Package dev.sigstore
Class KeylessSigner.Builder
java.lang.Object
dev.sigstore.KeylessSigner.Builder
- Enclosing class:
- KeylessSigner
Constructor Summary
- Builder()
Method Summary
- KeylessSigner.Builder allowedOidcIdentities(List<OidcTokenMatcher> oidcIdentities)
  An allow list of OIDC identities to be used during signing.
- KeylessSigner build()
- KeylessSigner.Builder enableRekorV2(boolean enableRekorV2)
- KeylessSigner.Builder forceCredentialProviders(OidcClients oidcClients)
  Override the default set of credential providers (ambient + signingConfig).
- KeylessSigner.Builder minSigningCertificateLifetime(Duration minSigningCertificateLifetime)
  The instance of the KeylessSigner will try to reuse a previously acquired certificate if the expiration time on the certificate is more than minSigningCertificateLifetime away.
- KeylessSigner.Builder oidcClients(OidcClients oidcClients)
  Deprecated, for removal: This API element is subject to removal in a future version.
- KeylessSigner.Builder signingAlgorithm(AlgorithmRegistry.SigningAlgorithm signingAlgorithm)
- KeylessSigner.Builder signingConfigProvider(SigningConfigProvider signingConfigProvider)
- KeylessSigner.Builder sigstorePublicDefaults()
  Initialize a builder with the sigstore public good instance tuf root and oidc targets with ecdsa signing.
- KeylessSigner.Builder sigstoreStagingDefaults()
  Initialize a builder with the sigstore staging instance tuf root and oidc targets with ecdsa signing.
- KeylessSigner.Builder trustedRootProvider(TrustedRootProvider trustedRootProvider)
Constructor Details
- Builder
  public Builder()
Method Details
- trustedRootProvider
  @CanIgnoreReturnValue public KeylessSigner.Builder trustedRootProvider(TrustedRootProvider trustedRootProvider)
- signingConfigProvider
  @CanIgnoreReturnValue public KeylessSigner.Builder signingConfigProvider(SigningConfigProvider signingConfigProvider)
- enableRekorV2
  enableRekorV2(boolean enableRekorV2)
- oidcClients
  oidcClients(OidcClients oidcClients)
  Deprecated, for removal: This API element is subject to removal in a future version. Deprecated, use forceCredentialProviders(dev.sigstore.oidc.client.OidcClients). sigstore-gradle requires a one version deprecation window, so keep this in here until we've done another release.
- forceCredentialProviders
  @CanIgnoreReturnValue public KeylessSigner.Builder forceCredentialProviders(OidcClients oidcClients)
  Override the default set of credential providers (ambient + signingConfig). It should be very unusual for anyone to override this outside of testing scenarios.
- allowedOidcIdentities
  @CanIgnoreReturnValue public KeylessSigner.Builder allowedOidcIdentities(List<OidcTokenMatcher> oidcIdentities)
  An allow list of OIDC identities to be used during signing. If the OidcClients are misconfigured or pick up unexpected credentials, this should prevent signing from proceeding. Cannot be null, but may be an empty list, in which case all identities are allowed.
- signingAlgorithm
  @CanIgnoreReturnValue public KeylessSigner.Builder signingAlgorithm(AlgorithmRegistry.SigningAlgorithm signingAlgorithm)
- minSigningCertificateLifetime
  @CanIgnoreReturnValue public KeylessSigner.Builder minSigningCertificateLifetime(Duration minSigningCertificateLifetime)
  The instance of the KeylessSigner will try to reuse a previously acquired certificate if the expiration time on the certificate is more than minSigningCertificateLifetime away. Otherwise, it will make a new request (OIDC, Fulcio) to obtain a new certificate to use for signing. The default minSigningCertificateLifetime is KeylessSigner.DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME.
  - Parameters:
    minSigningCertificateLifetime - the minimum lifetime of the signing certificate before renewal
  - Returns:
    this builder
  - See Also:
- build
  @CheckReturnValue public KeylessSigner build() throws CertificateException, IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, InvalidAlgorithmParameterException, SigstoreConfigurationException
- sigstorePublicDefaults
  Initialize a builder with the sigstore public good instance tuf root and oidc targets with ecdsa signing.
- sigstoreStagingDefaults
  Initialize a builder with the sigstore staging instance tuf root and oidc targets with ecdsa signing.
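As an added example (not code from this page or the sigstore-java project), the builder configured so that signing only proceeds for one pinned CI identity, with a guard for the empty-list case that allowedOidcIdentities treats as "allow everything". It assumes OidcTokenMatcher.of(String san, String issuer) is the exact-match factory, that KeylessSigner.builder() returns this Builder, and that signFile(Path) returns a dev.sigstore.bundle.Bundle with toJson(); the identity strings are constructed placeholders.

```java
import dev.sigstore.KeylessSigner;
import dev.sigstore.bundle.Bundle;
import dev.sigstore.oidc.client.OidcTokenMatcher;
import java.nio.file.Path;
import java.time.Duration;
import java.util.List;

public final class PinnedIdentitySigner {

  // Build a KeylessSigner against the public good instance that refuses to sign
  // unless the OIDC token presented by the credential providers matches an
  // entry in the allow list.
  static KeylessSigner newSigner(List<OidcTokenMatcher> allowed) throws Exception {
    if (allowed == null || allowed.isEmpty()) {
      // allowedOidcIdentities() accepts an empty list and then allows every
      // identity; refuse that here so a misconfigured caller cannot silently
      // widen the signing policy.
      throw new IllegalArgumentException("OIDC identity allow list must not be empty");
    }
    return KeylessSigner.builder()
        .sigstorePublicDefaults()
        .allowedOidcIdentities(allowed)
        // Reuse a Fulcio certificate only while it has at least 5 minutes left;
        // otherwise a fresh OIDC + Fulcio round trip is made before signing.
        .minSigningCertificateLifetime(Duration.ofMinutes(5))
        .build();
  }

  public static void main(String[] args) throws Exception {
    // Constructed example: a single GitHub Actions workflow identity (SAN) and
    // its issuer. Assumption: OidcTokenMatcher.of(san, issuer) matches exactly.
    List<OidcTokenMatcher> allowed =
        List.of(
            OidcTokenMatcher.of(
                "https://github.com/example-org/example-repo/.github/workflows/release.yml@refs/heads/main",
                "https://token.actions.githubusercontent.com"));

    KeylessSigner signer = newSigner(allowed);
    // Signing fails before any certificate is issued if the ambient token
    // belongs to a different identity than the one pinned above.
    Bundle bundle = signer.signFile(Path.of(args[0]));
    System.out.println(bundle.toJson());
  }
}
```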