sigstore-sign
Sigstore signature creation for sigstore-rust.
Overview
This crate provides high-level APIs for creating Sigstore signatures. It orchestrates the keyless signing flow: OIDC authentication, short-lived certificate issuance from Fulcio, signing with an ephemeral key, transparency log submission to Rekor, and optional RFC 3161 timestamping.
Features
- Keyless signing: Sign artifacts using OIDC identity (no long-lived keys)
- Bundle creation: Produces standard Sigstore bundles
- Transparency logging: Automatic submission to Rekor
- Timestamping: Optional RFC 3161 timestamps, so a signature stays verifiable after the short-lived Fulcio certificate has expired
- Multiple content types: Support for blobs and DSSE attestations
Signing Flow
- Authenticate with an OIDC provider (or use ambient credentials, such as the OIDC token a CI system issues to a job)
- Generate an ephemeral key pair
- Request a short-lived certificate from Fulcio, which binds the ephemeral public key to the OIDC identity
- Sign the artifact bytes, a pre-computed digest, or a DSSE payload with the ephemeral private key
- Submit the signature and certificate to the Rekor transparency log; the inclusion proof shows the signature existed while the certificate was valid
- Optionally request an RFC 3161 timestamp from a TSA
- Package the signature, certificate, log entry and timestamp into a Sigstore bundle
Usage
```rust
use sigstore_sign::{IdentityToken, SigningContext};
// Digest type from the companion sigstore-types crate (import path assumed).
use sigstore_types::Sha256Hash;

// Create a signing context for production
let context = SigningContext::production();

// Get an identity token (from OIDC provider). It must be a fresh OIDC ID token;
// Fulcio expects its `aud` claim to be "sigstore". The argument name is a placeholder.
let token = IdentityToken::new(oidc_id_token);

// Create a signer bound to that identity
let signer = context.signer(token);

// Sign artifact bytes
let artifact = b"hello world";
let bundle = signer.sign(artifact).await?;

// Or sign with a pre-computed digest (for large files). Hash the exact bytes
// you distribute; the signature only covers the digest you pass in.
// The value below is the SHA-256 of b"hello world".
let digest = Sha256Hash::from_hex(
    "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9",
)?;
let bundle = signer.sign(digest).await?;

// Sign an in-toto attestation (DSSE envelope). The subject and statement type
// names were lost from this README; the names and arguments below are placeholders
// and should be checked against the crate docs. The builder calls are as shown.
let subject = Subject::new("hello.txt", digest);
let attestation = Statement::new()
    .with_subject(subject)
    .with_predicate(predicate_type, predicate);
let bundle = signer.sign_attestation(attestation).await?;

// Write bundle to file (serialization method assumed; the bundle is the
// standard Sigstore JSON bundle, conventionally named <artifact>.sigstore.json)
std::fs::write("hello.sigstore.json", serde_json::to_vec(&bundle)?)?;
```
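The `sign_attestation` path above does not sign the statement JSON directly: per the DSSE specification the key signs the pre-authentication encoding (PAE) of the payload type and payload, and a verifier must rebuild that same PAE. The following is an added example, not code from the sigstore-sign crate, that reconstructs those bytes for a single-subject in-toto Statement v1 using only the Rust standard library. The subject name `hello.txt`, the SLSA predicate type and the empty predicate are constructed sample values; the hand-rolled JSON quoting is for illustration only, and real code should serialize the statement with serde_json.

```rust
// Added example, not part of the sigstore-sign crate: rebuilds what the ephemeral
// key signs on the DSSE/attestation path, i.e. PAE(payloadType, statement JSON).
// Only std is used; the JSON is assembled by hand (use serde_json in real code).

/// in-toto Statement v1 `_type` and the DSSE payloadType used for attestations.
pub const STATEMENT_TYPE: &str = "https://in-toto.io/Statement/v1";
pub const IN_TOTO_PAYLOAD_TYPE: &str = "application/vnd.in-toto+json";

/// Minimal JSON string quoting (quotes, backslashes, control characters).
fn json_string(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    out.push('"');
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// Build a single-subject in-toto Statement v1. The digest must be the lowercase
/// hex SHA-256 of the artifact bytes; `predicate_json` must already be valid JSON.
pub fn statement_json(
    subject_name: &str,
    sha256_hex: &str,
    predicate_type: &str,
    predicate_json: &str,
) -> Result<String, String> {
    let is_lower_hex = sha256_hex
        .bytes()
        .all(|b| matches!(b, b'0'..=b'9' | b'a'..=b'f'));
    if sha256_hex.len() != 64 || !is_lower_hex {
        return Err(format!("subject digest is not 64 lowercase hex chars: {sha256_hex}"));
    }
    Ok(format!(
        "{{\"_type\":{},\"subject\":[{{\"name\":{},\"digest\":{{\"sha256\":{}}}}}],\"predicateType\":{},\"predicate\":{}}}",
        json_string(STATEMENT_TYPE),
        json_string(subject_name),
        json_string(sha256_hex),
        json_string(predicate_type),
        predicate_json,
    ))
}

/// DSSE PAE: "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body. The explicit
/// lengths are what stop a payload of one type from being replayed as another.
pub fn pae(payload_type: &str, payload: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(payload_type.len() + payload.len() + 32);
    out.extend_from_slice(b"DSSEv1 ");
    out.extend_from_slice(payload_type.len().to_string().as_bytes());
    out.push(b' ');
    out.extend_from_slice(payload_type.as_bytes());
    out.push(b' ');
    out.extend_from_slice(payload.len().to_string().as_bytes());
    out.push(b' ');
    out.extend_from_slice(payload);
    out
}

/// The exact bytes the signing key must cover for an attestation over one subject.
pub fn attestation_signing_input(
    subject_name: &str,
    sha256_hex: &str,
    predicate_type: &str,
    predicate_json: &str,
) -> Result<Vec<u8>, String> {
    let statement = statement_json(subject_name, sha256_hex, predicate_type, predicate_json)?;
    Ok(pae(IN_TOTO_PAYLOAD_TYPE, statement.as_bytes()))
}

fn main() {
    // Constructed input: the SHA-256 of b"hello world", matching the Usage section.
    let digest = "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9";
    let input = attestation_signing_input("hello.txt", digest, "https://slsa.dev/provenance/v1", "{}")
        .expect("digest is valid lowercase hex");
    println!("{}", String::from_utf8_lossy(&input));
}
```

The digest check matters more than it looks: a verifier matches the artifact against `subject[].digest.sha256` byte for byte, so a mixed-case or truncated digest produces an attestation that signs fine but never matches anything at verification time.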
Configuration
```rust
use sigstore_sign::SigningContext;

// Production environment (the public Sigstore instance)
let context = SigningContext::production();

// Staging environment (for testing; its Fulcio and Rekor are not trusted by production verifiers)
let context = SigningContext::staging();
```
Related Crates
- sigstore-verify - Verify signatures created by this crate
License
BSD-3-Clause