Source: sigstore-go Section: golang Priority: optional Maintainer: Debian Go Packaging Team Uploaders: Simon Josefsson , Rules-Requires-Root: no Build-Depends: debhelper-compat (= 13), dh-sequence-golang, golang-any, golang-github-digitorus-timestamp-dev, golang-github-go-openapi-runtime-dev, golang-github-go-openapi-strfmt-dev, golang-github-go-openapi-swag-dev, golang-github-google-certificate-transparency-dev, golang-github-in-toto-attestation-dev, golang-github-in-toto-in-toto-golang-dev, golang-github-secure-systems-lab-go-securesystemslib-dev, golang-github-sigstore-protobuf-specs-dev (>> 0.3.2-1~), golang-github-sigstore-rekor-dev (>> 1.3.6-2~), golang-github-sigstore-sigstore-dev (>> 1.8.10-2~), golang-github-sigstore-timestamp-authority-dev, golang-github-stretchr-testify-dev, golang-github-theupdateframework-go-tuf-dev (>> 2.0.2~), golang-golang-x-crypto-dev, golang-golang-x-mod-dev, golang-google-protobuf-dev, Testsuite: autopkgtest-pkg-go Standards-Version: 4.7.0 Vcs-Browser: https://salsa.debian.org/go-team/packages/sigstore-go Vcs-Git: https://salsa.debian.org/go-team/packages/sigstore-go.git Homepage: https://github.com/sigstore/sigstore-go XS-Go-Import-Path: github.com/sigstore/sigstore-go Package: sigstore-go Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends}, Built-Using: ${misc:Built-Using}, Description: Sigstore signing and verification (program) A client library for Sigstore (https://www.sigstore.dev/), written in Go. Features: . * Signing and verification of Sigstore bundles (https://github.com/sigstore/protobuf- specs/blob/main/protos/sigstore_bundle.proto) compliant with Sigstore Client Spec * Verification of raw Sigstore signatures by creating bundles for them (see conformance tests (/cmd/conformance/main.go) for example) * Signing and verifying with a Timestamp Authority (TSA) * Signing and verifying (offline or online) with Rekor (Artifact Transparency Log) * Structured verification results including certificate metadata * TUF support * Verification support for custom trusted root (https://github.com/sigstore/protobuf- specs/blob/main/protos/sigstore_trustroot.proto) * Basic CLI and examples . For an example of how to use this library, see the verification documentation (/docs/verification.md), the CLI cmd/sigstore-go (/cmd/sigstore-go/main.go). Note that the CLI is to demonstrate how to use the library, and not intended as a fully- featured Sigstore CLI like cosign (https://github.com/sigstore/cosign). . Background . Sigstore already has a canonical Go client implementation, cosign (https://github.com/sigstore/cosign), which was developed with a focus on container image signing/verification. It has a rich CLI and a long legacy of features and development. sigstore-go is a more minimal and friendly API for integrating Go code with Sigstore, with a focus on the newly specified data structures in sigstore/protobuf-specs (https://github.com/sigstore/protobuf-specs). sigstore-go attempts to minimize the dependency tree for simple signing and verification tasks, omitting KMS support and container image verification. . This package contains the binaries. Package: golang-github-sigstore-sigstore-go-dev Architecture: all Multi-Arch: foreign Depends: golang-github-digitorus-pkcs7-dev, golang-github-digitorus-timestamp-dev, golang-github-go-openapi-runtime-dev, golang-github-go-openapi-strfmt-dev, golang-github-go-openapi-swag-dev, golang-github-google-certificate-transparency-dev, golang-github-in-toto-attestation-dev, golang-github-in-toto-in-toto-golang-dev, golang-github-secure-systems-lab-go-securesystemslib-dev, golang-github-sigstore-protobuf-specs-dev (>> 0.3.2-1~), golang-github-sigstore-rekor-dev (>> 1.3.6-2~), golang-github-sigstore-sigstore-dev (>> 1.8.10-2~), golang-github-sigstore-timestamp-authority-dev, golang-github-stretchr-testify-dev, golang-github-theupdateframework-go-tuf-dev (>> 2.0.2~), golang-golang-x-crypto-dev, golang-golang-x-mod-dev, golang-google-protobuf-dev, ${misc:Depends}, Description: Sigstore signing and verification (Go library) A client library for Sigstore (https://www.sigstore.dev/), written in Go. Features: . * Signing and verification of Sigstore bundles (https://github.com/sigstore/protobuf- specs/blob/main/protos/sigstore_bundle.proto) compliant with Sigstore Client Spec * Verification of raw Sigstore signatures by creating bundles for them (see conformance tests (/cmd/conformance/main.go) for example) * Signing and verifying with a Timestamp Authority (TSA) * Signing and verifying (offline or online) with Rekor (Artifact Transparency Log) * Structured verification results including certificate metadata * TUF support * Verification support for custom trusted root (https://github.com/sigstore/protobuf- specs/blob/main/protos/sigstore_trustroot.proto) * Basic CLI and examples . For an example of how to use this library, see the verification documentation (/docs/verification.md), the CLI cmd/sigstore-go (/cmd/sigstore-go/main.go). Note that the CLI is to demonstrate how to use the library, and not intended as a fully- featured Sigstore CLI like cosign (https://github.com/sigstore/cosign). . Background . Sigstore already has a canonical Go client implementation, cosign (https://github.com/sigstore/cosign), which was developed with a focus on container image signing/verification. It has a rich CLI and a long legacy of features and development. sigstore-go is a more minimal and friendly API for integrating Go code with Sigstore, with a focus on the newly specified data structures in sigstore/protobuf-specs (https://github.com/sigstore/protobuf-specs). sigstore-go attempts to minimize the dependency tree for simple signing and verification tasks, omitting KMS support and container image verification. . This package contains the Go library.