A client library for Witness, written in Go.
This library is currently pre-1.0 and therefore the API may be subject to breaking changes.
- Creation and signing of in-toto attestations
- Verification of in-toto attestations and associated signatures with:
  - Witness policy engine
  - OPA Rego policy language
- A growing list of attestor types defined under a common interface
- A selection of attestation sources to search for attestation collections
- Resilient Fulcio signer with automatic retry logic and improved error handling for GitHub Actions environments
For more detail regarding the library itself, we recommend viewing pkg.go.dev. For the documentation of the witness project, please view the main witness repository.
In order to effectively contribute to this library, you will need:
- A Unix-compatible Operating System
- GNU Make
- Go 1.19
The Fulcio signer provides certificate-based signing using the Sigstore Fulcio certificate authority. It includes enhanced reliability features for CI/CD environments:
- GitHub Actions OIDC Token Fetching: Automatic retry with exponential backoff (up to 3 attempts) for transient network issues
- Fulcio Certificate Creation: Resilient certificate requests with exponential backoff for service unavailability
- Smart Error Handling: Non-retryable errors (authentication, authorization) are detected and fail fast
- Comprehensive validation of OIDC tokens and certificate responses
- Detailed error messages with context for troubleshooting
- Detection and handling of common failure scenarios (HTML responses, empty responses, invalid tokens)
- Hash algorithm used by the Fulcio signer updated from SHA-256 to SHA-384
- Validation of certificate chains to ensure all required certificates are present
- Enhanced logging for certificate processing steps while protecting sensitive information
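The retry and validation behaviour listed above, as an added Go example that is not the library's own code: `classifyStatus` decides which HTTP statuses fail fast (401/403 and other unexpected codes) and which are retried (429, 5xx); `retryWithBackoff` makes up to 3 attempts with doubling delays; `validateTokenResponse` rejects empty bodies, HTML pages, malformed JWTs and expired tokens before the value is handed on. All function names, the simulated endpoint and the constructed, unsigned token are assumptions for illustration; the code does not verify the token signature and does not call GitHub or Fulcio.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// errPermanent marks failures retrying cannot fix (bad credentials, missing permissions,
// malformed token); wrap it with %w so errors.Is can detect it.
var errPermanent = errors.New("permanent failure")

// classifyStatus: 429 and 5xx are transient (rate limit, overloaded service) and worth
// retrying; 401/403, and anything else unexpected, fail fast.
func classifyStatus(status int) error {
	switch {
	case status >= 200 && status < 300:
		return nil
	case status == 429 || status >= 500:
		return fmt.Errorf("status %d: transient server error", status)
	default:
		return fmt.Errorf("%w: status %d", errPermanent, status)
	}
}

// retryWithBackoff calls op up to maxAttempts times, sleeping base, 2*base, 4*base, ...
// between attempts. It returns the attempts made and stops early on errPermanent.
func retryWithBackoff(maxAttempts int, base time.Duration, op func() error) (int, error) {
	for attempt := 1; ; attempt++ {
		err := op()
		if err == nil {
			return attempt, nil
		}
		if errors.Is(err, errPermanent) || attempt == maxAttempts {
			return attempt, fmt.Errorf("stopping after attempt %d: %w", attempt, err)
		}
		time.Sleep(base * time.Duration(1<<uint(attempt-1)))
	}
}

// validateTokenResponse checks a token endpoint's body before trusting it as a JWT:
// non-empty, not an HTML error/login page, three base64url segments, a JSON payload and
// an unexpired exp claim. Signature verification is left to the consumer (Fulcio).
func validateTokenResponse(body string, now time.Time) (map[string]any, error) {
	body = strings.TrimSpace(body)
	if body == "" {
		return nil, fmt.Errorf("%w: empty token response", errPermanent)
	}
	if strings.HasPrefix(body, "<") { // HTML (or XML) can never be a base64url token
		return nil, fmt.Errorf("%w: endpoint returned markup instead of a token", errPermanent)
	}
	parts := strings.Split(body, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("%w: token has %d segments, want 3", errPermanent, len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("%w: token payload is not base64url: %v", errPermanent, err)
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("%w: token payload is not JSON: %v", errPermanent, err)
	}
	if exp, ok := claims["exp"].(float64); !ok || int64(exp) <= now.Unix() {
		return nil, fmt.Errorf("%w: token has no exp claim or is expired", errPermanent)
	}
	return claims, nil
}

// fetchToken composes the pieces: retry transient failures, fail fast on permanent ones
// and validate whatever finally comes back. fetch stands in for the real HTTP call.
func fetchToken(fetch func() (int, string)) (map[string]any, int, error) {
	var claims map[string]any
	attempts, err := retryWithBackoff(3, 10*time.Millisecond, func() error {
		status, body := fetch()
		if err := classifyStatus(status); err != nil {
			return err
		}
		c, err := validateTokenResponse(body, time.Now())
		claims = c
		return err
	})
	return claims, attempts, err
}

// fakeToken builds a JWT-shaped string from a JSON payload; the header and signature
// segments are placeholders because only the structure is checked in this example.
func fakeToken(payload string) string {
	return "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9." + base64.RawURLEncoding.EncodeToString([]byte(payload)) + ".sig"
}

func main() {
	calls := 0 // constructed scenario: two transient failures, then a valid token
	claims, attempts, err := fetchToken(func() (int, string) {
		if calls++; calls <= 2 {
			return []int{503, 429}[calls-1], ""
		}
		return 200, fakeToken(`{"aud":"sigstore","exp":4102444800}`)
	})
	fmt.Println(attempts, claims["aud"], err) // 3 sigstore <nil>
}
```

The transient path takes all three attempts and then succeeds; a 403, an HTML body, an empty body or an expired token stops after the first attempt because each is wrapped in `errPermanent`, and a service that keeps returning 500 gives up after the third attempt without being marked permanent.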
This repository's tests are written as Go tests. Run them with `make test`.