Sigstore signing and verification for OCaml
0
fork

Configure Feed

Select the types of activity you want to include in your feed.

Add missing READMEs; expand short ones

New READMEs for: ocaml-auth, ocaml-cose, ocaml-http, ocaml-osv,
ocaml-rego, ocaml-scitt, ocaml-sigstore, ocaml-vec3.

Expanded: ca-certs (7→40 lines), osrelease (8→45 lines).

Each includes: synopsis, installation, usage example, API overview,
and license. Skipped ocaml-cel and ocaml-chor (no code yet).

+54
+54
README.md
··· 1 + ## sigstore -- Sigstore signing and verification for OCaml 2 + 3 + Native OCaml implementation of the [Sigstore](https://www.sigstore.dev/) 4 + protocol for keyless code signing. Sigstore binds cryptographic signatures to 5 + OpenID Connect identities without requiring long-lived keys: an ephemeral key 6 + pair is generated, a short-lived certificate is obtained from Fulcio, and the 7 + signature is recorded in the Rekor transparency log. 8 + 9 + ## Installation 10 + 11 + ``` 12 + opam install sigstore 13 + ``` 14 + 15 + ## Quick Start 16 + 17 + ```ocaml 18 + Eio_main.run @@ fun env -> 19 + Eio.Switch.run @@ fun sw -> 20 + let session = Requests.v ~sw env in 21 + let now = Eio.Time.now env#clock |> Ptime.of_float_s |> Option.get in 22 + 23 + (* Sign an artifact *) 24 + let bundle = 25 + Sigstore.sign session ~now ~id_token:"eyJ..." 26 + ~artifact:(Sigstore.Artifact.of_string "hello world") 27 + in 28 + 29 + (* Verify *) 30 + match Sigstore.verify session ~now bundle with 31 + | Ok identity -> Format.printf "Signed by %s\n" identity.email 32 + | Error e -> Format.eprintf "Verification failed: %a\n" Sigstore.pp_error e 33 + ``` 34 + 35 + ## API Overview 36 + 37 + - `Sigstore.sign` -- keyless signing via Fulcio + Rekor (generates ephemeral key, obtains certificate, records in transparency log) 38 + - `Sigstore.verify` -- online verification against Rekor 39 + - `Sigstore.verify_offline` -- offline verification against trust anchors 40 + - `Sigstore.Artifact` -- artifacts from raw bytes or pre-computed digests 41 + - `Sigstore.Fulcio` -- request ephemeral signing certificates 42 + - `Sigstore.Rekor` -- create and retrieve transparency log entries 43 + - `Sigstore.Oidc` -- OIDC provider discovery and token parsing 44 + - `Sigstore.bundle_to_json` / `bundle_of_json` -- Sigstore bundle serialization 45 + 46 + ## Configuration 47 + 48 + Use `Sigstore.production` for the public Sigstore infrastructure or 49 + `Sigstore.staging` for testing. Custom endpoints can be provided via the 50 + `config` type. 51 + 52 + ## License 53 + 54 + MIT