POST
/api/v1/security/sigstore-verifyVerify a Sigstore / cosign keyless bundle
Deterministically verify a supplied Sigstore bundle: the artifact-digest signature, the Fulcio certificate identity policy (SAN + OIDC issuer + validity), the Rekor RFC-6962 transparency-log inclusion proof, and the signed-entry-timestamp. Fulcio cert and Rekor/TUF log key may be supplied inline or fetched from a public URL (SSRF-guarded). Fail-closed: any fetch/parse error returns an error, never a partial verdict.
Authentication
Send Authorization: Bearer YOUR_API_KEY on every request. Generate API keys at /dashboard/api-keys.
Request body required
Example
{
"orgId": "00000000-0000-0000-0000-000000000000",
"artifactDigestHex": "<SHA-256 digest (64 hex chars) of the sig>",
"signatureB64": "<Base64 signature over the artifact diges>",
"publicKeyPem": "<Raw signing public key (SPKI PEM). Suppl>",
"certificatePem": "<Fulcio signing certificate (PEM) — enabl>",
"oidcIssuer": "<OIDC issuer extracted from the cert's cu>",
"certificateUrl": "https://example.com",
"logEntryB64": "<Canonicalized Rekor log entry (base64) t>",
"inclusionProof": {
"logIndex": 0,
"treeSize": 0,
"rootHash": "string",
"hashes": [
"string"
]
},
"setB64": "<Signed Entry Timestamp (base64) — log-ke>",
"logPublicKeyPem": "<Rekor log public key (PEM) that signs SE>",
"logPublicKeyUrl": "https://example.com",
"identityPolicy": {
"san": "string",
"sanRegex": "string",
"oidcIssuer": "string"
},
"trustedLogRootHex": "<Trusted Rekor tree root (hex) to pin the>",
"requireTransparencyLog": false
}Schema
{
"application/json": {
"schema": {
"type": "object",
"properties": {
"orgId": {
"type": "string",
"format": "uuid",
"pattern": "^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-8][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}|00000000-0000-0000-0000-000000000000|ffffffff-ffff-ffff-ffff-ffffffffffff)$"
},
"artifactDigestHex": {
"type": "string",
"pattern": "^[0-9a-fA-F]{64}$",
"description": "SHA-256 digest (64 hex chars) of the signed artifact."
},
"signatureB64": {
"type": "string",
"minLength": 1,
"maxLength": 8192,
"description": "Base64 signature over the artifact digest."
},
"publicKeyPem": {
"type": "string",
"minLength": 1,
"maxLength": 8192,
"description": "Raw signing public key (SPKI PEM). Supply this OR certificatePem/certificateUrl."
},
"certificatePem": {
"type": "string",
"minLength": 1,
"maxLength": 16384,
"description": "Fulcio signing certificate (PEM) — enables identity-policy enforcement."
},
"oidcIssuer": {
"type": "string",
"maxLength": 2048,
"description": "OIDC issuer extracted from the cert's custom extension."
},
"certificateUrl": {
"type": "string",
"maxLength": 2048,
"format": "uri",
"description": "Public URL to fetch the Fulcio certificate PEM (SSRF-guarded)."
},
"logEntryB64": {
"type": "string",
"maxLength": 65536,
"description": "Canonicalized Rekor log entry (base64) the inclusion proof covers."
},
"inclusionProof": {
"type": "object",
"properties": {
"logIndex": {
"type": "integer",
"minimum": 0,
"maximum": 9007199254740991
},
"treeSize": {
"type": "integer",
"minimum": 0,
"exclusiveMinimum": true,
"maximum": 9007199254740991
},
"rootHash": {
"type": "string",
"maxLength": 128,
"pattern": "^[0-9a-fA-F]+$"
},
"hashes": {
"maxItems": 64,
"type": "array",
"items": {
"type": "string",
"maxLength": 128,
"pattern": "^[0-9a-fA-F]+$"
}
}
},
"required": [
"logIndex",
"treeSize",
"rootHash",
"hashes"
],
"additionalProperties": false,
"description": "RFC-6962 inclusion proof."
},
"setB64": {
"type": "string",
"maxLength": 8192,
"description": "Signed Entry Timestamp (base64) — log-key signature over the entry."
},
"logPublicKeyPem": {
"type": "string",
"minLength": 1,
"maxLength": 8192,
"description": "Rekor log public key (PEM) that signs SETs / checkpoints."
},
"logPublicKeyUrl": {
"type": "string",
"maxLength": 2048,
"format": "uri",
"description": "Public URL to fetch the Rekor/TUF log public key PEM (SSRF-guarded)."
},
"identityPolicy": {
"type": "object",
"properties": {
"san": {
"type": "string",
"maxLength": 2048
},
"sanRegex": {
"type": "string",
"maxLength": 2048
},
"oidcIssuer": {
"type": "string",
"maxLength": 2048
}
},
"additionalProperties": false,
"description": "Identity the bundle MUST satisfy (requires certificatePem)."
},
"trustedLogRootHex": {
"type": "string",
"maxLength": 128,
"pattern": "^[0-9a-fA-F]+$",
"description": "Trusted Rekor tree root (hex) to pin the inclusion proof against."
},
"requireTransparencyLog": {
"type": "boolean",
"description": "Require transparency-log inclusion (default true)."
}
},
"required": [
"orgId",
"artifactDigestHex",
"signatureB64"
],
"additionalProperties": false
}
}
}Response
200 example
{
"success": true
}All status codes
200Verification result (valid + per-check outcomes + reasons + resolved identity).
400(no description)
401(no description)
403Forbidden — not an org member (NOT_ORG_MEMBER).
