sigstore-verification 0.1.6

Sigstore, Cosign, and SLSA attestation verification library
docs.rs failed to build sigstore-verification-0.1.6
Please check the build logs for more information.
See Builds for ideas on how to fix a failed build, or Metadata for how to configure docs.rs builds.
If you believe this is docs.rs' fault, open an issue.
Visit the last successful build: sigstore-verification-0.1.7

Sigstore Verification

A Rust library for verifying software artifact signatures and attestations using Sigstore, Cosign, and SLSA standards.

Features

  • GitHub Artifact Attestations: Verify artifacts built by GitHub Actions workflows
  • Cosign Signatures: Support for both keyless (Fulcio) and key-based verification
  • SLSA Provenance: Verify SLSA provenance with configurable security levels
  • Rekor Transparency Log: Full support for verifying inclusion proofs and signed entry timestamps
  • Modular Architecture: Extensible design with traits for sources and verifiers
  • Configurable TLS: Support for multiple TLS backends (native-tls, rustls)

TLS Configuration

This library supports multiple TLS backends through Cargo features:

[dependencies]
# Default: uses native-tls (OpenSSL/Secure Transport)
sigstore-verification = "0.1.2"

# Use rustls instead
sigstore-verification = { version = "0.1.2", default-features = false, features = ["rustls"] }

# Use rustls with native root certificates
sigstore-verification = { version = "0.1.2", default-features = false, features = ["rustls-native-roots"] }

Available TLS Backends

  • native-tls (default): Uses OpenSSL on Linux, Secure Transport on macOS, SChannel on Windows
  • rustls: Pure Rust TLS implementation with webpki-roots
  • rustls-native-roots: Pure Rust TLS implementation with system root certificates

Architecture

Sources

  • GitHubSource: Fetch attestations from GitHub's API
  • FileSource: Load attestations from local files
  • OciSource: (Planned) Fetch from OCI registries

Verifiers

  • CosignVerifier: Cosign-compatible signature verification
  • SlsaVerifier: SLSA provenance verification
  • GitHubVerifier: GitHub-specific attestation verification

Usage

GitHub Attestations

use sigstore_verification::verify_github_attestation;

let verified = verify_github_attestation(
    &artifact_path,
    "owner",
    "repo",
    Some(token),
    Some("release.yml"),
).await?;

Cosign Verification

Keyless (Fulcio)

use sigstore_verification::verify_cosign_signature;

let verified = verify_cosign_signature(
    &artifact_path,
    &bundle_path,
).await?;

With Public Key

use sigstore_verification::verify_cosign_signature_with_key;

let verified = verify_cosign_signature_with_key(
    &artifact_path,
    &signature_path,
    &public_key_path,
).await?;

SLSA Provenance

use sigstore_verification::verify_slsa_provenance;

let verified = verify_slsa_provenance(
    &artifact_path,
    &provenance_path,
    2, // Minimum SLSA level
).await?;

Integration with mise

This crate is used by mise's aqua backend to provide native Rust verification of software artifacts. It completely replaces external CLI tools like cosign, slsa-verifier, and gh attestation verify.

Benefits

  • No external dependencies on CLI tools
  • Faster verification (no process spawning)
  • Better error handling and debugging
  • Consistent behavior across platforms

Security Features

  • X.509 Certificate Validation: Verifies Fulcio-issued certificates
  • DSSE Signature Verification: Supports P-256, P-384, and Ed25519 algorithms
  • Merkle Tree Verification: RFC 6962 compliant inclusion proof verification
  • Signed Entry Timestamps: Verifies Rekor transparency log timestamps
  • Trust Root Integration: Uses Sigstore's official trust root

Dependencies

  • sigstore: Official Sigstore Rust library
  • p256, p384, ed25519-dalek: Cryptographic primitives
  • x509-parser: X.509 certificate parsing
  • reqwest: HTTP client for API calls
  • tokio: Async runtime

License

MIT