A minimal TypeScript implementation of Sigstore verification, optimized for browser compatibility.
This is a browser-compatible alternative to sigstore-js that focuses on verification functionality needed for secure software updates in browser environments.
Caution
This library has not received an independent security audit. Maintenance is performed by volunteers, and the project is not officially supported or endorsed by the Freedom of the Press Foundation.
- Full Sigstore Verification: Complete verification of Sigstore bundles including certificate chains, transparency logs, and timestamps
- Browser-First: Designed for web browsers using the Web Crypto API
- TUF Integration: Secure trusted root updates via The Update Framework
- Policy Verification: Flexible identity and claim verification adapted from sigstore-python
- Multiple Bundle Formats: Supports Sigstore bundle versions 0.1, 0.2, and 0.3
- Multiple Key Types: RSA, ECDSA, and Ed25519 signature verification via Web Crypto API
- Minimal Dependencies: Only depends on @freedomofpress/crypto-browser, @freedomofpress/tuf-browser, and @noble/curves
npm install @freedomofpress/sigstore-browserimport { SigstoreVerifier } from '@freedomofpress/sigstore-browser';
// Initialize the verifier
const verifier = new SigstoreVerifier();
// Load the Sigstore trusted root via TUF (recommended)
await verifier.loadSigstoreRootWithTUF();
// Or load a trusted root directly
// await verifier.loadSigstoreRoot(trustedRootJson);
// Verify an artifact
const bundle = JSON.parse(bundleJsonString);
const artifactData = new Uint8Array(/* artifact bytes */);
const verified = await verifier.verifyArtifact(
'[email protected]', // Expected signer identity (SAN)
'https://accounts.google.com', // Expected OIDC issuer
bundle,
artifactData
);const verifier = new SigstoreVerifier({
tlogThreshold: 1, // Minimum transparency log entries required (default: 1)
ctlogThreshold: 1, // Minimum SCTs required (default: 1)
tsaThreshold: 0, // Minimum TSA timestamps required (default: 0)
});The verifyArtifact method performs the following checks:
- Identity Verification: Certificate SAN matches the expected identity
- Issuer Verification: Certificate OIDC issuer matches the expected issuer
- Certificate Chain: Leaf certificate chains to a trusted Fulcio CA
- SCT Verification: Signed Certificate Timestamps from CT logs
- Inclusion Promise/Proof: Rekor transparency log inclusion
- Merkle Tree Verification: Inclusion proof validation (for v0.2+ bundles)
- TLog Body Verification: Entry body matches bundle content
- TSA Timestamp Verification: RFC 3161 timestamp verification (if configured)
- Signature Verification: Artifact signature using certificate's public key
# Install dependencies
npm install
# Build the project
npm run build
# Run tests (browser environment via Playwright)
npm test
# Lint and format
npm run lintThis library is part of a family of browser-compatible security libraries:
- @freedomofpress/tuf-browser - Browser-compatible TUF client
- @freedomofpress/crypto-browser - Browser-compatible cryptographic primitives
Apache License 2.0 - see LICENSE file for details. Portions of this package incorporate code from sigstore-js and sigstore-python.
This project is based on the Sigstore specification and adapted from: