Class Signer

Namespace
Sigstore.Signing
Assembly
Sigstore.dll

Primary public entry point for Sigstore keyless signing.

public sealed class Signer
Constructors

Signer(SigningPipeline, ITufClient, string, ILogger<Signer>)

Creates a signer.

public Signer(SigningPipeline pipeline, ITufClient tufClient, string oidcAudience, ILogger<Signer> logger)

Parameters

pipeline SigningPipeline

Signing pipeline.

tufClient ITufClient

TUF client used when no explicit trusted root is supplied.

oidcAudience string

OIDC audience string. Defaults to "sigstore" (Public Good Instance).

logger ILogger<Signer>

Logger.

Methods

SignAsync(byte[], string?, CancellationToken)

Signs raw artifact bytes using a caller-provided trusted root JSON. Produces a message_signature bundle.

public Task<SigningResult> SignAsync(byte[] artifact, string? trustedRootJson, CancellationToken cancellationToken)

Parameters

artifact byte[]

Artifact bytes to sign.

trustedRootJson string?

Trusted root JSON. When null, the Public Good TUF flow is used.

cancellationToken CancellationToken

Cancellation token.

Returns

Task<SigningResult>

Signing result containing the bundle JSON and signer identity.

SignAsync(byte[], CancellationToken)

Signs raw artifact bytes using the Public Good trusted root fetched via TUF. Produces a message_signature bundle.

public Task<SigningResult> SignAsync(byte[] artifact, CancellationToken cancellationToken)

Parameters

artifact byte[]

Artifact bytes to sign.

cancellationToken CancellationToken

Cancellation token.

Returns

Task<SigningResult>

Signing result containing the bundle JSON and signer identity.

SignBatchAsync(IEnumerable<byte[]>, CancellationToken)

Signs multiple artifacts in a single batch, reusing one OIDC token and Fulcio certificate across all artifacts. Each artifact gets its own Rekor entry and bundle. Produces message_signature bundles.

public Task<IReadOnlyList<SigningResult>> SignBatchAsync(IEnumerable<byte[]> artifacts, CancellationToken cancellationToken)

Parameters

artifacts IEnumerable<byte[]>

Artifact byte arrays to sign.

cancellationToken CancellationToken

Cancellation token.

Returns

Task<IReadOnlyList<SigningResult>>

One SigningResult per artifact, in input order.

SignDsseAsync(byte[], string, string?, CancellationToken)

Signs an arbitrary payload within a DSSE envelope using a caller-provided trusted root JSON.

public Task<SigningResult> SignDsseAsync(byte[] payload, string payloadType, string? trustedRootJson, CancellationToken cancellationToken)

Parameters

payload byte[]

Payload bytes.

payloadType string

Content-type of the payload.

trustedRootJson string?

Trusted root JSON. When null, the Public Good TUF flow is used.

cancellationToken CancellationToken

Cancellation token.

Returns

Task<SigningResult>

Signing result containing the bundle JSON and signer identity.

SignDsseAsync(byte[], string, CancellationToken)

Signs an arbitrary payload within a DSSE envelope using the Public Good trusted root fetched via TUF.

public Task<SigningResult> SignDsseAsync(byte[] payload, string payloadType, CancellationToken cancellationToken)

Parameters

payload byte[]

Payload bytes.

payloadType string

Content-type of the payload (e.g. "application/vnd.in-toto+json").

cancellationToken CancellationToken

Cancellation token.

Returns

Task<SigningResult>

Signing result containing the bundle JSON and signer identity.
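The following is an added usage example for the SignBatchAsync and SignDsseAsync members documented above; it is not code from the Sigstore .NET project. It assumes the caller already holds a constructed Signer (for example from dependency injection), that SigningResult exposes the bundle JSON and signer identity as properties named BundleJson and SignerIdentity (names assumed here; the page only states that both values are present), and uses a placeholder predicate type. The batch call reuses one OIDC token and Fulcio certificate across the release artifacts, the identity check rejects a bundle issued for an identity other than the one the pipeline expects, and the DSSE call binds each artifact's SHA-256 digest into an in-toto Statement.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Sigstore.Signing;

// Added example, not part of the Sigstore .NET project.
// Assumed: SigningResult exposes BundleJson (string) and SignerIdentity (string).
// Assumed: the caller supplies an already constructed Signer.
public static class ReleaseSigning
{
    // Sign every artifact in a release with one OIDC token and one Fulcio
    // certificate, then write each message_signature bundle beside its artifact.
    public static async Task<string[]> SignReleaseArtifactsAsync(
        Signer signer,
        string[] artifactPaths,
        string expectedIdentity,
        CancellationToken ct)
    {
        var artifacts = new List<byte[]>(artifactPaths.Length);
        foreach (var path in artifactPaths)
            artifacts.Add(await File.ReadAllBytesAsync(path, ct));

        // One batch: results come back in input order, one bundle per artifact.
        IReadOnlyList<SigningResult> results = await signer.SignBatchAsync(artifacts, ct);

        var bundlePaths = new string[artifactPaths.Length];
        for (int i = 0; i < results.Count; i++)
        {
            // Refuse to publish a bundle whose certificate identity is not the
            // identity this pipeline is expected to sign with.
            if (!string.Equals(results[i].SignerIdentity, expectedIdentity, StringComparison.Ordinal))
                throw new InvalidOperationException(
                    $"unexpected signer identity for {artifactPaths[i]}: {results[i].SignerIdentity}");

            bundlePaths[i] = artifactPaths[i] + ".sigstore.json";
            await File.WriteAllTextAsync(bundlePaths[i], results[i].BundleJson, ct);
        }
        return bundlePaths;
    }

    // Sign an in-toto Statement for one artifact inside a DSSE envelope. The
    // statement's subject carries the artifact digest, so the envelope is bound
    // to these exact bytes rather than to a file name.
    public static async Task<SigningResult> SignProvenanceAsync(
        Signer signer,
        string artifactPath,
        CancellationToken ct)
    {
        byte[] artifact = await File.ReadAllBytesAsync(artifactPath, ct);
        string sha256 = Convert.ToHexString(SHA256.HashData(artifact)).ToLowerInvariant();

        var statement = new
        {
            _type = "https://in-toto.io/Statement/v1",
            subject = new[]
            {
                new { name = Path.GetFileName(artifactPath), digest = new { sha256 } }
            },
            // Placeholder predicate type; a real pipeline would use its provenance schema.
            predicateType = "https://example.invalid/predicate/v1",
            predicate = new { builder = "example-ci" }
        };

        byte[] payload = JsonSerializer.SerializeToUtf8Bytes(statement);
        // Content-type from the page's own example: in-toto JSON.
        return await signer.SignDsseAsync(payload, "application/vnd.in-toto+json", ct);
    }
}
```

Both helpers use the overloads that take no trustedRootJson, so the Public Good trusted root is fetched through the TUF client the Signer was constructed with; pass a trusted root JSON string to the other overloads when signing against a private Sigstore instance.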