Class: Sigstore::Signer

Inherits:

Object

• Object
• Sigstore::Signer

Includes:

Loggable

Defined in:

lib/sigstore/signer.rb

Instance Method Summary

• #initialize(jwt:, trusted_root:) ⇒ Signer constructor

  A new instance of Signer.

• #sign(payload) ⇒ Object

Methods included from Loggable

included, #logger

Constructor Details

#initialize(jwt:, trusted_root:) ⇒ Signer

Returns a new instance of Signer.

# File 'lib/sigstore/signer.rb', line 28

def initialize(jwt:, trusted_root:)
  @identity_token = OIDC::IdentityToken.new(jwt)
  @trusted_root = trusted_root

  @verifier = Verifier.for_trust_root(trust_root: @trusted_root)
end

Instance Method Details

#sign(payload) ⇒ Object

# File 'lib/sigstore/signer.rb', line 35

def sign(payload)
  # 2) generate a keypair
  keypair = generate_keypair
  # 3) generate a CreateSigningCertificateRequest
  csr = generate_csr(keypair)
  # 4) get a cert chain from fulcio
  leaf = fetch_cert(csr)
  # 5) verify returned cert chain
  verify_chain(leaf)
  # 6) sign the payload
  signature = sign_payload(payload, keypair)
  # 7) send hash of signature to timestamping service
  timestamp_verification_data = submit_signature_hash_to_timstamping_service(signature)
  # 8) submit signed metadata to transparency service
  hashed_input = Common::V1::HashOutput.new
  hashed_input.algorithm = Common::V1::HashAlgorithm::SHA2_256
  hashed_input.digest = OpenSSL::Digest("SHA256").digest(payload)
  tlog_entry = submit_signed_metadata_to_transparency_service(signature, leaf, hashed_input)
  # 9) perform verification

  bundle = collect_bundle(leaf, [tlog_entry], timestamp_verification_data, hashed_input, signature)
  verify(payload, bundle)

  bundle
end