### Execute Setup Script and Verify Service Source: https://github.com/sigstore/gitsign/blob/main/cmd/gitsign-credential-cache/README.md These commands demonstrate how to make the setup script executable, run it to install the gitsign credential cache service, and then check if the service is running using launchctl. ```shell chmod +x /tmp/gitsign-credential-cache.sh echo "Running the script to create the launchctl service..." /tmp/gitsign-credential-cache.sh ``` ```shell $ launchctl list | grep -i "my.gitsign" 2398 0 my.gitsign-credential-cache ``` -------------------------------- ### Enable and start gitsign-credential-cache socket service Source: https://github.com/sigstore/gitsign/blob/main/cmd/gitsign-credential-cache/README.md Enables the gitsign-credential-cache socket service to start on boot and starts it immediately. ```sh systemctl --user enable --now gitsign-credential-cache.socket ``` -------------------------------- ### Install Gitsign with Go Source: https://github.com/sigstore/gitsign/blob/main/README.md Install Gitsign using the Go toolchain. This command fetches the latest version. ```sh go install github.com/sigstore/gitsign@latest ``` -------------------------------- ### Install Gitsign with Homebrew Source: https://github.com/sigstore/gitsign/blob/main/README.md Use this command to install Gitsign if you are using Homebrew for package management. ```sh brew install gitsign ``` -------------------------------- ### Install systemd user units for all users Source: https://github.com/sigstore/gitsign/blob/main/cmd/gitsign-credential-cache/README.md Installs the gitsign-credential-cache socket and service units into the system-wide systemd configuration directory and reloads the systemd daemon. ```sh sudo install -m 0660 -D -t /etc/systemd/user/ ./contrib/gitsign-credential-cache.{socket,service} sudo systemctl daemon-reload ``` -------------------------------- ### Start gitsign-credential-cache and set environment variable Source: https://github.com/sigstore/gitsign/blob/main/cmd/gitsign-credential-cache/README.md This snippet shows how to start the credential cache in the background and export the necessary environment variable for Gitsign to use the cache. ```sh $ gitsign-credential-cache & $ export GITSIGN_CREDENTIAL_CACHE="$HOME/.cache/sigstore/gitsign/cache.sock" $ git commit ... ``` -------------------------------- ### Install systemd user units for gitsign-credential-cache Source: https://github.com/sigstore/gitsign/blob/main/cmd/gitsign-credential-cache/README.md Installs the gitsign-credential-cache socket and service units into the user's systemd configuration directory and reloads the systemd daemon. ```sh install -m 0660 -D -t $HOME/.config/systemd/user/ ./contrib/gitsign-credential-cache.{socket,service} systemctl --user daemon-reload ``` -------------------------------- ### Example Git Commit Message Source: https://github.com/sigstore/gitsign/blob/main/CONTRIBUTORS.md Follow this format for well-formed commit messages to aid reviewers and the release process. The first line is a concise summary, followed by a blank line, and then a more detailed explanation. ```git Summarize changes in around 50 characters or less More detailed explanatory text, if necessary. Wrap it to about 72 characters or so. In some contexts, the first line is treated as the subject of the commit and the rest of the text as the body. The blank line separating the summary from the body is critical (unless you omit the body entirely); various tools like `log`, `shortlog` and `rebase` can get confused if you run the two together. Explain the problem that this commit is solving. Focus on why you are making this change as opposed to how (the code explains that). Are there side effects or other unintuitive consequences of this change? Here's the place to explain them. Further paragraphs come after blank lines. - Bullet points are okay, too - Typically a hyphen or asterisk is used for the bullet, preceded by a single space, with blank lines in between, but conventions vary here If you use an issue tracker, put references to them at the bottom, like this: Resolves: #123 See also: #456, #789 ``` -------------------------------- ### Configure Timestamp URL Source: https://github.com/sigstore/gitsign/blob/main/docs/timestamp.md Set the local Git configuration to use a specific TSA for timestamping during commits. This is a one-time setup. ```shell $ git config --local gitsign.timestampURL http://timestamp.digicert.com $ git commit ``` -------------------------------- ### gitsign version Command Usage Source: https://github.com/sigstore/gitsign/blob/main/docs/cli/gitsign_version.md This snippet shows the basic command structure for retrieving the gitsign version. Use this command to check the installed version of gitsign. ```bash gitsign version [flags] ``` -------------------------------- ### Initialize Sigstore Root with Custom Mirror and Output Source: https://github.com/sigstore/gitsign/blob/main/docs/cli/gitsign_initialize.md Initializes the Sigstore root specifying a custom mirror URL and an output file path for the root configuration. ```bash gitsign initialize -mirror -out ``` -------------------------------- ### Initialize Sigstore Root with Out-of-Band Root Key and Custom Mirror Source: https://github.com/sigstore/gitsign/blob/main/docs/cli/gitsign_initialize.md Initializes the Sigstore root with both an out-of-band root key file and a custom repository mirror URL. ```bash gitsign initialize -mirror -root ``` -------------------------------- ### Initialize Sigstore Root with Out-of-Band Root Key Source: https://github.com/sigstore/gitsign/blob/main/docs/cli/gitsign_initialize.md Initializes the Sigstore root using an out-of-band root key file, while still utilizing the default repository mirror. ```bash gitsign initialize -root ``` -------------------------------- ### Bundle Signing Steps Source: https://github.com/sigstore/gitsign/blob/main/docs/bundle-cms.md Illustrates the sequence of operations for producing a signature bundle and converting it to a CMS object. ```go BuildSignedAttributes(body) -> (SignedAttrs, marshaled-for-signing) sign.Bundle(PlainData{marshaled}, ...) -> bundle (signature + cert + tlog) BundleToSignedData(body, SignedAttrs, b) -> cms.SignedData (stored as the signature) ``` -------------------------------- ### Sign and Verify Data with CMS Source: https://github.com/sigstore/gitsign/blob/main/internal/fork/ietf-cms/README.md Demonstrates how to sign a message using a certificate and key, and then verify the signature. The signed data includes the original message. ```go msg := []byte("some data") cert, _ := x509.ParseCertificate(someCertificateData) key, _ := x509.ParseECPrivateKey(somePrivateKeyData) der, _ := cms.Sign(msg, []*x509.Certificate{cert}, key) //// /// At another time, in another place... // sd, _ := ParseSignedData(der) if err, _ := sd.Verify(x509.VerifyOptions{}); err != nil { panic(err) } ``` -------------------------------- ### Initialize Sigstore Root Source: https://github.com/sigstore/gitsign/blob/main/docs/cli/gitsign_initialize.md Initializes the Sigstore root using default settings, including the embedded trusted TUF root and the default Sigstore remote TUF repository mirror. ```bash gitsign initialize ``` -------------------------------- ### Enable Sigstore-Go Path Source: https://github.com/sigstore/gitsign/blob/main/docs/bundle-cms.md Configuration commands to enable the experimental sigstore-go signing path. This requires offline Rekor mode. ```sh git config gitsign.enableSigstoreGo true # or: GITSIGN_ENABLE_SIGSTORE_GO=true ``` -------------------------------- ### Display Gitsign Version and Configuration Source: https://github.com/sigstore/gitsign/blob/main/README.md Run `gitsign --version` to display the current version and the parsed configuration details. This is useful for validating unexpected configuration values. ```sh $ gitsign --version gitsign version v0.5.2 parsed config: { "Fulcio": "https://fulcio.sigstore.dev", "FulcioRoot": "", "Rekor": "https://rekor.sigstore.dev", "ClientID": "sigstore", "RedirectURL": "", "Issuer": "https://oauth2.sigstore.dev/auth", "ConnectorID": "", "TimestampURL": "", "TimestampCert": "", "LogPath": "" } ``` -------------------------------- ### Sign and Verify Detached Data with CMS Source: https://github.com/sigstore/gitsign/blob/main/internal/fork/ietf-cms/README.md Demonstrates how to create and verify detached signatures using the CMS package. A detached signature does not include the original message in the signed data. ```go msg := []byte("some data") cert, _ := x509.ParseCertificate(someCertificateData) key, _ := x509.ParseECPrivateKey(somePrivateKeyData) der, _ := cms.SignDetached(msg, cert, key) //// /// At another time, in another place... // sd, _ := ParseSignedData(der) if err, _ := sd.VerifyDetached(msg, x509.VerifyOptions{}); err != nil { panic(err) } ``` -------------------------------- ### Sample Encoded TransparencyLogEntry Source: https://github.com/sigstore/gitsign/blob/main/docs/verification.md This is a sample of a Protobuf encoded Rekor TransparencyLogEntry. It includes various attributes related to the signed commit or tag, such as object identifiers, checksums, and timestamps. This format is used to ensure transparency and verifiability of the signature. ```text unauth_attr: object: Rekor TransparencyLogEntry proto (1.3.6.1.4.1.57264.3.1) value.set: OCTET STRING: 0000 - 08 af d5 d6 08 12 22 0a-20 c0 d2 3d 6a ......". ..=j 000d - d4 06 97 3f 95 59 f3 ba-2d 1c a0 1f 84 ...?.Y..-.... 001a - 14 7d 8f fc 5b 84 45 c2-24 f9 8b 95 91 .}..[.E.$.... 0027 - 80 1d 1a 15 0a 0c 68 61-73 68 65 64 72 ......hashedr 0034 - 65 6b 6f 72 64 12 05 30-2e 30 2e 31 20 ekord..0.0.1 0041 - a1 fc f5 a1 06 2a 49 0a-47 30 45 02 21 .....*I.G0E.! 004e - 00 fd ab 1a 0d 0b 39 fe-d5 0f f2 4d 87 ......9....M. 005b - 40 06 bd 2d 84 e8 ca d8-a2 39 99 e5 d9 @..-.....9... 0068 - 8a 3e b2 48 04 44 67 02-20 15 a5 02 7a .>.H.Dg. ...z 0075 - 61 0b d1 58 46 81 b1 ff-53 e8 46 be b3 a..XF...S.F.. 0082 - 70 9b f1 55 07 0c e8 32-bb 61 4e aa ce p..U...2.aN.. 008f - 61 16 32 81 05 08 c8 c6-d8 06 12 20 3f a.2........ ? 009c - 5f bc 03 da 94 4e 17 05-44 a8 c2 1b e9 _....N..D.... 00a9 - a7 6c 84 7d 39 66 4b 07-2f c2 7b 49 3d .l.}9fK./.{I= 00b6 - 2b da 9a 84 30 18 c9 c6-d8 06 22 20 34 +...0....." 4 00c3 - 8d 79 2a f5 5b 0d e8 8f-6e 6b 3f 39 8e .y*.[...nk?9. 00d0 - 43 02 2a d3 b3 c3 6b d5-d1 c6 84 cd 7f C.*...k...... 00dd - 08 24 2f a6 6e 22 20 64-47 c9 39 2b 77 .$/.n" dG.9+w 00ea - ba 3b b5 36 7f bd ea 8f-36 ef 32 33 14 .;.6....6.23. 00f7 - 2a e2 ec 2d 57 51 a6 4b-8f 00 59 d2 5e *..-WQ.K..Y.^ 0104 - 22 20 c0 d8 57 e5 d0 82-b2 b8 cf 26 b0 " ..W......&. 0111 - 58 e3 85 e5 71 ba 34 ab-5c 1b 49 5a 5e X...q.4.\.IZ^ 011e - c4 20 7b 7a 47 d6 02 0b-22 20 21 52 30 . {zG..." !R0 012b - e1 48 37 62 5c 39 56 bc-78 a6 84 d5 c3 .H7b\9V.x.... 0138 - df 3d ea e4 75 80 07 a3-25 b9 c9 42 e6 .=..u...%..B. 0145 - 34 8e 49 22 20 4a 88 54-e3 e8 ed dd f0 4.I" J.T..... 0152 - 4b f4 e2 95 55 da a8 44-be 87 85 e6 d9 K...U..D..... 015f - 57 52 8f 97 b3 3a d3 d7-96 32 f9 22 20 WR...:...2." 016c - 35 b2 b6 5b 9f 02 a8 bc-7d d2 f8 64 30 5..[....}..d0 0179 - d5 04 b1 c4 bb 2e 0c c8-bd 00 18 52 bb ...........R. 0186 - 40 ad 84 6c 2d 68 22 20-4c 82 cf f1 63 @..l-h" L...c 0193 - 90 df b5 b4 3a 8b 0f bf-04 43 3e 52 0e ....:....C>R. 01a0 - ef f6 d0 0e d3 c0 01 31-b1 8f 1b 68 82 .......1...h. 01ad - 74 22 20 ec 4c 65 15 56-3a 67 6a 41 1e t" .Le.V:gjA. 01ba - 44 ad 06 b2 df 2d ff da-2c 03 77 87 ee D....-.., .w.. 01c7 - ba 00 c9 5b c3 b5 34 59-55 22 20 d6 30 ...[..4YU" .0 01d4 - 92 c2 27 78 05 dc b4 cb-36 1b ea 6e 09 ..'x....6..n. 01e1 - ac 7e d9 e9 e9 19 27 24-b8 f5 1e 57 e5 .~....'$...W. 01ee - 4b df 35 31 22 20 9e 04-00 66 df e5 f0 K.51" ...f... 01fb - 20 04 65 83 86 ac 66 cf-0b b6 ff e8 57 .e...f.....W 0208 - ed 71 cb 33 7c 7f 55 45-ec f4 55 8b 2a .q.3|.UE..U.* 0215 - fe 01 0a fb 01 72 65 6b-6f 72 2e 73 69 .....rekor.si 0222 - 67 73 74 6f 72 65 2e 64-65 76 20 2d 20 gstore.dev - 022f - 32 36 30 35 37 33 36 36-37 30 39 37 32 2605736670972 023c - 37 39 34 37 34 36 0a 31-34 30 33 33 37 794746.140337 0249 - 33 37 0a 50 31 2b 38 41-39 71 55 54 68 37.P1+8A9qUTh 0256 - 63 46 52 4b 6a 43 47 2b-6d 6e 62 49 52 cFRKjCG+mnbIR 0263 - 39 4f 57 5a 4c 42 79 2f-43 65 30 6b 39 9OWZLBy/Ce0k9 0270 - 4b 39 71 61 68 44 41 3d-0a 54 69 6d 65 K9qahDA=.Time 027d - 73 74 61 6d 70 3a 20 31-36 38 31 37 35 stamp: 168175 028a - 31 35 38 35 32 37 34 35-37 36 37 30 31 1585274576701 0297 - 0a 0a e2 80 94 20 72 65-6b 6f 72 2e 73 ..... rekor.s 02a4 - 69 67 73 74 6f 72 65 2e-64 65 76 20 77 igstore.dev w 02b1 - 4e 49 39 61 6a 42 45 41-69 42 31 56 4a NI9ajBEAiB1VJ 02be - 48 46 6e 34 47 4e 63 32-65 38 65 42 78 HFn4GNc2e8eBx 02cb - 48 6f 4b 41 6c 56 6f 77-44 77 4a 51 72 HoKAlVowDwJQr 02d8 - 34 32 53 50 56 37 64 2f-6e 72 73 47 34 42SPV7d/nrsG4 02e5 - 77 49 67 4c 49 73 36 77-2b 59 75 39 42 wIgLIs6w+Yu9B 02f2 - 2f 35 2b 73 6b 6e 72 51-65 36 58 33 72 /5+sknrQe6X3r 