# sigstore -- Sigstore signing and verification for OCaml
Native OCaml implementation of the Sigstore protocol for keyless code signing. Sigstore binds cryptographic signatures to OpenID Connect identities without requiring long-lived keys: an ephemeral key pair is generated, a short-lived certificate is obtained from Fulcio, and the signature is recorded in the Rekor transparency log.
## Installation

Install with opam:

```sh
$ opam install sigstore
```

If opam cannot find the package, it may not yet be released in the public
opam-repository. Add the overlay repository, then install it:

```sh
$ opam repo add samoht https://tangled.org/gazagnaire.org/opam-overlay.git
$ opam update
$ opam install sigstore
```
## Quick Start

Sign an artifact with an OIDC identity token, then verify the resulting bundle:

```ocaml
let run () =
  Eio_main.run @@ fun env ->
  Eio.Switch.run @@ fun sw ->
  (* HTTP session shared by the Fulcio, Rekor and OIDC requests. *)
  let session = Requests.v ~sw env in
  (* Current time, used to check the short-lived certificate's validity window. *)
  let now = Eio.Time.now env#clock |> Ptime.of_float_s |> Option.get in
  (* Sign an artifact. *)
  match
    Sigstore.sign session ~now ~id_token:"eyJ..."
      ~artifact:(Sigstore.Artifact.of_string "hello world")
  with
  | Error e -> Fmt.epr "Sign failed: %a@." Sigstore.pp_error e
  | Ok bundle -> (
      (* Verify. *)
      match Sigstore.verify session ~now bundle with
      | Ok identity -> Fmt.pr "Signed by %s@." identity.email
      | Error e -> Fmt.epr "Verification failed: %a@." Sigstore.pp_error e)
```
## API Overview

- `Sigstore.sign` -- keyless signing via Fulcio + Rekor (generates an ephemeral key, obtains a certificate, records the signature in the transparency log)
- `Sigstore.verify` -- online verification against Rekor
- `Sigstore.verify_offline` -- offline verification against trust anchors
- `Sigstore.Artifact` -- artifacts from raw bytes or pre-computed digests
- `Sigstore.Fulcio` -- request ephemeral signing certificates
- `Sigstore.Rekor` -- create and retrieve transparency log entries
- `Sigstore.Oidc` -- OIDC provider discovery and token parsing
- `Sigstore.bundle_to_json` / `Sigstore.bundle_of_json` -- Sigstore bundle serialization
## Configuration

Use `Sigstore.production` for the public Sigstore infrastructure or
`Sigstore.staging` for testing. Custom endpoints can be provided via the
config type.
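A successful `Sigstore.verify` only establishes that some OIDC identity signed the artifact; deciding which identity is trusted is the caller's job. The following is an added example, not code from the sigstore package, that loads a bundle from disk, verifies it against the staging configuration and then pins the signer's email. Names not confirmed by this README and assumed here: that `Sigstore.verify` takes a `~config` argument selecting the configuration, and that `Sigstore.bundle_of_json` takes a JSON string and returns a `result`. `identity.email`, `Sigstore.staging` and `Sigstore.pp_error` are taken from the README itself; the bundle path and expected email are constructed values.

```ocaml
(* Added example; not part of the sigstore package.
   Assumed (not confirmed by the README): [~config] on [Sigstore.verify],
   and [Sigstore.bundle_of_json : string -> (bundle, error) result]. *)

(* Verify [bundle_json] and additionally require that the certificate
   identity is [expected_email]. A bundle that verifies but was signed by
   another identity is rejected rather than accepted. *)
let verify_pinned session ~now ~config ~expected_email bundle_json =
  match Sigstore.bundle_of_json bundle_json with
  | Error e -> Error (`Sigstore e)
  | Ok bundle -> (
      match Sigstore.verify session ~now ~config bundle with
      | Error e -> Error (`Sigstore e)
      | Ok identity ->
          if String.equal identity.email expected_email then Ok identity
          else Error (`Unexpected_identity identity.email))

(* Distinguish a cryptographic/log failure from a valid-but-untrusted signer
   so that operators can tell the two cases apart in logs. *)
let pp_pinned_error ppf = function
  | `Sigstore e -> Sigstore.pp_error ppf e
  | `Unexpected_identity got ->
      Fmt.pf ppf "bundle is valid but was signed by %s, not the expected signer" got

let () =
  Eio_main.run @@ fun env ->
  Eio.Switch.run @@ fun sw ->
  let session = Requests.v ~sw env in
  let now = Eio.Time.now env#clock |> Ptime.of_float_s |> Option.get in
  (* Constructed path: a bundle previously written with [Sigstore.bundle_to_json]. *)
  let bundle_json = Eio.Path.load Eio.Path.(env#fs / "artifact.sigstore.json") in
  match
    verify_pinned session ~now ~config:Sigstore.staging
      ~expected_email:"release@example.com" (* constructed value *)
      bundle_json
  with
  | Ok identity -> Fmt.pr "Accepted: signed by %s@." identity.email
  | Error e ->
      Fmt.epr "Rejected: %a@." pp_pinned_error e;
      exit 1
```

Switching `Sigstore.staging` to `Sigstore.production` is the only change needed to verify against the public infrastructure; bundles signed against one instance will not verify against the other, because the Fulcio and Rekor trust roots differ.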
## License
MIT