Description
Implement bindings/go/sigstore as a new Go module providing the ComponentSignatureHandler contract defined in ADR-0008.
Supported features:
- Keyless signing via OIDC token + Fulcio certificate
- Key-based signing/verification (ECDSA P-256/384/521, Ed25519)
- Cosign bundle format (application/vnd.dev.sigstore.bundle.v0.3+json)
- Configurable endpoints (Fulcio, Rekor v1/v2, TSA) via SignConfig/VerifyConfig (SigstoreSigningConfiguration/v1alpha1, SigstoreVerificationConfiguration/v1alpha1)
- Offline verification via trusted root JSON or TUF custom mirror
- Identity verification (issuer + SAN, exact or regex) for keyless
- signing_config.json endpoint discovery takes precedence over explicit config

To be able to test the implementation, we also need to implement the credential resolution layer for the sigstore handler in bindings/go/sigstore/signing/handler/internal/credentials/.
Credential keys:
- private_key_pem / private_key_pem_file — ECDSA or Ed25519 private key (SEC1/PKCS8)
- public_key_pem / public_key_pem_file — ECDSA or Ed25519 public key (PKIX); required for verification
- token — pre-obtained OIDC identity token for keyless signing
- trusted_root_json / trusted_root_json_file — offline trusted root for verification

Credential consumer identities (per ADR-0008):
- Signing: OIDCIdentityToken/v1alpha1 with name attribute
- Verification: PEM/v1alpha1 with name attribute
The verification path must not derive a public key from a private key. Public key material must be explicitly provided for verification.
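As an added Go example (not code from this issue or from the project's bindings/go/sigstore module), the following sketch shows how the credential resolution rules above can be enforced: private keys are accepted in SEC1 or PKCS#8 PEM, public keys only in PKIX PEM, the inline value takes precedence over the `_file` variant, and the verification path returns an error rather than deriving a public key when only private_key_pem is present. The Credentials map type, the function names, and the SampleCredentials generator (which fabricates throwaway keys for demonstration) are assumptions; the credential key names are the ones listed in the issue.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
)

// Credential keys named in the issue: an inline PEM value or a path to a PEM file.
const (
	KeyPrivateKeyPEM     = "private_key_pem"
	KeyPrivateKeyPEMFile = "private_key_pem_file"
	KeyPublicKeyPEM      = "public_key_pem"
	KeyPublicKeyPEMFile  = "public_key_pem_file"
)

// Credentials is a flat key/value set (assumed shape of one resolved credential entry).
type Credentials map[string]string

// ErrNoPublicKey is returned when verification is attempted without explicit public key material.
var ErrNoPublicKey = errors.New("verification requires public_key_pem or public_key_pem_file")

// resolve returns the inline value for key, else the contents of the file named by fileKey, else nil.
func resolve(c Credentials, key, fileKey string) ([]byte, error) {
	if v := c[key]; v != "" {
		return []byte(v), nil
	}
	if p := c[fileKey]; p != "" {
		return os.ReadFile(p)
	}
	return nil, nil
}

// ParsePrivateKey accepts SEC1 ("EC PRIVATE KEY") or PKCS#8 ("PRIVATE KEY") and
// returns an ECDSA or Ed25519 signer; any other key type is rejected.
func ParsePrivateKey(pemBytes []byte) (crypto.Signer, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block in private key material")
	}
	switch block.Type {
	case "EC PRIVATE KEY":
		k, err := x509.ParseECPrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		return k, nil
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		switch k := k.(type) {
		case *ecdsa.PrivateKey:
			return k, nil
		case ed25519.PrivateKey:
			return k, nil
		}
		return nil, fmt.Errorf("unsupported private key type %T", k)
	}
	return nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
}

// ParsePublicKey accepts a PKIX ("PUBLIC KEY") ECDSA or Ed25519 public key.
func ParsePublicKey(pemBytes []byte) (crypto.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("expected a PKIX PUBLIC KEY block")
	}
	k, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	switch k.(type) {
	case *ecdsa.PublicKey, ed25519.PublicKey:
		return k, nil
	}
	return nil, fmt.Errorf("unsupported public key type %T", k)
}

// SigningKey resolves the private key for key-based signing.
func SigningKey(c Credentials) (crypto.Signer, error) {
	b, err := resolve(c, KeyPrivateKeyPEM, KeyPrivateKeyPEMFile)
	if err != nil {
		return nil, err
	}
	if b == nil {
		return nil, errors.New("no private key material in credentials")
	}
	return ParsePrivateKey(b)
}

// VerificationKey resolves the public key for verification. It never consults
// private_key_pem: the public key must be supplied explicitly (ADR-0008 rule).
func VerificationKey(c Credentials) (crypto.PublicKey, error) {
	b, err := resolve(c, KeyPublicKeyPEM, KeyPublicKeyPEMFile)
	if err != nil {
		return nil, err
	}
	if b == nil {
		return nil, ErrNoPublicKey
	}
	return ParsePublicKey(b)
}

// Sign signs msg: SHA-256 digest with ASN.1-encoded ECDSA, or pure Ed25519 (no prehash).
func Sign(s crypto.Signer, msg []byte) ([]byte, error) {
	if _, ok := s.Public().(ed25519.PublicKey); ok {
		return s.Sign(rand.Reader, msg, crypto.Hash(0))
	}
	d := sha256.Sum256(msg)
	return s.Sign(rand.Reader, d[:], crypto.SHA256)
}

// Verify checks sig over msg with the algorithm matching the key type.
func Verify(pub crypto.PublicKey, msg, sig []byte) bool {
	switch k := pub.(type) {
	case *ecdsa.PublicKey:
		d := sha256.Sum256(msg)
		return ecdsa.VerifyASN1(k, d[:], sig)
	case ed25519.PublicKey:
		return ed25519.Verify(k, msg, sig)
	}
	return false
}

// SampleCredentials fabricates a throwaway key pair (constructed demo data, not a real
// credential): ECDSA on the given curve, or Ed25519 when curve is nil. withPublic controls
// whether public_key_pem is included alongside private_key_pem.
func SampleCredentials(curve elliptic.Curve, withPublic bool) (Credentials, error) {
	var priv crypto.Signer
	var err error
	if curve == nil {
		_, priv, err = ed25519.GenerateKey(rand.Reader)
	} else {
		priv, err = ecdsa.GenerateKey(curve, rand.Reader)
	}
	if err != nil {
		return nil, err
	}
	privDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	c := Credentials{KeyPrivateKeyPEM: string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privDER}))}
	if withPublic {
		pubDER, err := x509.MarshalPKIXPublicKey(priv.Public())
		if err != nil {
			return nil, err
		}
		c[KeyPublicKeyPEM] = string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER}))
	}
	return c, nil
}

func main() {
	// A credential set holding only a private key can sign but must not verify.
	c, err := SampleCredentials(elliptic.P256(), false)
	if err != nil {
		panic(err)
	}
	if _, err := VerificationKey(c); errors.Is(err, ErrNoPublicKey) {
		fmt.Println("verification refused:", err)
	}
}
```

The split into SigningKey and VerificationKey is deliberate: the verification resolver is written so it cannot reach the private key at all, which makes the "no derivation" rule a structural property rather than a check that a later refactor could drop.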
Done Criteria
- bindings/go/sigstore module available
- ComponentSignatureHandler interface