02ff - 68 6e 6b 41 65 6a 6d 76-55 6d 4d 5a 5a hnkAejmvUmMZZ ``` -------------------------------- ### View Tree Attestations Source: https://github.com/sigstore/gitsign/blob/main/internal/commands/attest/README.md After adding tree attestations, you can check out the `refs/attestations/trees` reference to view the stored attestations. ```sh $ git checkout refs/attestations/trees $ tree . . ├── 853a6ca8dd0e1fb84d67c397f6d8daac5926176c │ ├── test.json │ └── test.json.sig ``` -------------------------------- ### View Commit Attestations Source: https://github.com/sigstore/gitsign/blob/main/internal/commands/attest/README.md After adding commit attestations, you can check out the `refs/attestations/commits` reference to view the stored attestations. ```sh $ git checkout refs/attestations/commits $ tree . . └── f44de7aee552f119f94d70137b3bebb93f6bca5d ├── sbom.spdx ├── sbom.spdx.sig ├── test.json └── test.json.sig ``` -------------------------------- ### gitsign show Command Options Source: https://github.com/sigstore/gitsign/blob/main/docs/cli/gitsign_show.md Available options for the gitsign show command, including help and specifying a Git remote. ```bash -h, --help help for show -r, --remote string git remote (used to populate subject) (default "origin") ``` -------------------------------- ### Inspect Certificate Details with OpenSSL Source: https://github.com/sigstore/gitsign/blob/main/docs/verification.md This command decodes the base64 encoded certificate and then uses `openssl x509 -text` to display the certificate's details, including issuer, validity period, subject public key info, and extensions. ```sh $ echo $cert | base64 --decode | openssl x509 -text ``` -------------------------------- ### Gitsign CLI Usage Source: https://github.com/sigstore/gitsign/blob/main/docs/cli/gitsign.md Basic usage of the gitsign command. This is the entry point for all gitsign operations. ```bash gitsign [flags] ``` -------------------------------- ### Create Launchd Plist for Gitsign Credential Cache Source: https://github.com/sigstore/gitsign/blob/main/cmd/gitsign-credential-cache/README.md This script generates a .plist file required for the launchd service on macOS. It configures the service to run at load, specifies program arguments, and sets standard output and error paths. ```shell cat << EOF > "${plist_path}" KeepAlive Label my.gitsign-credential-cache ProgramArguments /opt/homebrew/bin/gitsign-credential-cache RunAtLoad StandardErrorPath /opt/homebrew/var/log/gitsign-credential-cache.log StandardOutPath /opt/homebrew/var/log/gitsign-credential-cache.log EOF ``` -------------------------------- ### Configure Git for GitHub Actions Committer Verification Source: https://github.com/sigstore/gitsign/blob/main/docs/committer-verification.md Configure the Git user name to match the expected SAN URI in the Fulcio certificate for automated users. Also, set a placeholder user email for GitHub UI recognition. ```sh # This configures the SAN URI for the expected identity in the Fulcio cert. $ git config user.name "https://myorg/myrepo/path/to/workflow" # This configures GitHub UI to recognize the commit as coming from a GitHub Action. $ git config user.email 1234567890+github-actions@users.noreply.github.com ``` -------------------------------- ### Parse CMS Signature and Convert to Sigstore Bundle Source: https://github.com/sigstore/gitsign/blob/main/docs/bundle-cms.md This snippet demonstrates the process of parsing a PEM-encoded CMS signature and projecting its signer information onto a Sigstore bundle and artifact. The artifact is the marshaled SignedAttrs, which must be passed to verifiers as it contains the message digest. ```go ParseSignaturePEM(sig) -> cms.SignedData SignerInfoToBundle(sd, signer) -> { Bundle, Artifact } ``` -------------------------------- ### macOS launchctl script for gitsign-credential-cache Source: https://github.com/sigstore/gitsign/blob/main/cmd/gitsign-credential-cache/README.md This bash script sets up and checks for necessary Gitsign commands and directories before creating a launchctl plist file for running gitsign-credential-cache as a macOS service. ```bash #!