Source: sigstore-go
Section: golang
Priority: optional
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Uploaders:
 Simon Josefsson <simon@josefsson.org>,
Rules-Requires-Root: no
Build-Depends:
 debhelper-compat (= 13),
 dh-sequence-golang,
 golang-any,
 golang-github-digitorus-timestamp-dev,
 golang-github-go-openapi-runtime-dev,
 golang-github-go-openapi-strfmt-dev,
 golang-github-go-openapi-swag-dev,
 golang-github-google-certificate-transparency-dev,
 golang-github-in-toto-attestation-dev,
 golang-github-in-toto-in-toto-golang-dev,
 golang-github-secure-systems-lab-go-securesystemslib-dev,
 golang-github-sigstore-protobuf-specs-dev (>> 0.4.1~),
 golang-github-sigstore-rekor-dev (>> 1.3.6-2~),
 golang-github-sigstore-sigstore-dev (>> 1.8.10-2~),
 golang-github-sigstore-timestamp-authority-dev,
 golang-github-stretchr-testify-dev,
 golang-github-theupdateframework-go-tuf-dev (>> 2.0.2~),
 golang-golang-x-crypto-dev,
 golang-golang-x-mod-dev,
 golang-google-protobuf-dev,
 help2man <!nodoc>,
Testsuite: autopkgtest-pkg-go
Standards-Version: 4.7.2
Vcs-Browser: https://salsa.debian.org/go-team/packages/sigstore-go
Vcs-Git: https://salsa.debian.org/go-team/packages/sigstore-go.git
Homepage: https://github.com/sigstore/sigstore-go
XS-Go-Import-Path: github.com/sigstore/sigstore-go

Package: sigstore-go
Architecture: any
Depends:
 ${misc:Depends},
 ${shlibs:Depends},
Built-Using:
 ${misc:Built-Using},
Static-Built-Using:
 ${misc:Static-Built-Using},
Description: Sigstore signing and verification (program)
 A client library for Sigstore (https://www.sigstore.dev/), written in
 Go. Features:
 .
  * Signing and verification of Sigstore bundles
    (https://github.com/sigstore/protobuf-
    specs/blob/main/protos/sigstore_bundle.proto) compliant with Sigstore
    Client Spec
  * Verification of raw Sigstore signatures by creating bundles for them
    (see conformance tests (/cmd/conformance/main.go) for example)
  * Signing and verifying with a Timestamp Authority (TSA)
  * Signing and verifying (offline or online) with Rekor (Artifact
    Transparency Log)
  * Structured verification results including certificate metadata
  * TUF support
  * Verification support for custom trusted root
    (https://github.com/sigstore/protobuf-
    specs/blob/main/protos/sigstore_trustroot.proto)
  * Basic CLI and examples
 .
 For an example of how to use this library, see the verification
 documentation (/docs/verification.md), the CLI cmd/sigstore-go
 (/cmd/sigstore-go/main.go). Note that the CLI
 is to demonstrate how to use the library, and not intended as a fully-
 featured Sigstore CLI like cosign (https://github.com/sigstore/cosign).
 .
 Background
 .
 Sigstore already has a canonical Go client implementation, cosign
 (https://github.com/sigstore/cosign), which was developed with a focus
 on container image signing/verification. It has a rich CLI and a long
 legacy of features and development. sigstore-go is a more minimal and
 friendly API for integrating Go code with Sigstore, with a focus on the
 newly specified data structures in sigstore/protobuf-specs
 (https://github.com/sigstore/protobuf-specs). sigstore-go attempts to
 minimize the dependency tree for simple signing and verification tasks,
 omitting KMS support and container image verification.
 .
 This package contains the binaries.

Package: golang-github-sigstore-sigstore-go-dev
Architecture: all
Multi-Arch: foreign
Breaks:
 cosign (<< 2.4.3~),
Depends:
 golang-github-digitorus-pkcs7-dev,
 golang-github-digitorus-timestamp-dev,
 golang-github-go-openapi-runtime-dev,
 golang-github-go-openapi-strfmt-dev,
 golang-github-go-openapi-swag-dev,
 golang-github-google-certificate-transparency-dev,
 golang-github-in-toto-attestation-dev,
 golang-github-in-toto-in-toto-golang-dev,
 golang-github-secure-systems-lab-go-securesystemslib-dev,
 golang-github-sigstore-protobuf-specs-dev (>> 0.4.1~),
 golang-github-sigstore-rekor-dev (>> 1.3.6-2~),
 golang-github-sigstore-sigstore-dev (>> 1.8.10-2~),
 golang-github-sigstore-timestamp-authority-dev,
 golang-github-stretchr-testify-dev,
 golang-github-theupdateframework-go-tuf-dev (>> 2.0.2~),
 golang-golang-x-crypto-dev,
 golang-golang-x-mod-dev,
 golang-google-protobuf-dev,
 ${misc:Depends},
Description: Sigstore signing and verification (Go library)
 A client library for Sigstore (https://www.sigstore.dev/), written in
 Go. Features:
 .
  * Signing and verification of Sigstore bundles
    (https://github.com/sigstore/protobuf-
    specs/blob/main/protos/sigstore_bundle.proto) compliant with Sigstore
    Client Spec
  * Verification of raw Sigstore signatures by creating bundles for them
    (see conformance tests (/cmd/conformance/main.go) for example)
  * Signing and verifying with a Timestamp Authority (TSA)
  * Signing and verifying (offline or online) with Rekor (Artifact
    Transparency Log)
  * Structured verification results including certificate metadata
  * TUF support
  * Verification support for custom trusted root
    (https://github.com/sigstore/protobuf-
    specs/blob/main/protos/sigstore_trustroot.proto)
  * Basic CLI and examples
 .
 For an example of how to use this library, see the verification
 documentation (/docs/verification.md), the CLI cmd/sigstore-go
 (/cmd/sigstore-go/main.go). Note that the CLI
 is to demonstrate how to use the library, and not intended as a fully-
 featured Sigstore CLI like cosign (https://github.com/sigstore/cosign).
 .
 Background
 .
 Sigstore already has a canonical Go client implementation, cosign
 (https://github.com/sigstore/cosign), which was developed with a focus
 on container image signing/verification. It has a rich CLI and a long
 legacy of features and development. sigstore-go is a more minimal and
 friendly API for integrating Go code with Sigstore, with a focus on the
 newly specified data structures in sigstore/protobuf-specs
 (https://github.com/sigstore/protobuf-specs). sigstore-go attempts to
 minimize the dependency tree for simple signing and verification tasks,
 omitting KMS support and container image verification.
 .
 This package contains the Go library.
