sigstore/sigstore is a generic library / framework that is utilized by various other clients and projects including fulcio (webPKI), cosign (container and OCI signing tool) and tektoncd/chains (Supply Chain Security in Tekton Pipelines).
sigstore is a good candidate for anyone wanting to develop Go-based clients / systems and utilise existing Go modules for common sigstore functionality.
This library currently provides:
The following KMS systems are available:
For example code, look at the relevant test code for each main code file.
The fuzzing tests are within https://github.com/sigstore/sigstore/tree/main/test/fuzz
Should you discover any security issues, please refer to sigstore's security process.
For container signing, you want cosign.