Class SigningPipeline

Namespace
Sigstore.Signing
Assembly
Sigstore.dll

Orchestrates the 10-step Sigstore keyless signing pipeline.

public sealed class SigningPipeline
Inheritance
SigningPipeline
Constructors

SigningPipeline(IOidcTokenProvider, IFulcioClient, IRekorClient, ICertificateVerifier, ILogger<SigningPipeline>)

Creates a signing pipeline.

public SigningPipeline(IOidcTokenProvider tokenProvider, IFulcioClient fulcioClient, IRekorClient rekorClient, ICertificateVerifier certificateVerifier, ILogger<SigningPipeline> logger)

Parameters

tokenProvider IOidcTokenProvider
fulcioClient IFulcioClient
rekorClient IRekorClient
certificateVerifier ICertificateVerifier
logger ILogger<SigningPipeline>

Methods

RunAsync(byte[], string?, string, TrustedRoot, CancellationToken)

Runs the signing pipeline end-to-end.

public Task<SigningResult> RunAsync(byte[] artifact, string? payloadType, string oidcAudience, TrustedRoot trustedRoot, CancellationToken cancellationToken)

Parameters

artifact byte[]

Raw artifact bytes, or the DSSE payload bytes when payloadType is non-null.

payloadType string

null for a message_signature bundle; the payload content-type string for a DSSE envelope.

oidcAudience string

OIDC audience for the token request.

trustedRoot TrustedRoot

Trusted root against which the Fulcio certificate chain and the Rekor SET (signed entry timestamp) are validated.

cancellationToken CancellationToken

Cancellation token.

Returns

Task<SigningResult>

Signing result containing the bundle JSON and signer identity.

RunAsync(byte[], string?, string, TrustedRoot, Uri?, HttpClient?, CancellationToken)

Runs the signing pipeline with optional timestamp authority (TSA) support. When tsaUrl is non-null, an RFC 3161 timestamp is requested and included in the bundle.

public Task<SigningResult> RunAsync(byte[] artifact, string? payloadType, string oidcAudience, TrustedRoot trustedRoot, Uri? tsaUrl, HttpClient? httpClient, CancellationToken cancellationToken)

Parameters

artifact byte[]
payloadType string
oidcAudience string
trustedRoot TrustedRoot
tsaUrl Uri
httpClient HttpClient
cancellationToken CancellationToken

Returns

Task<SigningResult>

RunBatchAsync(byte[][], string, TrustedRoot, CancellationToken)

Signs multiple artifacts in a single batch, reusing one OIDC token and Fulcio certificate. Each artifact gets its own Rekor entry and bundle.

public Task<IReadOnlyList<SigningResult>> RunBatchAsync(byte[][] artifacts, string oidcAudience, TrustedRoot trustedRoot, CancellationToken cancellationToken)

Parameters

artifacts byte[][]
oidcAudience string
trustedRoot TrustedRoot
cancellationToken CancellationToken

Returns

Task<IReadOnlyList<SigningResult>>