Sigstore/cosign key-pair primitives, native via :public_key (ECDSA P-256, no shelling out).
Provides key generation (PEM, the format cosign reads and writes), detached signing and
verification of a payload, and construction of the cosign simple signing payload that binds
an image's manifest digest. Keyless signing (Fulcio/Rekor) is a future opt-in.
Spec: cosign SIGNATURE_SPEC.
Functions
@spec generate_key() :: keypair()
Generates an ECDSA P-256 keypair as PEM strings (%{private: ..., public: ...}).
@spec payload(Stevedore.Digest.t(), keyword()) :: binary()
Builds the cosign simple-signing payload binding digest. opts[:reference] sets the
docker-reference; opts[:annotations] populates the optional section.
Resolves a key argument to a private-key record.
Resolves a key argument to a public-key record.
Signs payload with key's private key, returning a base64 DER ECDSA signature.
Verifies a base64 DER signature over payload against key's public key.
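The sign-and-verify flow described above, as an added example written directly against :public_key; it is not Stevedore's own code. The module CosignSketch, its function names, the plain-string digest and the sample reference are assumptions, and JSON requires Elixir 1.18 or later.

```elixir
# Added example: hypothetical module, not this library's API.
defmodule CosignSketch do
  @sig_type "cosign container image signature"

  # Simple-signing payload: the manifest digest sits under critical.image.
  # The digest is a plain "sha256:..." string here (assumption).
  def payload(digest, reference) do
    JSON.encode!(%{
      "critical" => %{
        "identity" => %{"docker-reference" => reference},
        "image" => %{"docker-manifest-digest" => digest},
        "type" => @sig_type
      },
      "optional" => nil
    })
  end

  # Detached signature: ECDSA over SHA-256 of the payload bytes, DER, base64.
  def sign(payload, priv), do: Base.encode64(:public_key.sign(payload, :sha256, priv))

  # Accept only if the signature is valid AND the signed payload names the
  # digest of the manifest that was actually resolved.
  def verify(payload, sig_b64, pub, expected_digest) do
    with {:ok, sig} <- Base.decode64(sig_b64),
         true <- :public_key.verify(payload, :sha256, sig, pub),
         {:ok, %{"critical" => critical}} <- JSON.decode(payload),
         %{"type" => @sig_type, "image" => image} <- critical,
         %{"docker-manifest-digest" => ^expected_digest} <- image do
      :ok
    else
      _ -> {:error, :rejected}
    end
  end
end

# Constructed sample values.
digest = "sha256:" <> Base.encode16(:crypto.hash(:sha256, "constructed manifest"), case: :lower)
priv = :public_key.generate_key({:namedCurve, :secp256r1})
# ECPrivateKey record: element 3 is the curve parameters, element 4 the public point.
pub = {{:ECPoint, elem(priv, 4)}, elem(priv, 3)}

p = CosignSketch.payload(digest, "registry.example/app")
sig = CosignSketch.sign(p, priv)
:ok = CosignSketch.verify(p, sig, pub, digest)

# A valid signature over a payload for a different digest is rejected.
other = "sha256:" <> String.duplicate("0", 64)
{:error, :rejected} = CosignSketch.verify(p, sig, pub, other)
# Any change to the payload bytes invalidates the detached signature.
{:error, :rejected} = CosignSketch.verify(p <> " ", sig, pub, digest)
```

The signature covers the exact payload bytes, so the verifier must check those bytes before parsing and then compare the embedded digest with the manifest it pulled.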