sigstore-verification 0.1.1

Sigstore, Cosign, and SLSA attestation verification library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102

# Sigstore Verification

A Rust library for verifying software artifact signatures and attestations using Sigstore, Cosign, and SLSA standards.

## Features

- **GitHub Artifact Attestations**: Verify artifacts built by GitHub Actions workflows
- **Cosign Signatures**: Support for both keyless (Fulcio) and key-based verification
- **SLSA Provenance**: Verify SLSA provenance with configurable security levels
- **Rekor Transparency Log**: Full support for verifying inclusion proofs and signed entry timestamps
- **Modular Architecture**: Extensible design with traits for sources and verifiers

## Architecture

### Sources
- `GitHubSource`: Fetch attestations from GitHub's API
- `FileSource`: Load attestations from local files
- `OciSource`: (Planned) Fetch from OCI registries

### Verifiers
- `CosignVerifier`: Cosign-compatible signature verification
- `SlsaVerifier`: SLSA provenance verification
- `GitHubVerifier`: GitHub-specific attestation verification

## Usage

### GitHub Attestations
```rust
use sigstore_verification::verify_github_attestation;

let verified = verify_github_attestation(
    &artifact_path,
    "owner",
    "repo",
    Some(token),
    Some("release.yml"),
).await?;
```

### Cosign Verification

#### Keyless (Fulcio)
```rust
use sigstore_verification::verify_cosign_signature;

let verified = verify_cosign_signature(
    &artifact_path,
    &bundle_path,
).await?;
```

#### With Public Key
```rust
use sigstore_verification::verify_cosign_signature_with_key;

let verified = verify_cosign_signature_with_key(
    &artifact_path,
    &signature_path,
    &public_key_path,
).await?;
```

### SLSA Provenance
```rust
use sigstore_verification::verify_slsa_provenance;

let verified = verify_slsa_provenance(
    &artifact_path,
    &provenance_path,
    2, // Minimum SLSA level
).await?;
```

## Integration with mise

This crate is used by mise's aqua backend to provide native Rust verification of software artifacts. It completely replaces external CLI tools like `cosign`, `slsa-verifier`, and `gh attestation verify`.

### Benefits
- No external dependencies on CLI tools
- Faster verification (no process spawning)
- Better error handling and debugging
- Consistent behavior across platforms

## Security Features

- **X.509 Certificate Validation**: Verifies Fulcio-issued certificates
- **DSSE Signature Verification**: Supports P-256, P-384, and Ed25519 algorithms
- **Merkle Tree Verification**: RFC 6962 compliant inclusion proof verification
- **Signed Entry Timestamps**: Verifies Rekor transparency log timestamps
- **Trust Root Integration**: Uses Sigstore's official trust root

## Dependencies

- `sigstore`: Official Sigstore Rust library
- `p256`, `p384`, `ed25519-dalek`: Cryptographic primitives
- `x509-parser`: X.509 certificate parsing
- `reqwest`: HTTP client for API calls
- `tokio`: Async runtime

## License

MIT