verifier

package
v0.0.0-...-4c851a9 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 6, 2026 License: MIT Imports: 15 Imported by: 0

Documentation

Overview

Package verifier provides cryptographic verification of Sigstore attestations.

This package implements the core cryptographic verification logic for Sigstore bundles, including signature verification, certificate validation, and transparency log verification.

Sigstore Bundle Verification

The verifier processes Sigstore bundles containing:

  • DSSE (Dead Simple Signing Envelope) with payload and signatures
  • Fulcio-issued signing certificates with OIDC identity claims
  • Rekor transparency log inclusion proofs

Verification Steps

  1. Parse the Sigstore bundle JSON structure
  2. Decode and parse the X.509 signing certificate
  3. Verify DSSE signature using ECDSA with SHA-256
  4. Validate certificate chain against Fulcio root CA
  5. Verify Rekor transparency log inclusion proof
  6. Extract identity claims from certificate extensions

Basic Usage 

v := verifier.New(verifier.Options{
    SkipRekor: false,  // Enable Rekor verification
})

result, err := v.VerifyBundle(ctx, bundleData)
if err != nil {
    // handle error
}

if result.Verified {
    fmt.Printf("Signed by: %s\n", result.Issuer.Identity)
}

Fulcio Certificate Extensions

The verifier extracts identity information from Fulcio certificate extensions:

  • OIDC Issuer (1.3.6.1.4.1.57264.1.1)
  • GitHub Workflow Repository (1.3.6.1.4.1.57264.1.5)
  • GitHub Workflow Ref (1.3.6.1.4.1.57264.1.6)
  • Source Repository Digest (1.3.6.1.4.1.57264.1.9)

Trusted Roots

By default, the verifier uses embedded Sigstore root certificates. Custom trusted roots can be provided via Options.CustomTrustedRoots.

Package verifier provides cryptographic verification of Sigstore attestations. This implements real signature verification using sigstore-go, including: - DSSE envelope signature verification - Certificate chain validation against Fulcio root - Rekor transparency log inclusion verification - SCT (Signed Certificate Timestamp) validation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Bundle 

type Bundle struct {
	MediaType            string                `json:"mediaType"`
	VerificationMaterial *VerificationMaterial `json:"verificationMaterial,omitempty"`
	DSSEEnvelope         *DSSEEnvelope         `json:"dsseEnvelope,omitempty"`
}

Bundle represents a Sigstore bundle (simplified for parsing).

type Certificate 

type Certificate struct {
	RawBytes string `json:"rawBytes"` // base64 encoded DER
}

Certificate is the signing certificate.

type CertificateInfo 

type CertificateInfo struct {
	Subject     string
	Issuer      string
	NotBefore   time.Time
	NotAfter    time.Time
	Extensions  map[string]string
	Fingerprint string
}

CertificateInfo contains parsed certificate details.

type DSSEEnvelope 

type DSSEEnvelope struct {
	Payload     string      `json:"payload"` // base64 encoded
	PayloadType string      `json:"payloadType"`
	Signatures  []Signature `json:"signatures"`
}

DSSEEnvelope is the DSSE (Dead Simple Signing Envelope).

type InclusionPromise 

type InclusionPromise struct {
	SignedEntryTimestamp string `json:"signedEntryTimestamp"`
}

InclusionPromise is a signed promise of inclusion.

type InclusionProof 

type InclusionProof struct {
	LogIndex   int64
	RootHash   string
	TreeSize   int64
	Hashes     []string
	Checkpoint string
}

InclusionProof proves entry inclusion in the log.

type IssuerInfo 

type IssuerInfo struct {
	Type        string // "github", "google", "email", "oidc"
	Identity    string // Full identity string
	Subject     string // Certificate subject CN
	OIDCIssuer  string // OIDC issuer URL
	Repository  string // Source repository URI
	WorkflowRef string // GitHub workflow reference
	RunID       string // GitHub Actions run ID
	Digest      string // Source repository digest
}

IssuerInfo contains the signing identity information.

