A sigstore Java client for interacting with sigstore infrastructure
This project requires a minimum of Java 11 and is currently in pre-release; APIs and dependencies are likely to change.
You can file issues directly on this project, or if you have any questions, message us on the sigstore#java Slack channel.
import java.nio.file.Path;
import java.nio.file.Paths;
import dev.sigstore.KeylessSigner;
import dev.sigstore.bundle.Bundle;

Path testArtifact = Paths.get("path/to/my/file.jar");

// keyless signing against the public sigstore instance (Fulcio + Rekor); this triggers an OIDC login
var signer = KeylessSigner.builder().sigstorePublicDefaults().build();
Bundle result = signer.sign(testArtifact);

// sigstore bundle format (serialized as <artifact>.sigstore.json)
String bundleJson = result.toJson();
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import dev.sigstore.KeylessVerificationException;
import dev.sigstore.KeylessVerifier;
import dev.sigstore.VerificationOptions;
import dev.sigstore.VerificationOptions.CertificateIdentity;
import dev.sigstore.bundle.Bundle;

Path bundleFile = Paths.get("path/to/my/file.jar.sigstore.json"); // java.nio.Path to a .sigstore.json signature bundle file
Bundle bundle = Bundle.from(Files.newBufferedReader(bundleFile, StandardCharsets.UTF_8));

// add a certificate identity policy to verify who signed: the bundle is only accepted if the
// signing certificate was issued by this OIDC issuer for this subject (email or URI in the SAN)
VerificationOptions verificationOptions =
    VerificationOptions.builder()
        .addCertificateIdentities(
            CertificateIdentity.builder()
                .issuer("https://accounts.example.com")
                .subjectAlternativeName("[email protected]")
                .build())
        .build();

Path artifact = Paths.get("path/to/my/file.jar"); // java.nio.Path to artifact file
try {
  var verifier = new KeylessVerifier.Builder().sigstorePublicDefaults().build();
  verifier.verify(artifact, bundle, verificationOptions);
  // verification passed!
} catch (KeylessVerificationException e) {
  // verification failed: signature, certificate chain, transparency log entry or identity policy did not check out
}
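Putting the two snippets together, here is an added example (not code from the sigstore-java README or the project itself) that signs an artifact, writes the bundle next to it using the <artifact>.sigstore.json convention, then reloads that bundle and verifies the artifact against an explicit signer-identity policy, returning a boolean a build step can act on. It assumes the public sigstore instance (network access and an interactive OIDC login during signing), an artifact at path/to/my/file.jar, that the classes live in the dev.sigstore package as imported below, and it uses placeholder identity values; SignThenVerify, bundlePathFor, sign and verify are names chosen for this example.

```java
// Added example, not part of the sigstore-java project. Class and method names are ours;
// the issuer/subject strings are placeholders to be replaced with the signer's real identity.
import dev.sigstore.KeylessSigner;
import dev.sigstore.KeylessVerificationException;
import dev.sigstore.KeylessVerifier;
import dev.sigstore.VerificationOptions;
import dev.sigstore.VerificationOptions.CertificateIdentity;
import dev.sigstore.bundle.Bundle;

import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SignThenVerify {

  /** Bundle location convention: the bundle sits beside the artifact as <artifact>.sigstore.json. */
  static Path bundlePathFor(Path artifact) {
    return artifact.resolveSibling(artifact.getFileName() + ".sigstore.json");
  }

  /** Keyless-signs the artifact with the public sigstore instance and writes the bundle next to it. */
  static Path sign(Path artifact) throws Exception {
    var signer = KeylessSigner.builder().sigstorePublicDefaults().build();
    Bundle bundle = signer.sign(artifact);
    Path bundleFile = bundlePathFor(artifact);
    Files.writeString(bundleFile, bundle.toJson(), StandardCharsets.UTF_8);
    return bundleFile;
  }

  /**
   * Verifies the artifact against its bundle and requires that the signing certificate was
   * issued by expectedIssuer for expectedSubject. Pinning the identity is what ties the
   * signature to a specific signer rather than to "someone with a valid sigstore certificate".
   */
  static boolean verify(Path artifact, Path bundleFile, String expectedIssuer, String expectedSubject)
      throws Exception {
    Bundle bundle;
    try (var reader = Files.newBufferedReader(bundleFile, StandardCharsets.UTF_8)) {
      bundle = Bundle.from(reader);
    }

    VerificationOptions options =
        VerificationOptions.builder()
            .addCertificateIdentities(
                CertificateIdentity.builder()
                    .issuer(expectedIssuer)
                    .subjectAlternativeName(expectedSubject)
                    .build())
            .build();

    var verifier = new KeylessVerifier.Builder().sigstorePublicDefaults().build();
    try {
      verifier.verify(artifact, bundle, options);
      return true;
    } catch (KeylessVerificationException e) {
      // any failure (bad signature, untrusted chain, missing log entry, wrong identity) lands here
      System.err.println("verification failed: " + e.getMessage());
      return false;
    }
  }

  public static void main(String[] args) throws Exception {
    Path artifact = Paths.get("path/to/my/file.jar");
    Path bundleFile = sign(artifact);

    // Placeholder policy: use the OIDC issuer and the email/URI that appear in the signer's
    // Fulcio certificate, e.g. the CI workflow identity your release pipeline is expected to use.
    boolean ok = verify(artifact, bundleFile, "https://accounts.example.com", "signer@example.com");
    System.exit(ok ? 0 : 1);
  }
}
```

The signing half needs an interactive login, so run it where a browser is available; the verify half is the part to reuse in CI, with the expected issuer and subject hard-coded for the pipeline rather than read from the bundle, since a bundle chosen by an attacker will always describe an identity that matches itself.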
You can browse the Javadoc at https://javadoc.io/doc/dev.sigstore/sigstore-java.
To build the Javadoc from the sources, use the following commands:
$ ./gradlew javadoc
$ "my-favorite-browser" ./sigstore-java/build/docs/javadoc/index.html