sigstore-go verification and signing now in beta


Recent sigstore-go releases include signing support, as well as moving both the verification and signing APIs from unstable to beta.

sigstore-go is used in several open source projects like the SLSA verifier, the GitHub CLI, and Stacklok Minder.

Cosign and sigstore-go are similar in that they are both written in Go, but the main differences are that sigstore-go is not a full-fledged CLI, and that it supports the protobuf bundle format. We’re hopeful that cosign will use sigstore-go in the near future to add protobuf bundle support. If you use cosign’s API to sign things (other than containers), try sigstore-go as a lighter-weight and more user-friendly alternative.

Give it a try and let us know your feedback! There may be minor interface changes between now and the upcoming v1.0.0 release.