type KindVersion 

type KindVersion struct {
	Kind    string `json:"kind"`
	Version string `json:"version"`
}

KindVersion identifies the entry type.

type LogID 

type LogID struct {
	KeyID string `json:"keyId"`
}

LogID identifies the transparency log.

type Options 

type Options struct {
	// SkipRekor skips Rekor transparency log verification (for offline mode).
	SkipRekor bool

	// SkipSCT skips SCT verification.
	SkipSCT bool

	// AllowExpiredCerts allows expired signing certificates.
	AllowExpiredCerts bool

	// CustomTrustedRoots overrides the default Sigstore TUF roots.
	CustomTrustedRoots *TrustedRoots
}

Options configures the verifier.

type RekorEntryInfo 

type RekorEntryInfo struct {
	LogIndex       int64
	LogID          string
	IntegratedTime time.Time
	InclusionProof *InclusionProof
}

RekorEntryInfo contains transparency log entry details.

type Signature 

type Signature struct {
	Sig   string `json:"sig"` // base64 encoded
	KeyID string `json:"keyid,omitempty"`
}

Signature in a DSSE envelope.

type TlogEntry 

type TlogEntry struct {
	LogIndex          *int64              `json:"logIndex,omitempty"`
	LogID             *LogID              `json:"logId,omitempty"`
	IntegratedTime    string              `json:"integratedTime,omitempty"`
	KindVersion       *KindVersion        `json:"kindVersion,omitempty"`
	InclusionPromise  *InclusionPromise   `json:"inclusionPromise,omitempty"`
	InclusionProof    *TlogInclusionProof `json:"inclusionProof,omitempty"`
	CanonicalizedBody string              `json:"canonicalizedBody,omitempty"`
}

TlogEntry is a transparency log entry.

type TlogInclusionProof 

type TlogInclusionProof struct {
	LogIndex   int64    `json:"logIndex"`
	RootHash   string   `json:"rootHash"`
	TreeSize   int64    `json:"treeSize"`
	Hashes     []string `json:"hashes"`
	Checkpoint string   `json:"checkpoint"`
}

TlogInclusionProof proves inclusion in the log.

type TrustedRoots 

type TrustedRoots struct {
	// FulcioCerts are the Fulcio root and intermediate CA certificates.
	FulcioCerts []*x509.Certificate

	// RekorPublicKeys are the Rekor log public keys.
	RekorPublicKeys map[string]crypto.PublicKey

	// CTLogPublicKeys are the CT log public keys for SCT verification.
	CTLogPublicKeys map[string]crypto.PublicKey
}

TrustedRoots contains the trusted CA certificates and keys.

func FetchTrustedRoots 

func FetchTrustedRoots(ctx context.Context) (*TrustedRoots, error)

FetchTrustedRoots fetches the latest trusted roots from Sigstore TUF.

type VerificationMaterial 

type VerificationMaterial struct {
	Certificate *Certificate `json:"certificate,omitempty"`
	TlogEntries []TlogEntry  `json:"tlogEntries,omitempty"`
}

VerificationMaterial contains the certificate and log entries.

type VerificationResult 

type VerificationResult struct {
	// Verified is true if all verification checks passed.
	Verified bool

	// Issuer contains the extracted identity information.
	Issuer *IssuerInfo

	// CertificateInfo contains parsed certificate details.
	CertificateInfo *CertificateInfo

	// RekorEntry contains transparency log entry details.
	RekorEntry *RekorEntryInfo

	// Errors contains any verification errors.
	Errors []string

	// Warnings contains non-fatal issues.
	Warnings []string
}

VerificationResult contains the outcome of bundle verification.

type Verifier 

type Verifier struct {
	// contains filtered or unexported fields
}

Verifier performs cryptographic verification of Sigstore bundles.

func New 

func New(opts Options) *Verifier

New creates a new Sigstore verifier.

func (*Verifier) VerifyBundle 

func (v *Verifier) VerifyBundle(ctx context.Context, bundleData []byte) (*VerificationResult, error)

VerifyBundle verifies a Sigstore bundle and returns the result.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.