
sigstore-java

A Sigstore Java client for interacting with Sigstore infrastructure

⚠️ This project is not ready for general-purpose use! ⚠️

This project requires a minimum of Java 11 and is currently in pre-release; APIs and dependencies are likely to change.

You can file issues directly on this project, or if you have any questions, message us on the sigstore#java Slack channel.

Usage

Keyless Signing And Verification

Signing

import dev.sigstore.KeylessSigner;
import dev.sigstore.bundle.Bundle;
import java.nio.file.Path;
import java.nio.file.Paths;

Path testArtifact = Paths.get("path/to/my/file.jar");

// sign against the public Sigstore instance (Fulcio + Rekor); this triggers an OIDC login
var signer = KeylessSigner.builder().sigstorePublicDefaults().build();
Bundle result = signer.sign(testArtifact);

// sigstore bundle format (serialized as <artifact>.sigstore.json)
String bundleJson = result.toJson();

Verification

Read bundle
import dev.sigstore.KeylessVerificationException;
import dev.sigstore.KeylessVerifier;
import dev.sigstore.VerificationOptions;
import dev.sigstore.VerificationOptions.CertificateIdentity;
import dev.sigstore.bundle.Bundle;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// java.nio.Path to a .sigstore.json signature bundle file
Path bundleFile = Paths.get("path/to/my/file.jar.sigstore.json");
Bundle bundle = Bundle.from(Files.newBufferedReader(bundleFile, StandardCharsets.UTF_8));
Configure verification options
// add a certificate identity policy to verify the identity of the signer;
// both the OIDC issuer and the subject must match the signing certificate
VerificationOptions verificationOptions =
    VerificationOptions.builder()
        .addCertificateIdentities(
            CertificateIdentity.builder()
                .issuer("https://accounts.example.com")
                .subjectAlternativeName("test@example.com")
                .build())
        .build();
Do verification
// java.nio.Path to the artifact file the bundle was created for
Path artifact = Paths.get("path/to/my/file.jar");
try {
  var verifier = new KeylessVerifier.Builder().sigstorePublicDefaults().build();
  verifier.verify(artifact, bundle, verificationOptions);
  // verification passed!
} catch (KeylessVerificationException e) {
  // verification failed: bad signature, untrusted certificate chain, missing
  // transparency log entry, or a signer identity that does not match the policy
}
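The two halves above combined into one round trip, as an added example that is not part of this README: it signs an artifact, persists the bundle as <artifact>.sigstore.json, reloads it as a consumer would, and verifies it twice, once against the expected identity and once against a different one, to show that the certificate identity policy, not just signature validity, decides the outcome. It assumes the dev.sigstore package layout used by the snippets above, network access to the public Sigstore instance, and that the expected OIDC issuer and subject are passed on the command line.

```java
import dev.sigstore.KeylessSigner;
import dev.sigstore.KeylessVerificationException;
import dev.sigstore.KeylessVerifier;
import dev.sigstore.VerificationOptions;
import dev.sigstore.VerificationOptions.CertificateIdentity;
import dev.sigstore.bundle.Bundle;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SignAndVerifyRoundTrip {

  // Identity policy every verification must satisfy: without constraining issuer and
  // subject, any certificate issued by Fulcio would be accepted.
  static VerificationOptions expectIdentity(String issuer, String subject) {
    return VerificationOptions.builder()
        .addCertificateIdentities(
            CertificateIdentity.builder().issuer(issuer).subjectAlternativeName(subject).build())
        .build();
  }

  // Returns true when the bundle verifies against the artifact under the given policy.
  static boolean verifies(Path artifact, Bundle bundle, VerificationOptions options) throws Exception {
    var verifier = new KeylessVerifier.Builder().sigstorePublicDefaults().build();
    try {
      verifier.verify(artifact, bundle, options);
      return true;
    } catch (KeylessVerificationException e) {
      System.err.println("verification failed: " + e.getMessage());
      return false;
    }
  }

  // usage: SignAndVerifyRoundTrip <artifact> <expected-issuer> <expected-subject>
  public static void main(String[] args) throws Exception {
    Path artifact = Paths.get(args[0]);
    Path bundleFile = Paths.get(args[0] + ".sigstore.json"); // bundle stored next to the artifact

    // Sign with the public Sigstore instance (opens an OIDC login) and persist the bundle.
    var signer = KeylessSigner.builder().sigstorePublicDefaults().build();
    Files.writeString(bundleFile, signer.sign(artifact).toJson(), StandardCharsets.UTF_8);

    // Reload from disk, as a consumer would, then verify against the expected identity.
    Bundle bundle = Bundle.from(Files.newBufferedReader(bundleFile, StandardCharsets.UTF_8));
    System.out.println("expected signer: " + verifies(artifact, bundle, expectIdentity(args[1], args[2])));

    // Same bundle, different expected subject (constructed value): must be rejected.
    VerificationOptions other = expectIdentity(args[1], "someone-else@example.com");
    System.out.println("other signer:    " + verifies(artifact, bundle, other));
  }
}
```

The first verification prints true and the second prints false; the signature and transparency log entry are identical in both runs, so the only difference is the identity policy.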

Exploring the API

You can browse the Javadoc at https://javadoc.io/doc/dev.sigstore/sigstore-java.

To build javadoc from the sources, use the following command:

$ ./gradlew javadoc
$ "my-favorite-browser" ./sigstore-java/build/docs/javadoc/index.html