sigstore-verification
| Crates.io | sigstore-verification |
| lib.rs | sigstore-verification |
| version | 0.1.7 |
| created_at | 2025-09-19 03:13:44.75242+00 |
| updated_at | 2025-09-20 14:54:16.602941+00 |
| description | Sigstore, Cosign, and SLSA attestation verification library |
| homepage | https://github.com/jdx/sigstore-verification |
| repository | https://github.com/jdx/sigstore-verification |
| max_upload_size | |
| id | 1845725 |
| size | 227,860 |
(jdx)
documentation
https://docs.rs/sigstore-verification
README
Sigstore Verification
A Rust library for verifying software artifact signatures and attestations using Sigstore, Cosign, and SLSA standards.
Features
- GitHub Artifact Attestations: Verify artifacts built by GitHub Actions workflows
- Cosign Signatures: Support for both keyless (Fulcio) and key-based verification
- SLSA Provenance: Verify SLSA provenance with configurable security levels
- Rekor Transparency Log: Full support for verifying inclusion proofs and signed entry timestamps
- Modular Architecture: Extensible design with traits for sources and verifiers
- Configurable TLS: Support for multiple TLS backends (native-tls, rustls)
TLS Configuration
This library supports multiple TLS backends through Cargo features:
[dependencies]
# Default: uses native-tls (OpenSSL/Secure Transport)
sigstore-verification = "0.1.2"
# Use rustls instead
sigstore-verification = { version = "0.1.2", default-features = false, features = ["rustls"] }
# Use rustls with native root certificates
sigstore-verification = { version = "0.1.2", default-features = false, features = ["rustls-native-roots"] }
Available TLS Backends
native-tls(default): Uses OpenSSL on Linux, Secure Transport on macOS, SChannel on Windowsrustls: Pure Rust TLS implementation with webpki-rootsrustls-native-roots: Pure Rust TLS implementation with system root certificates
Architecture
Sources
GitHubSource: Fetch attestations from GitHub's APIFileSource: Load attestations from local filesOciSource: (Planned) Fetch from OCI registries
Verifiers
CosignVerifier: Cosign-compatible signature verificationSlsaVerifier: SLSA provenance verificationGitHubVerifier: GitHub-specific attestation verification
Usage
GitHub Attestations
use sigstore_verification::verify_github_attestation;
let verified = verify_github_attestation(
&artifact_path,
"owner",
"repo",
Some(token),
Some("release.yml"),
).await?;
Cosign Verification
Keyless (Fulcio)
use sigstore_verification::verify_cosign_signature;
let verified = verify_cosign_signature(
&artifact_path,
&bundle_path,
).await?;
With Public Key
use sigstore_verification::verify_cosign_signature_with_key;
let verified = verify_cosign_signature_with_key(
&artifact_path,
&signature_path,
&public_key_path,
).await?;
SLSA Provenance
use sigstore_verification::verify_slsa_provenance;
let verified = verify_slsa_provenance(
&artifact_path,
&provenance_path,
2, // Minimum SLSA level
).await?;
Integration with mise
This crate is used by mise's aqua backend to provide native Rust verification of software artifacts. It completely replaces external CLI tools like cosign, slsa-verifier, and gh attestation verify.
Benefits
- No external dependencies on CLI tools
- Faster verification (no process spawning)
- Better error handling and debugging
- Consistent behavior across platforms
Security Features
- X.509 Certificate Validation: Verifies Fulcio-issued certificates
- DSSE Signature Verification: Supports P-256, P-384, and Ed25519 algorithms
- Merkle Tree Verification: RFC 6962 compliant inclusion proof verification
- Signed Entry Timestamps: Verifies Rekor transparency log timestamps
- Trust Root Integration: Uses Sigstore's official trust root
Dependencies
sigstore: Official Sigstore Rust libraryp256,p384,ed25519-dalek: Cryptographic primitivesx509-parser: X.509 certificate parsingreqwest: HTTP client for API callstokio: Async runtime
License
MIT