/bin/bash set -euo pipefail if ! command -v gitsign &> /dev/null; then echo "gitsign command not found. Please install it before running this script: https://docs.sigstore.dev/signing/gitsign/" exit 1 fi if ! command -v gitsign-credential-cache &> /dev/null; then echo "gitsign-credential-cache command not found. Please install it before running this script: 'go install github.com/sigstore/gitsign/cmd/gitsign-credential-cache@latest'" exit 1 fi launch_agents_dir="${HOME}/Library/LaunchAgents" plist_name="my.gitsign-credential-cache.plist" plist_path="${launch_agents_dir}/${plist_name}" gitsign_cache_dir="${HOME}/Library/Caches/sigstore/gitsign" gitsign_cache_path="${gitsign_cache_dir}/cache.sock" if [ -f "${plist_path}" ]; then echo "The plist file ${plist_path} already exists. Please remove it or use a different name." exit 1 fi if [ -f "${gitsign_cache_path}" ]; then echo "The gitsign cache path ${gitsign_cache_path} already exists. Please remove it or use a different name." exit 1 fi mkdir -pv "${launch_agents_dir}" ``` -------------------------------- ### Set Fulcio Server Locally Source: https://github.com/sigstore/gitsign/blob/main/README.md Configure the Fulcio server address for a specific repository using git config. ```sh $ git config --local gitsign.fulcio https://fulcio.example.com ``` -------------------------------- ### Configure Gitsign for All Repositories Source: https://github.com/sigstore/gitsign/blob/main/README.md Configure Gitsign globally to automatically sign commits and tags for all repositories. This requires an internet connection. ```sh git config --global gpg.x509.program gitsign # Use gitsign for signing git config --global gpg.format x509 # gitsign expects x509 args # Warning: Setting this will make git commit/tag reliant on internet. # Alternatively, don't use these settings and add the -S flag instead. git config --global commit.gpgsign true # Sign all commits git config --global tag.gpgsign true # Sign all tags ``` -------------------------------- ### gitsign version Help Flag Source: https://github.com/sigstore/gitsign/blob/main/docs/cli/gitsign_version.md This snippet displays the help flag available for the gitsign version command. It shows how to access help information for this specific command. ```bash -h, --help help for version ``` -------------------------------- ### Sample PKCS7 Signed Data Structure Source: https://github.com/sigstore/gitsign/blob/main/docs/timestamp.md A detailed breakdown of a PKCS7 signed data structure, including certificate information, issuer, validity, subject, and various extensions. This is provided for reference and understanding the components of a signature. ```text PKCS7: type: pkcs7-signedData (1.2.840.113549.1.7.2) d.sign: version: 1 md_algs: algorithm: sha256 (2.16.840.1.101.3.4.2.1) parameter: contents: type: pkcs7-data (1.2.840.113549.1.7.1) d.data: cert: cert_info: version: 2 serialNumber: 0x0DF7625EECD9A10EB6290E515E1931EAE3AD770C signature: algorithm: ecdsa-with-SHA384 (1.2.840.10045.4.3.3) parameter: issuer: O=sigstore.dev, CN=sigstore-intermediate validity: notBefore: Nov 28 18:34:56 2022 GMT notAfter: Nov 28 18:44:56 2022 GMT subject: key: algor: algorithm: id-ecPublicKey (1.2.840.10045.2.1) parameter: OBJECT:prime256v1 (1.2.840.10045.3.1.7) public_key: (0 unused bits) 0000 - 04 c3 23 27 2b 1d 8d 28-ef b5 2b 43 7d fa ..#'+..(..+C}. 000e - 2d 3e cc 4d a4 9b ee 29-cf 68 3e 20 e1 ce ->.M...).h> .. 001c - a5 c8 f4 89 53 57 aa 63-8f 09 da a6 60 88 ....SW.c....`. 002a - 8e 1b 55 33 77 a7 aa 1b-0f a7 92 73 5c 80 ..U3w......s\. 0038 - c3 f8 b7 f2 d9 0b 1a 68-bd .......h. issuerUID: subjectUID: extensions: object: X509v3 Key Usage (2.5.29.15) critical: TRUE value: 0000 - 03 02 07 80 .... object: X509v3 Extended Key Usage (2.5.29.37) critical: BOOL ABSENT value: 0000 - 30 0a 06 08 2b 06 01 05-05 07 03 03 0...+....... object: X509v3 Subject Key Identifier (2.5.29.14) critical: BOOL ABSENT value: 0000 - 04 14 9c 25 58 18 16 a0-ae 74 77 51 93 ...%X....twQ. 000d - fb 6e 63 55 cf 00 a9 24-7f .ncU...$. object: X509v3 Authority Key Identifier (2.5.29.35) critical: BOOL ABSENT value: 0000 - 30 16 80 14 df d3 e9 cf-56 24 11 96 f9 0.......V$... 000d - a8 d8 e9 28 55 a2 c6 2e-18 64 3f ...(U....d? object: X509v3 Subject Alternative Name (2.5.29.17) critical: TRUE value: 0000 - 30 16 81 14 62 69 6c 6c-79 40 63 68 61 0...billy@cha 000d - 69 6e 67 75 61 72 64 2e-64 65 76 inguard.dev object: undefined (1.3.6.1.4.1.57264.1.1) critical: BOOL ABSENT value: 0000 - 68 74 74 70 73 3a 2f 2f-61 63 63 6f 75 https://accou 000d - 6e 74 73 2e 67 6f 6f 67-6c 65 2e 63 6f nts.google.co 001a - 6d m object: undefined (1.3.6.1.4.1.11129.2.4.2) critical: BOOL ABSENT value: 0000 - 04 7a 00 78 00 76 00 dd-3d 30 6a c6 c7 .z.x.v..