This is a pure Ruby implementation of the sigstore verify
command from the sigstore/cosign project. It is intended to be used as a library in other Ruby projects, in additional to a gem
subcommand. The project also contains a TUF client implementation, given TUF is a part of the sigstore verification flow.
$ gem sigstore_cosign_verify_bundle --bundle a.txt.sigstore \
--certificate-identity https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
a.txt
After checking out the repo, run bin/setup
to install dependencies. Then, run rake test-unit
to run the tests. You can also run bin/console
for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bundle exec rake install
. To release a new version, update the version number in version.rb
, and then run bundle exec rake release
, which will create a git tag for the version, push git commits and the created tag, and push the .gem
file to rubygems.org.
Bug reports and pull requests are welcome on GitHub at https://github.com/sigstore/sigstore-ruby.
The gem is available as open source under the terms of the Apache 2.