sigstore-oidc
OpenID Connect identity provider for sigstore-rust.
Overview
This crate handles OIDC (OpenID Connect) authentication for Sigstore's keyless signing flow. It supports obtaining identity tokens from various OIDC providers, which are then used to request short-lived signing certificates from Fulcio.
Features
- OAuth 2.0 Authorization Code Flow with PKCE: Secure authentication via browser or out-of-band code entry
- Browser auto-open (requires
browserfeature): Automatically opens the browser for a seamless OAuth flow with local redirect server - Out-of-band fallback: When the browser can't open (or
browserfeature is disabled), prompts the user to manually visit the URL and enter the verification code - Ambient credentials: Automatic detection of CI/CD environment tokens
- Token parsing: OIDC token validation and claim extraction
Cargo Features
rustls(default) - Use rustls for TLS connections.native-tls- Use the platform's native TLS implementation instead of rustls.browser(default) - Enables automatic browser opening during authentication. Adds theopendependency. Without this feature, OOB (out-of-band) mode is used.
Ambient credential detection
Ambient OIDC credentials are detected in CI systems like GitHub: See ambient-id for a list of supported environments, and details for their use.
Usage
use ;
// Opens browser (with `browser` feature) or prompts for manual code entry
let token = get_identity_token.await?;
The sigstore-sign crate provides end-to-end signing examples:
# Sign a blob
# Sign a conda package attestation
The sigstore-verify crate provides verification examples:
# Verify a bundle
# Verify a conda package attestation
Related Crates
Used by:
sigstore-sign- Obtains identity tokens for keyless signingsigstore-fulcio- Uses tokens to request certificates
License
BSD-3-Clause