| Crates.io | sigstore-verify |
| lib.rs | sigstore-verify |
| version | 0.6.0 |
| created_at | 2025-11-27 11:39:53.562134+00 |
| updated_at | 2025-12-17 09:07:50.522394+00 |
| description | Sigstore signature verification |
| homepage | |
| repository | https://github.com/wolfv/sigstore-rust |
| max_upload_size | |
| id | 1953580 |
| size | 339,520 |
Sigstore signature verification for sigstore-rust.
This crate provides high-level APIs for verifying Sigstore signatures. It handles the complete verification flow: bundle parsing, certificate chain validation, signature verification, transparency log verification, and identity policy enforcement.
use sigstore_verify::{verify, Verifier, VerificationPolicy};
use sigstore_trust_root::TrustedRoot;
use sigstore_types::{Artifact, Bundle, Sha256Hash};
// Load the trust root that every later check is anchored to.
// NOTE(review): `production()` presumably selects the public Sigstore
// instance; confirm in the sigstore_trust_root docs before using this
// against a private deployment.
let root = TrustedRoot::production()?;
// Parse the bundle from JSON. `bundle_json` is not defined in this snippet;
// treat the bundle as untrusted input until verification has succeeded.
let bundle: Bundle = serde_json::from_str(bundle_json)?;
// NOTE(review): this policy is built without `require_identity` /
// `require_issuer`, so as far as this snippet shows it does not pin *who*
// signed. Use the identity-pinning form when the signer matters, and confirm
// what the default does about identity in the crate docs.
let policy = VerificationPolicy::default();
// Verify with raw artifact bytes
let artifact_bytes = b"hello world";
// `?` propagates any error to the caller: treat an `Err` as "not verified"
// and do not fall back to using the artifact.
let result = verify(artifact_bytes.as_slice(), &bundle, &policy, &root)?;
// Or verify with pre-computed SHA-256 digest (useful for large files)
// The hex literal below is abbreviated for display ("..."); pass the full
// digest. The check is then presumably bound to that digest only, so the
// caller must compute it over the exact bytes that will be consumed.
let digest = Sha256Hash::from_hex("b94d27b9...")?;
let result = verify(digest, &bundle, &policy, &root)?;
// Using the Verifier struct directly
// The trust root is passed once to `Verifier::new` instead of on every call.
let verifier = Verifier::new(&root);
let result = verifier.verify(artifact_bytes.as_slice(), &bundle, &policy)?;
use sigstore_verify::VerificationPolicy;
// Default policy (verify tlog, timestamps, and certificate chain)
// NOTE(review): identity is not in the list above; without the
// `require_*` calls shown next, the signer is presumably not constrained.
let policy = VerificationPolicy::default();
// Require specific identity and issuer
// Pin both values together: an identity string only means something relative
// to the issuer that asserted it.
// NOTE(review): confirm whether matching is exact or pattern-based.
let policy = VerificationPolicy::default()
.require_identity("user@example.com")
.require_issuer("https://accounts.google.com");
// Skip certain verifications (for testing only)
// Each `skip_*` call turns off one of the checks the default policy lists.
// A policy built this way no longer ties the signature to the transparency
// log or to the trusted certificate chain, so keep it out of production
// code paths (for example, confine it to test-only code).
let policy = VerificationPolicy::default()
.skip_tlog()
.skip_certificate_chain();
sigstore-sign - Create signatures to verify with this crate

License: BSD-3-Clause