sigspy

command module
v2.0.3 (latest)
Published: Sep 11, 2025 License: MIT Imports: 24 Imported by: 0

README

sigspy

Extract and parse certificate extensions from Sigstore-signed certificates.

Installation

Quick install (latest)
curl -sL https://github.com/actionutils/sigspy/releases/latest/download/install.sh | \
  (tmpfile=$(mktemp); cat > "$tmpfile"; \
   gh attestation verify --repo=actionutils/sigspy --signer-repo=actionutils/trusted-go-releaser "$tmpfile" && \
   sh "$tmpfile"; rm -f "$tmpfile")

The install.sh script is generated by binstaller.

Quick install (specific version)
SIGSPY_VERSION=v1.0.0
curl -sL "https://github.com/actionutils/sigspy/releases/download/${SIGSPY_VERSION}/install.sh" | \
  (tmpfile=$(mktemp); cat > "$tmpfile"; \
   gh attestation verify --repo=actionutils/sigspy --signer-repo=actionutils/trusted-go-releaser "$tmpfile" && \
   sh "$tmpfile"; rm -f "$tmpfile")

GitHub Actions
- uses: binary-install/setup-x@v1
  with:
    script_url: https://github.com/actionutils/sigspy/releases/latest/download/install.sh
    gh_attestations_verify_flags: --repo=actionutils/sigspy --signer-repo=actionutils/trusted-go-releaser

Using setup-x action for binary installation.

Using Go
go install github.com/actionutils/sigspy@latest

Usage

sigspy [-input-format=auto|pkcs7|der|pem] < input

Formats:

  • auto (default) - auto-detect PEM/DER and PKCS7/CMS. If PKCS7/CMS, emit CMS + Rekor; if certificate, emit Fulcio extensions + basic cert info.
  • pkcs7 - treat input as PKCS7/CMS (PEM with BEGIN PKCS7 or SIGNED MESSAGE, or raw DER)
  • der - treat input as a certificate (DER)
  • pem - treat input as a certificate (PEM)

Examples

# Parse gitsign signature
git cat-file tag v1.0.0 | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sigspy | jq .

# Parse GitHub attestation
gh attestation verify artifact.txt --owner myorg --format json | \
  jq -r '.[0].attestation.bundle.verificationMaterial.certificate.rawBytes' | \
  base64 -d | sigspy -input-format=der | jq .

# Parse PEM certificate (decode base64 if needed)
curl -sL https://github.com/actionutils/sigspy/releases/download/v1.0.0/checksums.txt.pem | base64 -d | sigspy -input-format=pem | jq .

# Parse certificate from attestation JSONL
gh attestation download artifact.txt --owner myorg
cat *.jsonl | jq -r '.verificationMaterial.tlogEntries[0].canonicalizedBody' | \
  base64 -d | jq -r '.spec.signatures[0].verifier' | base64 -d | sigspy -input-format=pem | jq .

Output

sigspy returns a single JSON envelope, designed to be easy to extend, that includes:

  • certificate: basic x509 summary (subject/issuer/serial/validity/SANs/fingerprint)
  • fulcio_extensions: parsed Fulcio OIDs
  • cms: when input is PKCS7, signed attributes digest and signature info
  • rekor: when available, embedded TransparencyLogEntry (JSON) from OID 1.3.6.1.4.1.57264.3.1
  • ct: parsed CT Precertificate SCTs from OID 1.3.6.1.4.1.11129.2.4.2

Example (trimmed):

{
  "version": "1",
  "input": { "detectedFormat": "pkcs7" },
  "certificate": {
    "subject": { "commonName": "sigstore" },
    "issuer": { "commonName": "Fulcio" },
    "serialNumberHex": "01AB…",
    "notBefore": "2025-01-01T00:00:00Z",
    "notAfter": "2025-01-02T00:00:00Z",
    "sha256FingerprintHex": "A1B2…",
    "publicKeyAlgorithm": "RSA"
  },
  "fulcio_extensions": { "Issuer": "https://token.actions…", "GithubWorkflowSHA": "…" },
  "cms": {
    "hasSignedAttributes": true,
    "signedAttributesDERBase64": "…",
    "signedAttributesSHA256Hex": "…",
    "signatureAlgorithm": "1.2.840.113549.1.1.11",
    "signatureBase64": "…"
  },
  "rekor": {
    "present": true,
    "oid": "1.3.6.1.4.1.57264.3.1",
    "transparencyLogEntry": {
      "logIndex": 123,
      "integratedTime": 1700000000,
      "logId": { "keyId": "…" },
      "inclusionProof": { "logIndex": 123, "treeSize": 456, "rootHash": "…", "hashes": ["…"] }
    }
  },
  "ct": {
    "precertificateSCTs": [
      {
        "version": 1,
        "logIDHex": "…",
        "timestampMs": 1700000000000,
        "timestampRFC3339": "2023-11-14T00:00:00Z",
        "hashAlgorithm": "sha256",
        "signatureAlgorithm": "ecdsa",
        "signatureBase64": "…"
      }
    ]
  }
}
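The fulcio_extensions field above comes from walking the certificate's X.509 extensions and picking out the OIDs under the Fulcio arc 1.3.6.1.4.1.57264.1. The following Go program is an added example written for this page, not sigspy's own code, that shows that core step on a PEM certificate. It issues a self-signed certificate with constructed extension values so it runs offline; the OID table, the helper names (extractFulcio, buildSampleCert) and all sample values are this example's assumptions, and a real Fulcio leaf is signed by the Fulcio CA rather than self-signed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// fulcioExt names a Fulcio extension OID under 1.3.6.1.4.1.57264.1 and records
// how its value is encoded: the 1.1-1.6 extensions carry raw string bytes (the
// deprecated form), while 1.8 and later carry a DER-encoded UTF8String.
// Only a few OIDs from the Fulcio certificate spec are listed here.
type fulcioExt struct {
	name      string
	derString bool
}

var fulcioOIDs = map[string]fulcioExt{
	"1.3.6.1.4.1.57264.1.1": {"Issuer", false},
	"1.3.6.1.4.1.57264.1.3": {"GithubWorkflowSHA", false},
	"1.3.6.1.4.1.57264.1.8": {"IssuerV2", true},
	"1.3.6.1.4.1.57264.1.9": {"BuildSignerURI", true},
}

// extractFulcio decodes a PEM certificate and returns its Fulcio extensions
// keyed by name. A DER extension that is not exactly one UTF8String is an
// error rather than being silently coerced into a string.
func extractFulcio(pemData []byte) (map[string]string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("input does not contain a CERTIFICATE PEM block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse certificate: %w", err)
	}
	out := make(map[string]string)
	for _, ext := range cert.Extensions {
		meta, ok := fulcioOIDs[ext.Id.String()]
		if !ok {
			continue // not a Fulcio OID in our table
		}
		if !meta.derString {
			out[meta.name] = string(ext.Value)
			continue
		}
		var s string
		rest, err := asn1.Unmarshal(ext.Value, &s)
		if err != nil || len(rest) != 0 {
			return nil, fmt.Errorf("%s (%s): not a single DER UTF8String", meta.name, ext.Id)
		}
		out[meta.name] = s
	}
	return out, nil
}

// buildSampleCert issues a self-signed certificate carrying constructed
// Fulcio-style extensions so the parser can run offline. The values are made
// up for this example.
func buildSampleCert() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	const issuer = "https://token.actions.githubusercontent.com"
	issuerDER, err := asn1.MarshalWithParams(issuer, "utf8") // DER UTF8String form
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sigstore"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(10 * time.Minute),
		ExtraExtensions: []pkix.Extension{
			{Id: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}, Value: []byte(issuer)},
			{Id: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 3}, Value: []byte("0123456789abcdef0123456789abcdef01234567")},
			{Id: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}, Value: issuerDER},
		},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pemData, err := buildSampleCert()
	if err != nil {
		panic(err)
	}
	fmt.Println(extractFulcio(pemData))
}
```

The point worth keeping in mind when writing such a parser is the encoding split: treating a V2 (1.8+) extension as raw bytes would leak the DER tag and length prefix into the reported issuer, and treating a deprecated one as DER would fail to decode, so the table records the form per OID and rejects anything that does not match it.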

Author

haya14busa

Documentation

There is no documentation for this package.
