Package dev.sigstore

Class KeylessSigner

java.lang.Object

dev.sigstore.KeylessSigner

All Implemented Interfaces:

AutoCloseable

public class KeylessSigner
extends Object
implements AutoCloseable

A full sigstore keyless signing flow.

Note: the implementation is thread-safe assuming the clients (Fulcio, OIDC, Rekor) are thread-safe

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	KeylessSigner.Builder

Field Summary

Fields

Modifier and Type	Field	Description
static final Duration	DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME	The instance of the KeylessSigner will try to reuse a previously acquired certificate if the expiration time on the certificate is more than minSigningCertificateLifetime time away.

Method Summary

Modifier and Type	Method	Description
static KeylessSigner.Builder	builder()
void	close()
Bundle	sign(byte[] artifactDigest)	Convenience wrapper around sign(List) to sign a single digest
List<Bundle>	sign(List<byte[]> artifactDigests)	Sign one or more artifact digests using the keyless signing workflow.
Bundle	signFile(Path artifact)	Convenience wrapper around sign(List) to accept a single file
Map<Path,Bundle>	signFiles(List<Path> artifacts)	Convenience wrapper around sign(List) to accept files instead of digests

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME

public static final Duration DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME

The instance of the KeylessSigner will try to reuse a previously acquired certificate if the expiration time on the certificate is more than minSigningCertificateLifetime time away. Otherwise, it will make a new request (OIDC, Fulcio) to obtain a new updated certificate to use for signing. This is a default value for the remaining lifetime of the signing certificate that is considered good enough.

Method Details

close

public void close()

Specified by:

close in interface AutoCloseable

builder

@CheckReturnValue
public static KeylessSigner.Builder builder()

sign

@CheckReturnValue
public List<Bundle> sign(List<byte[]> artifactDigests)
                  throws KeylessSignerException

Sign one or more artifact digests using the keyless signing workflow. The oidc/fulcio dance to obtain a signing certificate will only occur once. The same ephemeral private key will be used to sign all artifacts. This method will renew certificates as they expire.

Parameters:

artifactDigests - sha256 digests of the artifacts to sign.

Returns:

a list of keyless singing results.

Throws:

KeylessSignerException

sign

@CheckReturnValue
public Bundle sign(byte[] artifactDigest)
            throws KeylessSignerException

Convenience wrapper around sign(List) to sign a single digest

Parameters:

artifactDigest - sha256 digest of the artifacts to sign.

Returns:

a keyless singing results.

Throws:

KeylessSignerException

signFiles

@CheckReturnValue
public Map<Path,Bundle> signFiles(List<Path> artifacts)
                           throws KeylessSignerException

Convenience wrapper around sign(List) to accept files instead of digests

Parameters:

artifacts - list of the artifacts to sign.

Returns:

a map of artifacts and their keyless singing results.

Throws:

KeylessSignerException

signFile

@CheckReturnValue
public Bundle signFile(Path artifact)
                throws KeylessSignerException

Convenience wrapper around sign(List) to accept a single file

Parameters:

artifact - the artifacts to sign

Returns:

a sigstore bundle

Throws:

KeylessSignerException