README
sigspy
Extract and parse certificate extensions from Sigstore-signed certificates.
Installation
Quick install (latest)
curl -sL https://github.com/actionutils/sigspy/releases/latest/download/install.sh | \
(tmpfile=$(mktemp); cat > "$tmpfile"; \
gh attestation verify --repo=actionutils/sigspy --signer-repo=actionutils/trusted-go-releaser "$tmpfile" && \
sh "$tmpfile"; rm -f "$tmpfile")
The install.sh script is generated by binstaller.
Quick install (specific version)
SIGSPY_VERSION=v1.0.0
curl -sL "https://github.com/actionutils/sigspy/releases/download/${SIGSPY_VERSION}/install.sh" | \
(tmpfile=$(mktemp); cat > "$tmpfile"; \
gh attestation verify --repo=actionutils/sigspy --signer-repo=actionutils/trusted-go-releaser "$tmpfile" && \
sh "$tmpfile"; rm -f "$tmpfile")
GitHub Actions
- uses: binary-install/setup-x@v1
with:
script_url: https://github.com/actionutils/sigspy/releases/latest/download/install.sh
gh_attestations_verify_flags: --repo=actionutils/sigspy --signer-repo=actionutils/trusted-go-releaser
This uses the setup-x action to install the binary and to run the same gh attestation verify check against install.sh before executing it.
Using Go
go install github.com/actionutils/sigspy@latest
Usage
sigspy -input-format=<format> < certificate_file
Formats:
pkcs7 (default) - PEM-encoded PKCS7 signatures (e.g., Git signatures)
der - Raw binary certificate data
pem - PEM-encoded certificates (-----BEGIN CERTIFICATE-----)
Examples
# Parse gitsign signature
git cat-file tag v1.0.0 | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sigspy | jq .
# Parse GitHub attestation
gh attestation verify artifact.txt --owner myorg --format json | \
jq -r '.[0].attestation.bundle.verificationMaterial.certificate.rawBytes' | \
base64 -d | sigspy -input-format=der | jq .
# Parse PEM certificate (decode base64 if needed)
curl -sL https://github.com/actionutils/sigspy/releases/download/v1.0.0/checksums.txt.pem | base64 -d | sigspy -input-format=pem | jq .
# Parse certificate from attestation JSONL
gh attestation download artifact.txt --owner myorg
cat *.jsonl | jq -r '.verificationMaterial.tlogEntries[0].canonicalizedBody' | \
base64 -d | jq -r '.spec.signatures[0].verifier' | base64 -d | sigspy -input-format=pem | jq .
Output
JSON containing the parsed Fulcio certificate extensions. sigspy only decodes these extensions; it does not validate the certificate chain, the signature or the transparency log entry, so verify the artifact first (for example with gh attestation verify, as in the examples above) before acting on the values:
{
"Issuer": "https://token.actions.githubusercontent.com",
"GithubWorkflowTrigger": "push",
"GithubWorkflowSHA": "91cce99aa1af750c246b622e3341a890900a3026",
"GithubWorkflowName": "Release",
"GithubWorkflowRepository": "actionutils/sigspy",
"GithubWorkflowRef": "refs/heads/main",
"BuildSignerURI": "https://github.com/actionutils/trusted-go-releaser/.github/workflows/trusted-release-workflow.yml@refs/tags/v0",
"BuildSignerDigest": "18dbcad44783005261a22d90382dd03adeaefc12",
"RunnerEnvironment": "github-hosted",
"SourceRepositoryURI": "https://github.com/actionutils/sigspy",
"SourceRepositoryDigest": "91cce99aa1af750c246b622e3341a890900a3026",
"SourceRepositoryRef": "refs/heads/main",
"SourceRepositoryIdentifier": "967219080",
"SourceRepositoryOwnerURI": "https://github.com/actionutils",
"SourceRepositoryOwnerIdentifier": "206433623",
"BuildConfigURI": "https://github.com/actionutils/sigspy/.github/workflows/release.yml@refs/heads/main",
"BuildConfigDigest": "91cce99aa1af750c246b622e3341a890900a3026",
"BuildTrigger": "push",
"RunInvocationURI": "https://github.com/actionutils/sigspy/actions/runs/16041355680/attempts/1",
"SourceRepositoryVisibilityAtSigning": "public"
}
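The decoding behind the output above, as an added Go example that is not part of the sigspy project's code. It builds a self-signed certificate carrying constructed Fulcio-style extensions (so it runs offline; no Fulcio-issued certificate is involved), decodes both the deprecated v1 form (sub-IDs 1-6, raw string value) and the v2 form (sub-IDs 8-22, DER UTF8String) under Fulcio's published OID arc 1.3.6.1.4.1.57264.1, and then applies the pinning check a consumer of this output would run: issuer, exact source repository, and signer workflow path referenced by a tag. Input-format handling (pem/der/pkcs7) is left to sigspy; the example starts from an already parsed *x509.Certificate. NewSampleCert, ParseFulcioExtensions and CheckProvenance are names chosen here, and the pinned repository and workflow values are copied from the sample output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fulcio extensions sit under 1.3.6.1.4.1.57264.1: sub-IDs 1-6 are the deprecated v1
// form (raw string value), 8-22 are v2 (DER UTF8String); 7 is the OtherName SAN.
var fulcioBase = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1}
var fulcioNames = map[int]string{
	1: "Issuer", 2: "GithubWorkflowTrigger", 3: "GithubWorkflowSHA", 4: "GithubWorkflowName", 5: "GithubWorkflowRepository",
	6: "GithubWorkflowRef", 8: "Issuer", 9: "BuildSignerURI", 10: "BuildSignerDigest", 11: "RunnerEnvironment",
	12: "SourceRepositoryURI", 13: "SourceRepositoryDigest", 14: "SourceRepositoryRef", 15: "SourceRepositoryIdentifier",
	16: "SourceRepositoryOwnerURI", 17: "SourceRepositoryOwnerIdentifier", 18: "BuildConfigURI", 19: "BuildConfigDigest",
	20: "BuildTrigger", 21: "RunInvocationURI", 22: "SourceRepositoryVisibilityAtSigning",
}

// ParseFulcioExtensions decodes the Fulcio extensions by name; it does not verify chain or signature.
func ParseFulcioExtensions(cert *x509.Certificate) (map[string]string, error) {
	out := map[string]string{}
	for _, ext := range cert.Extensions {
		if len(ext.Id) != 9 || !ext.Id[:8].Equal(fulcioBase) || fulcioNames[ext.Id[8]] == "" {
			continue // not a Fulcio extension, or sub-ID 7 (OtherName SAN) / an unassigned value
		}
		name := fulcioNames[ext.Id[8]]
		if ext.Id[8] <= 6 { // v1: the raw extension value is the string itself
			out[name] = string(ext.Value)
			continue
		}
		var s string // v2: the extension value is a DER-encoded UTF8String
		if rest, err := asn1.Unmarshal(ext.Value, &s); err != nil || len(rest) != 0 {
			return nil, fmt.Errorf("extension %s (%s): malformed DER value", name, ext.Id)
		}
		out[name] = s
	}
	return out, nil
}

// CheckProvenance pins what a consumer of the decoded values should insist on: the OIDC issuer,
// the exact source repository, and the signer workflow path referenced by a tag (a branch ref can move).
func CheckProvenance(ext map[string]string, repoURI, signerWorkflow string) error {
	if ext["Issuer"] != "https://token.actions.githubusercontent.com" {
		return fmt.Errorf("unexpected issuer %q", ext["Issuer"])
	}
	if ext["SourceRepositoryURI"] != repoURI {
		return fmt.Errorf("unexpected source repository %q", ext["SourceRepositoryURI"])
	}
	path, ref, ok := strings.Cut(ext["BuildSignerURI"], "@")
	if !ok || path != signerWorkflow || !strings.HasPrefix(ref, "refs/tags/") {
		return fmt.Errorf("untrusted signer workflow %q", ext["BuildSignerURI"])
	}
	return nil
}

// NewSampleCert is a self-signed certificate with constructed Fulcio-style extensions (not Fulcio-issued).
func NewSampleCert() (*x509.Certificate, error) {
	oid := func(sub int) asn1.ObjectIdentifier { return append(fulcioBase[:8:8], sub) }
	utf8 := func(s string) []byte { b, _ := asn1.MarshalWithParams(s, "utf8"); return b }
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(10 * time.Minute),
		ExtraExtensions: []pkix.Extension{
			{Id: oid(2), Value: []byte("push")}, // v1 GithubWorkflowTrigger: raw string, no DER wrapper
			{Id: oid(8), Value: utf8("https://token.actions.githubusercontent.com")},
			{Id: oid(9), Value: utf8("https://github.com/actionutils/trusted-go-releaser/.github/workflows/trusted-release-workflow.yml@refs/tags/v0")},
			{Id: oid(12), Value: utf8("https://github.com/actionutils/sigspy")},
			{Id: oid(20), Value: utf8("push")},
		},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewSampleCert()
	if err != nil {
		panic(err)
	}
	ext, err := ParseFulcioExtensions(cert)
	fmt.Println(ext, err, CheckProvenance(ext, "https://github.com/actionutils/sigspy",
		"https://github.com/actionutils/trusted-go-releaser/.github/workflows/trusted-release-workflow.yml"))
}
```

Running it with go run prints the decoded map, a nil parse error and a nil provenance error. The tag-ref requirement is the part most often skipped: a check that only matches the repository (as --signer-repo does) would also accept the same workflow file signed from an arbitrary branch of that repository, and a malformed v2 value is reported as an error rather than silently dropped, so a tampered extension cannot simply disappear from the output.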
Author
haya14busa
