Package dev.sigstore
Class KeylessSigner
- java.lang.Object
  - dev.sigstore.KeylessSigner
- All Implemented Interfaces:
java.lang.AutoCloseable
public class KeylessSigner extends java.lang.Object implements java.lang.AutoCloseable

A full sigstore keyless signing flow.

Note: the implementation is thread-safe assuming the clients (Fulcio, OIDC, Rekor) are thread-safe.
-
Nested Class Summary
Nested Classes
Modifier and Type    Class                    Description
static class         KeylessSigner.Builder
-
Field Summary
Fields
Modifier and Type            Field                                       Description
static java.time.Duration    DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME    The instance of the KeylessSigner will try to reuse a previously acquired certificate if the expiration time on the certificate is more than minSigningCertificateLifetime away.
-
Method Summary
Modifier and Type                              Method                                                     Description
static KeylessSigner.Builder                   builder()
void                                           close()
Bundle                                         sign(byte[] artifactDigest)                                Convenience wrapper around sign(List) to sign a single digest
java.util.List<Bundle>                         sign(java.util.List<byte[]> artifactDigests)               Sign one or more artifact digests using the keyless signing workflow.
Bundle                                         signFile(java.nio.file.Path artifact)                      Convenience wrapper around sign(List) to accept a single file
Bundle                                         signFile2(java.nio.file.Path artifact)                     Deprecated.
java.util.Map<java.nio.file.Path,Bundle>       signFiles(java.util.List<java.nio.file.Path> artifacts)    Convenience wrapper around sign(List) to accept files instead of digests
-
Field Detail
-
DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME
public static final java.time.Duration DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME
The instance of the KeylessSigner will try to reuse a previously acquired certificate if the expiration time on the certificate is more than minSigningCertificateLifetime away. Otherwise, it will make a new request (OIDC, Fulcio) to obtain a new certificate to use for signing. This is the default value for the remaining lifetime of the signing certificate that is considered good enough.
-
Method Detail
-
close
public void close()
- Specified by:
close in interface java.lang.AutoCloseable
-
builder
@CheckReturnValue public static KeylessSigner.Builder builder()
-
sign
@CheckReturnValue public java.util.List<Bundle> sign(java.util.List<byte[]> artifactDigests) throws KeylessSignerException
Sign one or more artifact digests using the keyless signing workflow. The OIDC/Fulcio exchange that obtains a signing certificate is not repeated for every digest: one certificate, and the same ephemeral private key, are used for all artifacts in the batch for as long as the certificate remains usable. When the certificate's remaining lifetime falls below the configured minimum (see DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME), this method obtains a fresh OIDC token and a new Fulcio certificate before continuing, so a long batch may end up signed under more than one certificate.
- Parameters:
artifactDigests - SHA-256 digests of the artifacts to sign, as raw 32-byte digests rather than hex-encoded strings.
- Returns:
- a list of keyless signing results, one Bundle per digest, in the same order as the input.
- Throws:
KeylessSignerException
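A batch signing run built on this method, as an added example that is not part of sigstore-java's own code. It computes the raw SHA-256 digests itself, signs them all through one KeylessSigner (so the OIDC/Fulcio exchange happens once for the batch unless the certificate needs renewal), and writes one bundle per artifact. Assumptions not stated on this page: the Builder methods sigstorePublicDefaults() and minSigningCertificateLifetime(Duration), the import of Bundle from dev.sigstore.bundle, Bundle.toJson() for serialisation, and the <name>.sigstore.json output naming, which is our own convention.

```java
import dev.sigstore.KeylessSigner;
import dev.sigstore.KeylessSignerException;
import dev.sigstore.bundle.Bundle;   // assumed package for the Bundle type on this page

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.util.ArrayList;
import java.util.List;

/**
 * Signs a batch of artifacts with one KeylessSigner and writes a bundle file
 * beside each artifact. Example code, not part of sigstore-java.
 */
public final class BatchSign {

  /** Raw 32-byte SHA-256 digest: sign(List) takes digest bytes, not a hex string. */
  static byte[] sha256(byte[] data) throws NoSuchAlgorithmException {
    return MessageDigest.getInstance("SHA-256").digest(data);
  }

  /** Assumption: Bundle.toJson() serialises the bundle; the .sigstore.json suffix is our own convention. */
  static Path writeBundle(Path artifact, Bundle bundle) throws IOException {
    Path out = artifact.resolveSibling(artifact.getFileName() + ".sigstore.json");
    Files.writeString(out, bundle.toJson(), StandardCharsets.UTF_8);
    return out;
  }

  public static void main(String[] args) throws Exception {
    List<Path> artifacts = new ArrayList<>();
    for (String a : args) artifacts.add(Path.of(a));
    if (artifacts.isEmpty()) {
      System.err.println("usage: BatchSign <artifact>...");
      System.exit(2);
    }

    // Hash first, so every digest is ready before the signer touches the network;
    // the batch then needs at most one OIDC/Fulcio exchange unless the certificate
    // drops below the reuse threshold part-way through.
    List<byte[]> digests = new ArrayList<>(artifacts.size());
    for (Path p : artifacts) {
      digests.add(sha256(Files.readAllBytes(p)));
    }

    // Assumption: sigstorePublicDefaults() points the signer at the public Fulcio,
    // Rekor and OIDC endpoints, and minSigningCertificateLifetime(...) sets the reuse
    // threshold documented by DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME. The signer is
    // AutoCloseable, so try-with-resources releases it (and its ephemeral key) when done.
    try (KeylessSigner signer =
        KeylessSigner.builder()
            .sigstorePublicDefaults()
            .minSigningCertificateLifetime(Duration.ofMinutes(1))
            .build()) {

      // sign(List) returns exactly one Bundle per digest, in input order, or throws.
      List<Bundle> bundles = signer.sign(digests);
      if (bundles.size() != digests.size()) {
        throw new IllegalStateException("expected " + digests.size() + " bundles, got " + bundles.size());
      }
      for (int i = 0; i < artifacts.size(); i++) {
        Path out = writeBundle(artifacts.get(i), bundles.get(i));
        System.out.println(artifacts.get(i) + " -> " + out);
      }
    } catch (KeylessSignerException e) {
      // Any OIDC, Fulcio or Rekor failure surfaces here; because sign(List) throws as a
      // whole, nothing from this batch has been written yet.
      System.err.println("keyless signing failed: " + e.getMessage());
      System.exit(1);
    }
  }
}
```

Hashing before building the signer keeps disk and network work separate: if a file is unreadable you find out before an OIDC login is triggered, and the digests are all present when the single certificate is requested, which minimises the chance that a slow read pushes the batch across the renewal threshold.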
-
sign
@CheckReturnValue public Bundle sign(byte[] artifactDigest) throws KeylessSignerException
Convenience wrapper around sign(List) to sign a single digest.
- Parameters:
artifactDigest - raw SHA-256 digest of the artifact to sign.
- Returns:
- the keyless signing result for that digest.
- Throws:
KeylessSignerException
-
signFiles
@CheckReturnValue public java.util.Map<java.nio.file.Path,Bundle> signFiles(java.util.List<java.nio.file.Path> artifacts) throws KeylessSignerException
Convenience wrapper around sign(List) to accept files instead of digests; the files are hashed with SHA-256 on the caller's behalf.
- Parameters:
artifacts - list of the artifacts to sign.
- Returns:
- a map from each artifact path to its keyless signing result.
- Throws:
KeylessSignerException
-
signFile
@CheckReturnValue public Bundle signFile(java.nio.file.Path artifact) throws KeylessSignerException
Convenience wrapper around sign(List) to accept a single file.
- Parameters:
artifact - the artifact to sign
- Returns:
- a sigstore bundle
- Throws:
KeylessSignerException
-
signFile2
@Deprecated public Bundle signFile2(java.nio.file.Path artifact) throws KeylessSignerException
Deprecated. Compatibility alias for the convenience wrapper around sign(List) that accepts a single file; it will be removed before 1.0.0. Use signFile(Path) instead.
- Throws:
KeylessSignerException
-