=0j.. 000d - 11 32 63 19 1e 1c 99 67-37 02 a2 4a 5e .2c....g7..J^ 001a - b8 de 3c ad ff 87 8a 72-80 2f 29 ee 8e ..<....r./).. 0027 - 00 00 01 84 bf 85 54 75-00 00 04 03 00 ......Tu..... 0034 - 47 30 45 02 21 00 ca ea-6a 46 60 ff 87 G0E.!...jF`.. 0041 - 36 2a ec 6c 8d 81 ae 61-a4 83 78 96 59 6*.l...a..x.Y 004e - b0 57 e3 27 b4 35 8d 49-dd 53 9f 52 02 .W.'.5.I.S.R. 005b - 20 67 8c b5 4a 35 2c 67-d3 1d db ba 42 g..J5,g....B 0068 - 09 0d a8 24 e4 65 c1 68-f9 6f 74 25 d9 ...$.e.h.ot%. 0075 - 6b 3b eb a3 c2 fe e6 k;..... sig_alg: algorithm: ecdsa-with-SHA384 (1.2.840.10045.4.3.3) parameter: signature: (0 unused bits) 0000 - 30 66 02 31 00 99 63 90-80 70 11 6a 56 26 57 0f.1..c..p.jV&W 000f - 27 3b d8 6b 62 ce 64 88-68 fb 00 01 72 11 f6 ';.kb.d.h...r.. 001e - 33 eb f6 28 c5 b8 5c 15-6e 9e 4a 47 84 d4 24 3..(.. .J G..$ 002d - f4 ad fe e5 36 d4 fa 30-02 31 00 d2 81 e0 5b ....6..0.1....[ 003c - 00 bb c3 8b 0a 3f e2 df-01 47 1c 1a 69 4a 70 .....?...G..iJp ``` -------------------------------- ### Sign a Git Tag with Gitsign Source: https://github.com/sigstore/gitsign/blob/main/README.md Use this command to sign a Git tag. Your browser will open for authentication. ```sh $ git tag v0.0.1 Your browser will now be opened to: https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&... ``` -------------------------------- ### gitsign verify Options Source: https://github.com/sigstore/gitsign/blob/main/docs/cli/gitsign_verify.md These flags allow for detailed configuration of the verification process, including specifying expected certificate identities, OIDC issuers, and handling of Signed Certificate Timestamps (SCTs). ```bash --certificate-github-workflow-name string contains the workflow claim from the GitHub OIDC Identity token that contains the name of the executed workflow. --certificate-github-workflow-ref string contains the ref claim from the GitHub OIDC Identity token that contains the git ref that the workflow run was based upon. --certificate-github-workflow-repository string contains the repository claim from the GitHub OIDC Identity token that contains the repository that the workflow run was based upon --certificate-github-workflow-sha string contains the sha claim from the GitHub OIDC Identity token that contains the commit SHA that the workflow run was based upon. --certificate-github-workflow-trigger string contains the event_name claim from the GitHub OIDC Identity token that contains the name of the event that triggered the workflow run --certificate-identity string The identity expected in a valid Fulcio certificate. Valid values include email address, DNS names, IP addresses, and URIs. Either --certificate-identity or --certificate-identity-regexp must be set for keyless flows. --certificate-identity-regexp string A regular expression alternative to --certificate-identity. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --certificate-identity or --certificate-identity-regexp must be set for keyless flows. --certificate-oidc-issuer string The OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows. --certificate-oidc-issuer-regexp string A regular expression alternative to --certificate-oidc-issuer. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows. -h, --help help for verify --insecure-ignore-sct when set, verification will not check that a certificate contains an embedded SCT, a proof of inclusion in a certificate transparency log --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs. ``` -------------------------------- ### Gitsign CLI Options Source: https://github.com/sigstore/gitsign/blob/main/docs/cli/gitsign.md Lists the available flags for the gitsign command, controlling aspects like output format, signature type, and user identification. ```bash gitsign [flags] ### Options ``` -a, --armor create ascii armored output -b, --detach-sign make a detached signature -h, --help help for gitsign --include-certs int -3 is the same as -2, but omits issuer when cert has Authority Information Access extension. -2 includes all certs except root. -1 includes all certs. 0 includes no certs. 