vyre-sigstore

Keyless signing and verification for vyre conformance certificates.

cargo add vyre-sigstore

Example

use vyre_sigstore::{sign, verify, SigningKey, VerifyingKey};

let key = SigningKey::from_keyring("ci-signing-key")?;
let cert_bytes = std::fs::read("certificate.cbor")?;

// Sign
let signature = sign(&cert_bytes, &key)?;

// Verify on any machine
let pubkey: VerifyingKey = load_public_key()?;
verify(&cert_bytes, &signature, &pubkey)?;
// If verify returns Err, the cert is either tampered or the signature is stale.

What it is

• Standalone crypto boundary. Operates on serialized certificate bytes + ed25519 keys.
• No dependency on vyre-conform. Downstream auditors verify certificates without pulling the maintainer harness.

What it isn't

• Not a replacement for cosign or the upstream sigstore CLI. Point vyre-sigstore at an existing OIDC-issued key or your own ed25519 keypair.
• Not a certificate builder. vyre-conform::certify() produces the cert; vyre-sigstore signs + verifies it.

MSRV

Rust 1.85.

License

MIT OR Apache-2.0.