Class VerificationPolicy

Namespace: Sigstore.Verification

Assembly: Sigstore.dll

Immutable identity policy for Sigstore bundle verification.

public sealed record VerificationPolicy : IEquatable<VerificationPolicy>

Inheritance: object

VerificationPolicy

Implements: IEquatable<VerificationPolicy>

Inherited Members: object.Equals(object)

object.Equals(object, object)

object.GetHashCode()

object.GetType()

object.ReferenceEquals(object, object)

object.ToString()

Constructors

VerificationPolicy(string, CertificateIdentityMatcher)

Creates a policy.

public VerificationPolicy(string expectedOidcIssuer, CertificateIdentityMatcher certificateIdentityMatcher)

Parameters

expectedOidcIssuer string: Expected OIDC issuer URI (from Fulcio extensions).
certificateIdentityMatcher CertificateIdentityMatcher: Matcher for certificate identity (typically a SAN URI).

Properties

CertificateIdentityMatcher

Matcher applied to certificate identity material.

public CertificateIdentityMatcher CertificateIdentityMatcher { get; }

Property Value

CertificateIdentityMatcher

ExpectedOidcIssuer

Expected OIDC issuer string (for example https://token.actions.githubusercontent.com).

public string ExpectedOidcIssuer { get; }

Property Value

string

Methods

ForExact(string, string)

Requires an exact match for both issuer and identity string.

public static VerificationPolicy ForExact(string issuer, string identity)

Parameters

issuer string: OIDC issuer.
identity string: Exact expected identity (for example SAN URI).

Returns

VerificationPolicy: Immutable policy instance.

ForGitHubActions(string, string, string?)

Builds a GitHub Actions-oriented policy for https://token.actions.githubusercontent.com.

public static VerificationPolicy ForGitHubActions(string repository, string gitRef, string? workflow = null)

Parameters

repository string: Repository in owner/name form.
gitRef string: Git ref (for example refs/heads/main).
workflow string: Optional workflow name; when empty, identity is matched only by repo and ref.

Returns

VerificationPolicy: Immutable policy instance.

ForRegexSubject(string, string)

Requires an exact issuer and a subject that matches a regular expression.

public static VerificationPolicy ForRegexSubject(string issuer, string subjectPattern)

Parameters

issuer string: OIDC issuer.
subjectPattern string: Regular expression applied to the identity string.

Returns

VerificationPolicy: Immutable policy instance.

Table of Contents

Class VerificationPolicy

Constructors

VerificationPolicy(string, CertificateIdentityMatcher)

Parameters

Properties

CertificateIdentityMatcher

Property Value

ExpectedOidcIssuer

Property Value

Methods

ForExact(string, string)

Parameters

Returns

ForGitHubActions(string, string, string?)

Parameters

Returns

ForRegexSubject(string, string)

Parameters

Returns