This is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. It is intended to be used as a library in other Ruby projects, in additional to a gem subcommand. The project also contains a TUF client implementation, given TUF is a part of the sigstore verification flow.
$ gem sigstore_cosign_verify_bundle --bundle a.txt.sigstore \
--certificate-identity https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
a.txtAfter checking out the repo, run bin/setup to install dependencies. Then, run rake test-unit to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and the created tag, and push the .gem file to rubygems.org.
Bug reports and pull requests are welcome on GitHub at https://github.com/sigstore/sigstore-ruby.
The gem is available as open source under the terms of the Apache 2.