Sigstore 0.5.0

dotnet add package Sigstore --version 0.5.0

NuGet\Install-Package Sigstore -Version 0.5.0
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.

<PackageReference Include="Sigstore" Version="0.5.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.

For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.
Directory.Packages.props:
<PackageVersion Include="Sigstore" Version="0.5.0" />
Project file:
<PackageReference Include="Sigstore" />

paket add Sigstore --version 0.5.0

#r "nuget: Sigstore, 0.5.0"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.

#:package Sigstore@0.5.0
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.

#addin nuget:?package=Sigstore&version=0.5.0
Install as a Cake Addin

#tool nuget:?package=Sigstore&version=0.5.0
Install as a Cake Tool

Sigstore

A .NET library for generating and verifying Sigstore signatures.

Overview

Sigstore is a pure .NET implementation of the Sigstore Client Specification. It supports keyless signing and verification using the Sigstore public good instance (Fulcio, Rekor, RFC 3161 TSA) — no external tools required.

Features

  • Keyless signing — ephemeral ECDSA P-256 keys tied to OIDC identities
  • Bundle verification — full Sigstore bundle verification (v0.1, v0.2, v0.3)
  • Certificate validation — hybrid time model per RFC 5280
  • Transparency log — Merkle inclusion proof and checkpoint verification
  • RFC 3161 timestamps — timestamp authority integration
  • DSSE attestations — in-toto statement signing and verification
  • DI-friendly — constructor injection with sensible defaults
  • AOT-compatible — fully trimmer and NativeAOT safe
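
What the inclusion-proof half of the "Transparency log" feature has to establish, as an added example that is not the Sigstore package's own code: a standalone RFC 6962-style Merkle inclusion check. The names MerkleInclusion, LeafHash, NodeHash and Verify and the three-entry sample log are constructed for illustration; checkpoint signature verification is not covered.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Constructed three-entry log: root = Node(Node(a, b), c).
byte[] a = MerkleInclusion.LeafHash(Encoding.UTF8.GetBytes("entry-a"));
byte[] b = MerkleInclusion.LeafHash(Encoding.UTF8.GetBytes("entry-b"));
byte[] c = MerkleInclusion.LeafHash(Encoding.UTF8.GetBytes("entry-c"));
byte[] root = MerkleInclusion.NodeHash(MerkleInclusion.NodeHash(a, b), c);

// Entry 0 is proven by its sibling b, then the right subtree c.
Console.WriteLine(MerkleInclusion.Verify(0, 3, a, new[] { b, c }, root));
// Entry 2 is proven by the hash of the left subtree alone.
Console.WriteLine(MerkleInclusion.Verify(2, 3, c, new[] { MerkleInclusion.NodeHash(a, b) }, root));
// A different entry presented with entry 0's proof must be rejected.
byte[] forged = MerkleInclusion.LeafHash(Encoding.UTF8.GetBytes("entry-x"));
Console.WriteLine(MerkleInclusion.Verify(0, 3, forged, new[] { b, c }, root));

static class MerkleInclusion
{
    // Domain separation: 0x00 prefixes leaf data, 0x01 prefixes interior nodes.
    public static byte[] LeafHash(byte[] entry) =>
        SHA256.HashData(new byte[] { 0x00 }.Concat(entry).ToArray());
    public static byte[] NodeHash(byte[] left, byte[] right) =>
        SHA256.HashData(new byte[] { 0x01 }.Concat(left).Concat(right).ToArray());

    public static bool Verify(long leafIndex, long treeSize, byte[] leafHash,
                              IReadOnlyList<byte[]> path, byte[] expectedRoot)
    {
        if (leafIndex < 0 || leafIndex >= treeSize) return false;
        long fn = leafIndex, sn = treeSize - 1;
        byte[] r = leafHash;
        foreach (byte[] p in path)
        {
            if (sn == 0) return false;            // more hashes than the tree has levels
            if ((fn & 1) == 1 || fn == sn)
            {
                r = NodeHash(p, r);               // sibling hash p sits on the left
                while ((fn & 1) == 0 && fn != 0) { fn >>= 1; sn >>= 1; }
            }
            else r = NodeHash(r, p);              // sibling hash p sits on the right
            fn >>= 1; sn >>= 1;
        }
        // The proof must consume every level and reproduce the root exactly.
        return sn == 0 && CryptographicOperations.FixedTimeEquals(r, expectedRoot);
    }
}
```

The index and tree-size checks matter as much as the hash comparison: a path that is too long, too short, or claimed for an index outside the tree is rejected before the root is compared.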

Quick Start

Verification

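using Sigstore;

// trustRootProvider, artifactStream and bundle are supplied by the caller.
var verifier = new SigstoreVerifier(trustRootProvider);

// Pin the expected signer identity: GitHub Actions for the given owner and repository.
var policy = new VerificationPolicy
{
    CertificateIdentity = CertificateIdentity.ForGitHubActions(
        owner: "owner",
        repository: "repo")
};

// Verify the artifact stream against the bundle under that policy.
var result = await verifier.VerifyStreamAsync(artifactStream, bundle, policy);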

Signing

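// fulcioClient, rekorClient, tsaClient and oidcProvider are supplied by the caller (for example via DI).
var signer = new SigstoreSigner(fulcioClient, rekorClient, tsaClient, oidcProvider);

// Sign the artifact stream and serialize the resulting bundle to JSON.
SigstoreBundle bundle = await signer.SignAsync(artifactStream);
string json = bundle.Serialize();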

Bundle I/O

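// json holds a previously serialized bundle.
SigstoreBundle bundle = SigstoreBundle.Deserialize(json);
// Serialize back to JSON (a separate variable, since json is already in scope).
string roundTripped = bundle.Serialize();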

Documentation

📖 Full documentation

License

MIT — see LICENSE.

Compatible and additional computed target framework versions

.NET: net10.0 is compatible. net10.0-android, net10.0-browser, net10.0-ios, net10.0-maccatalyst, net10.0-macos, net10.0-tvos and net10.0-windows were computed.

NuGet packages (1)

Showing the top 1 NuGet packages that depend on Sigstore:

Package Downloads
ActionsToolkit.Attest

This is an unofficial .NET SDK for GitHub Actions workflows (based on @actions/attest).

GitHub repositories (1)

Showing the top 1 popular GitHub repositories that depend on Sigstore:

Repository Stars
microsoft/aspire
Aspire is the tool for code-first, extensible, observable dev and deploy.
Version Downloads Last Updated
0.5.0 1,152 3/20/2026
0.4.0 107 3/11/2026
0.3.0 103 3/3/2026
0.2.0 136 3/3/2026