Package dev.sigstore

Class KeylessSigner

java.lang.Object

dev.sigstore.KeylessSigner

All Implemented Interfaces:

AutoCloseable

public class KeylessSigner
extends Object
implements AutoCloseable

A full sigstore keyless signing flow.

Note: the implementation is thread-safe assuming the clients (Fulcio, OIDC, Rekor) are thread-safe

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	KeylessSigner.Builder

Field Summary

Fields

Modifier and Type	Field	Description
static final String	DEFAULT_INTOTO_PAYLOAD_TYPE
static final Duration	DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME	The instance of the KeylessSigner will try to reuse a previously acquired certificate if the expiration time on the certificate is more than minSigningCertificateLifetime time away.

Method Summary

Modifier and Type	Method	Description
Bundle	attest(String payload)
static KeylessSigner.Builder	builder()
void	close()
Bundle	sign(byte[] artifactDigest)	Convenience wrapper around sign(List) to sign a single digest
List<Bundle>	sign(List<byte[]> artifactDigests)	Sign one or more artifact digests using the keyless signing workflow.
Bundle	signFile(Path artifact)	Convenience wrapper around sign(List) to accept a single file
Map<Path,Bundle>	signFiles(List<Path> artifacts)	Convenience wrapper around sign(List) to accept files instead of digests

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME

public static final Duration DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME

The instance of the KeylessSigner will try to reuse a previously acquired certificate if the expiration time on the certificate is more than minSigningCertificateLifetime time away. Otherwise, it will make a new request (OIDC, Fulcio) to obtain a new updated certificate to use for signing. This is a default value for the remaining lifetime of the signing certificate that is considered good enough.

DEFAULT_INTOTO_PAYLOAD_TYPE

public static final String DEFAULT_INTOTO_PAYLOAD_TYPE

See Also:

• Constant Field Values

Method Details

close

public void close()

Specified by:

close in interface AutoCloseable

builder

@CheckReturnValue
public static KeylessSigner.Builder builder()

sign

@CheckReturnValue
public List<Bundle> sign(List<byte[]> artifactDigests)
                  throws KeylessSignerException

Sign one or more artifact digests using the keyless signing workflow. The oidc/fulcio dance to obtain a signing certificate will only occur once. The same ephemeral private key will be used to sign all artifacts. This method will renew certificates as they expire.

Parameters:

artifactDigests - sha256 digests of the artifacts to sign.

Returns:

a list of keyless singing results.

Throws:

KeylessSignerException

sign

@CheckReturnValue
public Bundle sign(byte[] artifactDigest)
            throws KeylessSignerException

Convenience wrapper around sign(List) to sign a single digest

Parameters:

artifactDigest - sha256 digest of the artifacts to sign.

Returns:

a keyless singing results.

Throws:

KeylessSignerException

signFiles

@CheckReturnValue
public Map<Path,Bundle> signFiles(List<Path> artifacts)
                           throws KeylessSignerException

Convenience wrapper around sign(List) to accept files instead of digests

Parameters:

artifacts - list of the artifacts to sign.

Returns:

a map of artifacts and their keyless singing results.

Throws:

KeylessSignerException

signFile

@CheckReturnValue
public Bundle signFile(Path artifact)
                throws KeylessSignerException

Convenience wrapper around sign(List) to accept a single file

Parameters:

artifact - the artifacts to sign

Returns:

a sigstore bundle

Throws:

KeylessSignerException

attest

public Bundle attest(String payload)
              throws KeylessSignerException

Throws:

KeylessSignerException