1 includes leaf cert. >1 includes n from the leaf. Default -2. (default -2) -u, --local-user string use USER-ID to sign -s, --sign make a signature --status-fd int write special status strings to the file descriptor n. (default -1) -v, --verify verify a signature --version print Gitsign version ``` ``` -------------------------------- ### gitsign attest command Source: https://github.com/sigstore/gitsign/blob/main/docs/cli/gitsign_attest.md The basic command structure for attesting Git objects. Use flags to specify the attestation filepath and object type. ```bash gitsign attest [flags] ``` -------------------------------- ### Add Timestamps to CMS Signatures Source: https://github.com/sigstore/gitsign/blob/main/internal/fork/ietf-cms/README.md Shows how to add RFC3161 timestamps to CMS signatures to prove the existence of the signature at a specific time. Verification functions implicitly verify these timestamps. ```go signedData, _ := NewSignedData([]byte("Hello, world!")) signedData.Sign(identity.Chain(), identity.PrivateKey) signedData.AddTimestamps("http://timestamp.digicert.com") derEncoded, _ := signedData.ToDER() io.Copy(os.Stdout, bytes.NewReader(derEncoded)) ``` -------------------------------- ### gitsign show Command Usage Source: https://github.com/sigstore/gitsign/blob/main/docs/cli/gitsign_show.md Basic usage of the gitsign show command. Specify a revision to show its predicate information, or omit it to use HEAD. ```bash gitsign show [revision] [flags] ``` -------------------------------- ### Add Commit Attestation Source: https://github.com/sigstore/gitsign/blob/main/internal/commands/attest/README.md Signs and attaches an attestation file to the latest commit. Data is stored in `refs/attestations/commits`. ```sh $ gitsign-attest -f test.json $ gitsign-attest -f spdx.sbom --type spdx ``` -------------------------------- ### Add Tree Attestation Source: https://github.com/sigstore/gitsign/blob/main/internal/commands/attest/README.md Signs and attaches an attestation file to the latest commit's tree. Data is stored in `refs/attestations/trees`. ```sh $ gitsign-attest -f test.json --objtype tree ``` -------------------------------- ### Tail Gitsign Credential Cache Logs Source: https://github.com/sigstore/gitsign/blob/main/cmd/gitsign-credential-cache/README.md This command shows how to monitor the log file for the gitsign credential cache service in real-time, which is useful for debugging and observing its activity. ```shell tail -f /opt/homebrew/var/log/gitsign-credential-cache.log ``` -------------------------------- ### Verify Blob Signature with Cosign Source: https://github.com/sigstore/gitsign/blob/main/docs/verification.md This command uses `cosign verify-blob` to verify the signature against the commit content, using the extracted certificate and signature. It decodes the base64 encoded certificate and signature before verification. ```sh $ cosign verify-blob --cert <(echo $cert | base64 --decode) --signature <(echo $sig | base64 --decode) <(git rev-parse HEAD | tr -d '\n') ``` -------------------------------- ### Sign a Git Commit with Gitsign Source: https://github.com/sigstore/gitsign/blob/main/README.md Use this command to sign an empty commit. Your browser will open for authentication. ```sh $ git commit --allow-empty --message="Signed commit" Your browser will now be opened to: https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&... [main 040b9af] Signed commit ``` -------------------------------- ### Configure Shell Environment for Gitsign Source: https://github.com/sigstore/gitsign/blob/main/cmd/gitsign-credential-cache/README.md This script snippet checks for .zshrc or .bashrc and appends the GITSIGN_CREDENTIAL_CACHE environment variable export line if it doesn't already exist. This ensures the cache path is available in new shell sessions. ```shell if [ ! -d "${gitsign_cache_dir}" ]; then echo "The gitsign cache directory ${gitsign_cache_dir} does not exist. Creating it now." mkdir -pv "${gitsign_cache_dir}" fi export GITSIGN_CREDENTIAL_CACHE="${gitsign_cache_path}" if [ -f "${HOME}/.zshrc" ]; then shell_config_file="${HOME}/.zshrc" elif [ -f "${HOME}/.bashrc" ]; then shell_config_file="${HOME}/.bashrc" else echo "No .bashrc or .zshrc found in your home directory." exit 1 fi export_line="export