Resolving merge conflicts.

Signed-off-by: hayleycd <[email protected]>
sigstore · Nov 8, 2024 · 8b1ea18 · 8b1ea18
2 parents 97f80e2 + cb7a54b
commit 8b1ea18
Show file tree

Hide file tree

Showing 7 changed files with 416 additions and 5 deletions.
diff --git a/content/en/about/bundle.md b/content/en/about/bundle.md
diff --git a/content/en/cosign/system_config/custom_components.md b/content/en/cosign/system_config/custom_components.md
@@ -9,13 +9,15 @@ This page contains instructions on how to configure Cosign to work with alternat
 
 Verifying keyless signatures require verifying signatures from Rekor, material (SCTs) from the CT log, and certificates that chain up to Fulcio. The public keys and root certificates for these components are distributed through [TUF](https://theupdateframework.io/) repositories. By default, Cosign uses a TUF client that has an initial trust in an embedded root and then fetches updated verification material from our public-good-instance TUF repository created on the [root-signing](https://github.com/sigstore/root-signing) GitHub repository. 
 
-There are three options to configure Cosign to verify against custom components:
+There are several options to configure Cosign to verify against custom components:
 
 1. Use [scaffolding](https://github.com/sigstore/scaffolding) to create a custom Sigstore stack. This provides a TUF root distributing verification material for the custom components, and pre-configured Cosign with the trust root.
 
 2. Create a TUF repository yourself, using [go-tuf](https://github.com/theupdateframework/go-tuf) or [python-tuf](https://github.com/theupdateframework/python-tuf)'s repository writers. Instructions for how to configure this root is in this [blog post](https://blog.sigstore.dev/sigstore-bring-your-own-stuf-with-tuf-40febfd2badd). This [script](https://gist.github.com/asraa/947f1a38afd03af57c7b71d893c36af0) can be used to create a TUF repository from the custom Fulcio, Rekor, and CT log verification material.
 
-3. As a last resort, you may also use the following environment variables to configure custom keys out of band.
+3. TUF is recommended because it makes it easy to distribute up-to-date key material to clients. However, if you aren't using TUF, you can manually assemble trusted key material into a trusted root file with `cosign trusted-root create ...`. You can then supply that trusted root file to `cosign verify` commands with `--trusted-root`.
+
+4. As a last resort, you may also use the following environment variables to configure custom keys out of band.
 
