A JavaScript library for generating and verifying Sigstore signatures. One of the intended uses is to sign and verify npm packages but it can be used to sign and verify any file.
Features
- Support for signing using an OpenID Connect identity
- Support for publishing signatures to a [Rekor][1] instance
- Support for verifying Sigstore bundles
Prerequisites
- Node.js version ^20.17.0 || >=22.9.0
Installation
```
npm install sigstore
```
Compatibility
The following table documents which combinations of Sigstore bundle versions and Rekor types can be verified by different versions of the sigstore library. It also lists which sigstore versions were shipped with different npm CLI versions.
```javascript
import { attest, sign, verify } from 'sigstore';
```
sign(payload, options)
Generates a Sigstore signature for the supplied payload. Returns a [Sigstore bundle][2] containing the signature and the verification material necessary to verify the signature.
- payload: The bytes of the artifact to be signed.
- options
attest(payload, payloadType, options)
Generates a Sigstore signature for the supplied in-toto statement. Returns a [Sigstore bundle][2] containing the [DSSE][3]-wrapped statement and signature as well as the verification material necessary to verify the signature.
- payload: The bytes of the statement to be signed.
- payloadType: MIME or content type describing the statement to be signed.
- options
verify(bundle, payload, options)
Verifies the signature in the supplied bundle. Returns a Signer object containing the public key and identity information from the verification.
- bundle: The Sigstore bundle containing the signature to be verified and the verification material necessary to verify the signature.
- payload: The bytes of the artifact over which the signature was created. Only necessary when the sign function was used to generate the signature, since the bundle does not contain any information about the artifact which was signed. Not required when the attest function was used to generate the bundle.
- options
Credential Sources
GitHub Actions
If sigstore-js detects that it is being executed on GitHub Actions, it will use the ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN environment variables to request an OIDC token with the correct scope.
Note: the id_token: write permission must be granted to the GitHub Action Job.
See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect for more details.
Environment Variable
If the SIGSTORE_ID_TOKEN environment variable is set, it will use this to authenticate to Fulcio. It is the caller's responsibility to make sure that this token has the correct scopes.
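The following is an added example, not code from the sigstore-js project: a token resolver that follows the two credential sources described above (GitHub Actions first, then SIGSTORE_ID_TOKEN) and inspects the token's audience and expiry before it is handed to Fulcio, so a mis-scoped token fails early with a clear error. The injected `fetchImpl`, the `checkIdToken` helper and the audience value `sigstore` (the audience Fulcio expects) are assumptions of this example.

```javascript
// Decode a JWT payload without verifying it. This is inspection only; Fulcio
// performs the real signature verification when the token is presented.
function decodeJwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact serialization');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Pre-flight check (helper assumed for this example): the token must carry
// the expected audience and must not be expired.
function checkIdToken(token, expectedAudience = 'sigstore', now = Date.now()) {
  const claims = decodeJwtClaims(token);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAudience)) {
    throw new Error(`token audience ${JSON.stringify(claims.aud)} is not ${expectedAudience}`);
  }
  if (typeof claims.exp === 'number' && claims.exp * 1000 <= now) {
    throw new Error('token has expired');
  }
  return claims;
}

// Resolve an OIDC token in the order the README describes. `env` and
// `fetchImpl` are injected so the logic can be exercised offline.
async function resolveIdToken(env, fetchImpl, expectedAudience = 'sigstore') {
  let token;
  if (env.ACTIONS_ID_TOKEN_REQUEST_URL && env.ACTIONS_ID_TOKEN_REQUEST_TOKEN) {
    // GitHub Actions: ask the runner's token endpoint for a token scoped to
    // our audience; the job needs the id-token: write permission for this.
    const url = new URL(env.ACTIONS_ID_TOKEN_REQUEST_URL);
    url.searchParams.set('audience', expectedAudience);
    const res = await fetchImpl(url.toString(), {
      headers: { Authorization: `Bearer ${env.ACTIONS_ID_TOKEN_REQUEST_TOKEN}` },
    });
    if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
    token = (await res.json()).value; // endpoint returns { "value": "<jwt>" }
  } else if (env.SIGSTORE_ID_TOKEN) {
    token = env.SIGSTORE_ID_TOKEN; // caller supplied; scopes are its responsibility
  } else {
    throw new Error('no OIDC credential source available');
  }
  checkIdToken(token, expectedAudience); // fail early on wrong audience or expiry
  return token;
}
```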