GITSIGN_CREDENTIAL_CACHE=\"${gitsign_cache_path}\"" if ! grep -qF -- "${export_line}" "${shell_config_file}"; then echo "${export_line}" >> "${shell_config_file}" echo "Added GITSIGN_CREDENTIAL_CACHE to ${shell_config_file}. Please restart your shell to apply the changes: 'source ${shell_config_file}'" else echo "GITSIGN_CREDENTIAL_CACHE already exists in ${shell_config_file}!" fi ``` -------------------------------- ### gitsign verify Command Synopsis Source: https://github.com/sigstore/gitsign/blob/main/docs/cli/gitsign_verify.md This is the basic command structure for verifying a commit. If no specific commit is provided, it defaults to verifying the HEAD commit. ```bash gitsign verify [commit] [flags] ``` -------------------------------- ### gitsign verify-tag Command Synopsis Source: https://github.com/sigstore/gitsign/blob/main/docs/cli/gitsign_verify-tag.md This is the basic command structure for verifying a Git tag using gitsign. It requires the tag name as an argument and accepts various flags for detailed verification. ```bash gitsign verify-tag [flags] ``` -------------------------------- ### Configure Gitsign for a Single Repository Source: https://github.com/sigstore/gitsign/blob/main/README.md Configure Gitsign for a specific repository to automatically sign commits and tags. This requires an internet connection. ```sh cd /path/to/my/repository git config --local gpg.x509.program gitsign # Use gitsign for signing git config --local gpg.format x509 # gitsign expects x509 args # Warning: Setting this will make git commit/tag reliant on internet. # Alternatively, don't use these settings and add the -S flag instead. git config --local commit.gpgsign true # Sign all commits git config --local tag.gpgsign true # Sign all tags ``` -------------------------------- ### Search Rekor for Commit SHA Source: https://github.com/sigstore/gitsign/blob/main/docs/verification.md This command searches the Rekor transparency log for an entry matching the provided commit SHA. It outputs the UUID of the matching log entry. ```sh $ uuid=$(rekor-cli search --artifact <(git rev-parse HEAD | tr -d '\n') | tail -n 1) $ rekor-cli get --uuid=$uuid --format=json | jq . ``` -------------------------------- ### Inspect Git Commit Signature with OpenSSL Source: https://github.com/sigstore/gitsign/blob/main/README.md This command extracts the CMS/PKCS7 signature from a Git commit and uses OpenSSL to print its details, including certificates and signature algorithms. It's useful for verifying the integrity and details of a commit's signature. ```sh $ git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text ``` -------------------------------- ### Configure TSA Certificate Source: https://github.com/sigstore/gitsign/blob/main/docs/timestamp.md Set the local Git configuration to use a specific PEM-encoded TSA certificate chain for verification. This is useful when your system's default certificate pool is insufficient. ```sh $ git config --local gitsign.timestampCert tsa.pem ``` -------------------------------- ### Squashing Commits with Git Rebase Source: https://github.com/sigstore/gitsign/blob/main/CONTRIBUTORS.md Use this command to interactively rebase and squash multiple commits into one. This is useful for cleaning up a pull request before merging. ```git git rebase -i HEAD~3 ``` -------------------------------- ### Extract Signature and Certificate from Rekor Entry Source: https://github.com/sigstore/gitsign/blob/main/docs/verification.md These commands extract the signature content and public key (certificate) from a Rekor log entry using `jq`. The extracted values are stored in shell variables for further use. ```sh $ sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.HashedRekordObj.signature.content) $ cert=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.HashedRekordObj.signature.publicKey.content) ``` -------------------------------- ### Configure SSH RemoteForward for gitsign credential cache Source: https://github.com/sigstore/gitsign/blob/main/cmd/gitsign-credential-cache/README.md This configuration snippet for ~/.ssh/config sets up automatic remote forwarding for the gitsign credential cache socket when connecting to a specific host. ```sh Host amazon RemoteForward /home/wlynch/.cache/sigstore/cache.sock /Users/wlynch/Library/Caches/sigstore/gitsign/cache.sock ```