sigstore-go verification and signing now in beta
Recent sigstore-go releases include signing support, as well as moving both the verification and signing APIs from unstable to beta.
sigstore-go is used in several open source projects like the SLSA verifier, the GitHub CLI, and Stacklok Minder.
Cosign and sigstore-go are similar in that they are both written in Go, but the main differences are that sigstore-go is not a full-fledged CLI, and that it supports the protobuf bundle format. We’re hopeful that cosign will use sigstore-go in the near future to add protobuf bundle support. If you use cosign’s API to sign things (other than containers), try sigstore-go as a lighter-weight and more user-friendly alternative.
Give it a try and let us know your feedback! There may be minor interface changes between now and the upcoming v1.0.0 release.