diff --git a/examples/README.md b/examples/README.md
new file mode 100644
index 0000000..bf5ac34
--- /dev/null
+++ b/examples/README.md
@@ -0,0 +1,9 @@
+# sigstore-go examples
+
+These examples show how to use the library. They are not intended to be fully-
+supported CLI tools, so stability is not guaranteed.
+
+- [sigstore-go-signing](./sigstore-go-signing): a CLI for signing artifacts
+- [sigstore-go-verification](./sigstore-go-verification/README.md): a CLI for verifying Sigstore bundles
+- [custom-certificate-validator](./custom-certificate-validator/README.md): a custom certificate validator
+- [oci-image-verification](./oci-image-verification): a CLI for verifying OCI images
diff --git a/examples/sigstore-go-verification/README.md b/examples/sigstore-go-verification/README.md
new file mode 100644
index 0000000..a74455d
--- /dev/null
+++ b/examples/sigstore-go-verification/README.md
@@ -0,0 +1,25 @@
+# sigstore-go-verification
+
+This is a CLI for verifying Sigstore bundles. View the help text with `-h` or `--help` for all the options.
+
+```shell
+$ go run . \
+ -artifact-digest 76176ffa33808b54602c7c35de5c6e9a4deb96066dba6533f50ac234f4f1f4c6b3527515dc17c06fbe2860030f410eee69ea20079bd3a2c6f3dcf3b329b10751 \
+ -artifact-digest-algorithm sha512 \
+ -expectedIssuer https://token.actions.githubusercontent.com \
+ -expectedSAN https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main \
+ ../bundle-provenance.json
+Verification successful!
+{
+ "version": 20230823,
+ "statement": {
+ "_type": "https://in-toto.io/Statement/v0.1",
+ "predicateType": "https://slsa.dev/provenance/v0.2",
+ "subject": ...
+ },
+ ...
+}
+```
+
+You can also specify a TUF root with something like `-tufRootURL tuf-repo-cdn.sigstore.dev`.
+
diff --git a/examples/sigstore-go-verification/main.go b/examples/sigstore-go-verification/main.go
index d6cb42a..ef965ab 100644
--- a/examples/sigstore-go-verification/main.go
+++ b/examples/sigstore-go-verification/main.go
@@ -66,7 +66,7 @@ func init() {
 requireTlog = flag.Bool("requireTlog", true, "Require Artifact Transparency log entry (Rekor)")
 minBundleVersion = flag.String("minBundleVersion", "", "Minimum acceptable bundle version (e.g. '0.1')")
 trustedPublicKey = flag.String("publicKey", "", "Path to trusted public key")
- trustedrootJSONpath = flag.String("trustedrootJSONpath", "examples/trusted-root-public-good.json", "Path to trustedroot JSON file")
+ trustedrootJSONpath = flag.String("trustedrootJSONpath", "../trusted-root-public-good.json", "Path to trustedroot JSON file")
 tufRootURL = flag.String("tufRootURL", "", "URL of TUF root containing trusted root JSON file")
 tufTrustedRoot = flag.String("tufTrustedRoot", "", "Path to the trusted TUF root.json to bootstrap trust in the remote TUF repository")
 flag.Parse()
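Review bot: The new default `../trusted-root-public-good.json` is resolved against the process working directory, not the example's source directory, so which trust anchor the tool loads depends on where it is invoked from; the README in this commit only works because `go run .` is executed inside `examples/sigstore-go-verification`. Since this file defines which keys and certificates are trusted, silently picking up a different `trusted-root-public-good.json` from some other parent directory (or failing to find one) is a worse failure than a visibly wrong flag. The help text should at least state the assumption, e.g. `"Path to trustedroot JSON file (default is relative to the example directory; run with 'go run .' from there)"`, or the default could be resolved relative to the source directory instead. The enclosing `init()` starts before this hunk and the code that opens the path is outside it, so the behaviour on a missing or wrong file is inferred rather than visible here.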