sigstore-verifier/pkg/root" - "github.com/github/sigstore-verifier/pkg/tlog" + "github.com/github/sigstore-go/pkg/root" + "github.com/github/sigstore-go/pkg/tlog" ) // VerifyArtifactTransparencyLog verifies that the given entity has been logged diff --git a/pkg/verify/tlog_test.go b/pkg/verify/tlog_test.go index 28b77354..1b3789f8 100644 --- a/pkg/verify/tlog_test.go +++ b/pkg/verify/tlog_test.go @@ -4,9 +4,9 @@ import ( "testing" "time" - "github.com/github/sigstore-verifier/pkg/testing/ca" - "github.com/github/sigstore-verifier/pkg/tlog" - "github.com/github/sigstore-verifier/pkg/verify" + "github.com/github/sigstore-go/pkg/testing/ca" + "github.com/github/sigstore-go/pkg/tlog" + "github.com/github/sigstore-go/pkg/verify" "github.com/stretchr/testify/assert" ) diff --git a/pkg/verify/tsa.go b/pkg/verify/tsa.go index 176c92a4..f69272a9 100644 --- a/pkg/verify/tsa.go +++ b/pkg/verify/tsa.go @@ -9,7 +9,7 @@ import ( tsaverification "github.com/sigstore/timestamp-authority/pkg/verification" - "github.com/github/sigstore-verifier/pkg/root" + "github.com/github/sigstore-go/pkg/root" ) // VerifyTimestampAuthority verifies that the given entity has been timestamped diff --git a/pkg/verify/tsa_test.go b/pkg/verify/tsa_test.go index ce61dfb5..41b3afdf 100644 --- a/pkg/verify/tsa_test.go 
+++ b/pkg/verify/tsa_test.go @@ -4,9 +4,9 @@ import ( "testing" "time" - "github.com/github/sigstore-verifier/pkg/root" - "github.com/github/sigstore-verifier/pkg/testing/ca" - "github.com/github/sigstore-verifier/pkg/verify" + "github.com/github/sigstore-go/pkg/root" + "github.com/github/sigstore-go/pkg/testing/ca" + "github.com/github/sigstore-go/pkg/verify" "github.com/stretchr/testify/assert" ) From 15aa4e7f157bca7f3d8dfe1d3f4b17710feff6b9 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Tue, 26 Sep 2023 14:50:30 -0400 Subject: [PATCH 3/3] Rename source dir --- cmd/{sigstore-verifier => sigstore-go}/main.go | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cmd/{sigstore-verifier => sigstore-go}/main.go (100%) diff --git a/cmd/sigstore-verifier/main.go b/cmd/sigstore-go/main.go similarity index 100% rename from cmd/sigstore-verifier/main.go rename to cmd/sigstore-go/main.go