 | Env Variable      | Description |
 | ---------- | ------------------- |

diff --git a/content/en/cosign/verifying/verify.md b/content/en/cosign/verifying/verify.md
@@ -248,6 +248,12 @@ You can override the public good instance CA using the environment variable `SIG
 export SIGSTORE_ROOT_FILE="/home/jdoe/myrootCA.pem"
 ```
 
+## New bundle format coming soon
+
+There's a new bundle format using [bundle protobuf-specs](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto) that has a number of advantages over the previous bundle format: it supports offline verification, and includes additional information (like signed timestamps and attestations) in a single file.
+
+You can take existing signed material and make a new protobuf bundle with `cosign bundle create ...`.
+
 ## Experimental Features
 
 ### Verify a signature was added to the transparency log

diff --git a/content/en/language_clients/go/_index.html b/content/en/language_clients/go/_index.html
@@ -0,0 +1,11 @@
+---
+type: docs
+title: "Go"
+description: "Go Language Client"
+lead: "Go Language Client"
+date: 2024-10-06T08:49:15+00:00
+lastmod: 2024-10-06T08:49:15+00:00
+draft: false
+images: []
+weight: 60
+---
diff --git a/content/en/language_clients/go/overview.md b/content/en/language_clients/go/overview.md
@@ -0,0 +1,75 @@
+---
+type: docs
+category: Go
+title: Go Client Overview
+weight: 5
+---
+
+[`sigstore-go`](https://pkg.go.dev/github.com/sigstore/sigstore-go) is the Go language client library for Sigstore.
+
+`sigstore-go` is intended as a minimal dependency library for signing and verifying. It's not intended to replace [cosign](../../cosign/signing/overview.md), which provides a CLI with many features for interacting with Sigstore. Over time, `cosign` will use `sigstore-go` for verification.
+
+- Friendly API for integrating Go code with Sigstore
+- Smaller dependency tree
+- Focuses on newly specified data structures in [sigstore/protobuf-specs](https://github.com/sigstore/protobuf-specs)
+- Perfect for simple signing and verififcation tasks
+
+`sigstore-go` is currently in beta.
+
+## Features
+
+- Signing and verification of [Sigstore bundles](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto)
+- Verification of raw Sigstore signatures
+- Signing and verifying with a Timestamp Authority (TSA)
+- Online and offline signing and verifying with Rekor (Artifact Transparency Log)
+- Structured verification results including certificate metadata
+- TUF support
+- Verification support for custom [trusted root](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_trustroot.proto)
+- Basic CLI
+
+## Installation
+
+### Main CLI installation
+
+`sigstore-go` requires Go 1.21 or greater. The package is tested with Go 1.23.
+
+To compile/install the CLI, clone [`sigstore-go`](https://github.com/sigstore/sigstore-go) and run.
+
+```console
+make install
+```
+
+Alternatively, you can use `go run cmd/sigstore-go/main.go` to access the CLI, as show in the [example](#cli-example).
+
+## Example
+
+### CLI example
+
+The following is an example of using the sigstore-go CLI to verify a signature.
+
+```console
+go run cmd/sigstore-go/main.go \
+  -artifact-digest 76176ffa33808b54602c7c35de5c6e9a4deb96066dba6533f50ac234f4f1f4c6b3527515dc17c06fbe2860030f410eee69ea20079bd3a2c6f3dcf3b329b10751 \
+  -artifact-digest-algorithm sha512 \
+  -expectedIssuer https://token.actions.githubusercontent.com \
+  -expectedSAN https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main \
+  examples/bundle-provenance.json
+Verification successful!
+{
+   "version": 20230823,
+   "statement": {
+      "_type": "https://in-toto.io/Statement/v0.1",
+      "predicateType": "https://slsa.dev/provenance/v0.2",
+      "subject": ...
+    },
+    ...
+}
+```
+
+### Additional examples
+
+Additional examples are available in the [project documentation](https://github.com/sigstore/sigstore-go#sigstore-go).
+
+- [Signing example](https://github.com/sigstore/sigstore-go/blob/main/docs/signing.md#examples)
+- [Verifying example](https://github.com/sigstore/sigstore-go/blob/main/docs/verification.md#verification-using-sigstore-go)
+- [OCI image verifying example](https://github.com/sigstore/sigstore-go/blob/main/docs/oci-image-verification.md#example-of-oci-image-verification-using-sigstore-go)
diff --git a/content/en/language_clients/language_client_overview.md b/content/en/language_clients/language_client_overview.md
@@ -9,7 +9,7 @@ Sigstore uses [cosign](../../cosign/signing/overview) to sign and verify package
 
 Sigstore has clients for the following language ecosystems:
 
-- [Go](https://github.com/sigstore/sigstore-go#sigstore-go)
+- [Go](../go/overview)
 - [Java](https://github.com/sigstore/sigstore-java#sigstore-java)
 - [JavaScript](../javascript/overview)
 - [Python](../python/overview)

diff --git a/content/en/language_clients/python/overview.md b/content/en/language_clients/python/overview.md
@@ -26,7 +26,7 @@ Full project documentation can be found in the [sigstore-python](https://github.
 python -m pip install sigstore
 ```
 
-Optionally, you can install `sigstore` and all its dependencies with [hash-checking mode](https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking-mode) enabled. Learn more about it in our [project documentation](https://github.com/sigstore/sigstore-python#installation)
+Optionally, you can install `sigstore` and all its dependencies with [hash-checking mode](https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking-mode) enabled. Learn more about it in the [project documentation](https://github.com/sigstore/sigstore-python#installation).
 
 ### GitHub Action Installation
 
@@ -48,14 +48,16 @@ jobs:
 
 ### Signing example
 
-For this example, we will sign a a file named `foo.txt`. [`sigstore`](https://pypi.org/project/sigstore/) will use OpenID Connect (OIDC) to veryify your email address.
+For this example, we will sign a a file named `foo.txt`. [`sigstore`](https://pypi.org/project/sigstore/) will use OpenID Connect (OIDC) to verify your email address.
 
 Use the following command to sign `foo.txt`:
 
 ```console
 sigstore sign foo.txt
 ```
 
+This will produce `foo.txt.sigstore.json` for subsequent verification.
+
 ### Verifying example
 
 To verify the signature on `foo.txt` run the following command: