Sigstore Save

Common go library shared across sigstore services and clients

Project README

sigstore framework

Fuzzing Status CII Best Practices

sigstore/sigstore is a generic library / framework that is utilized by various other clients and projects including fulcio (webPKI), cosign (container and OCI signing tool) and tektoncd/chains (Supply Chain Security in Tekton Pipelines).

sigstore is a good candidate for anyone wanting to develop go based clients / systems and utilise existing go modules for common sigstore functionality.

This library currently provides:

  • A signing interface (support for ecdsa, ed25519, rsa, DSSE (in-toto))
  • OpenID Connect fulcio client code

The following KMS systems are available:

  • AWS Key Management Service
  • Azure Key Vault
  • HashiCorp Vault
  • Google Cloud Platform Key Management Service

For example code, look at the relevant test code for each main code file.


The fuzzing tests are within


Should you discover any security issues, please refer to sigstores security process

For container signing, you want cosign

Open Source Agenda is not affiliated with "Sigstore" Project. README Source: sigstore/sigstore
Open Issues
Last Commit
2 weeks ago

Open Source Agenda Badge

Open Source Agenda Rating