429(no description)
Code samples
cURL
curl -X POST \
https://evalguard.ai/api/v1/security/sigstore-verify \
-H "Authorization: Bearer $EVALGUARD_API_KEY" \
-H "Content-Type: application/json" \
-d '{ "orgId": "00000000-0000-0000-0000-000000000000", "artifactDigestHex": "<SHA-256 digest (64 hex chars) of the sig>", "signatureB64": "<Base64 signature over the artifact diges>", "publicKeyPem": "<Raw signing public key (SPKI PEM). Suppl>", "certificatePem": "<Fulcio signing certificate (PEM) — enabl>", "oidcIssuer": "<OIDC issuer extracted from the cert's cu>", "certificateUrl": "https://example.com", "logEntryB64": "<Canonicalized Rekor log entry (base64) t>", "inclusionProof": { "logIndex": 0, "treeSize": 0, "rootHash": "string", "hashes": [ "string" ] }, "setB64": "<Signed Entry Timestamp (base64) — log-ke>", "logPublicKeyPem": "<Rekor log public key (PEM) that signs SE>", "logPublicKeyUrl": "https://example.com", "identityPolicy": { "san": "string", "sanRegex": "string", "oidcIssuer": "string" }, "trustedLogRootHex": "<Trusted Rekor tree root (hex) to pin the>", "requireTransparencyLog": false }'TypeScript
import { EvalGuard } from "@evalguard/sdk";
const client = new EvalGuard({ apiKey: process.env.EVALGUARD_API_KEY });
const response = await client.request({
method: "POST",
path: "/api/v1/security/sigstore-verify",
body: {
"orgId": "00000000-0000-0000-0000-000000000000",
"artifactDigestHex": "<SHA-256 digest (64 hex chars) of the sig>",
"signatureB64": "<Base64 signature over the artifact diges>",
"publicKeyPem": "<Raw signing public key (SPKI PEM). Suppl>",
"certificatePem": "<Fulcio signing certificate (PEM) — enabl>",
"oidcIssuer": "<OIDC issuer extracted from the cert's cu>",
"certificateUrl": "https://example.com",
"logEntryB64": "<Canonicalized Rekor log entry (base64) t>",
"inclusionProof": {
"logIndex": 0,
"treeSize": 0,
"rootHash": "string",
"hashes": [
"string"
]
},
"setB64": "<Signed Entry Timestamp (base64) — log-ke>",
"logPublicKeyPem": "<Rekor log public key (PEM) that signs SE>",
"logPublicKeyUrl": "https://example.com",
"identityPolicy": {
"san": "string",
"sanRegex": "string",
"oidcIssuer": "string"
},
"trustedLogRootHex": "<Trusted Rekor tree root (hex) to pin the>",
"requireTransparencyLog": false
},
});
console.log(response);Python
from evalguard import EvalGuard
import os
client = EvalGuard(api_key=os.environ["EVALGUARD_API_KEY"])
response = client.request(
method="POST",
path="/api/v1/security/sigstore-verify",
body={
"orgId": "00000000-0000-0000-0000-000000000000",
"artifactDigestHex": "<SHA-256 digest (64 hex chars) of the sig>",
"signatureB64": "<Base64 signature over the artifact diges>",
"publicKeyPem": "<Raw signing public key (SPKI PEM). Suppl>",
"certificatePem": "<Fulcio signing certificate (PEM) — enabl>",
"oidcIssuer": "<OIDC issuer extracted from the cert's cu>",
"certificateUrl": "https://example.com",
"logEntryB64": "<Canonicalized Rekor log entry (base64) t>",
"inclusionProof": {
"logIndex": 0,
"treeSize": 0,
"rootHash": "string",
"hashes": [
"string"
]
},
"setB64": "<Signed Entry Timestamp (base64) — log-ke>",
"logPublicKeyPem": "<Rekor log public key (PEM) that signs SE>",
"logPublicKeyUrl": "https://example.com",
"identityPolicy": {
"san": "string",
"sanRegex": "string",
"oidcIssuer": "string"
},
"trustedLogRootHex": "<Trusted Rekor tree root (hex) to pin the>",
"requireTransparencyLog": False
},
)
print(response)Go
package main
import (
"context"
"fmt"
"net/http"
"os"
"strings"
)
func main() {
body := strings.NewReader(`{"orgId":"00000000-0000-0000-0000-000000000000","artifactDigestHex":"<SHA-256 digest (64 hex chars) of the sig>","signatureB64":"<Base64 signature over the artifact diges>","publicKeyPem":"<Raw signing public key (SPKI PEM). Suppl>","certificatePem":"<Fulcio signing certificate (PEM) — enabl>","oidcIssuer":"<OIDC issuer extracted from the cert's cu>","certificateUrl":"https://example.com","logEntryB64":"<Canonicalized Rekor log entry (base64) t>","inclusionProof":{"logIndex":0,"treeSize":0,"rootHash":"string","hashes":["string"]},"setB64":"<Signed Entry Timestamp (base64) — log-ke>","logPublicKeyPem":"<Rekor log public key (PEM) that signs SE>","logPublicKeyUrl":"https://example.com","identityPolicy":{"san":"string","sanRegex":"string","oidcIssuer":"string"},"trustedLogRootHex":"<Trusted Rekor tree root (hex) to pin the>","requireTransparencyLog":false}`)
req, _ := http.NewRequestWithContext(context.Background(), "POST", "https://evalguard.ai/api/v1/security/sigstore-verify", body)
req.Header.Set("Authorization", "Bearer "+os.Getenv("EVALGUARD_API_KEY"))
req.Header.Set("Content-Type", "application/json")
resp, err := http.DefaultClient.Do(req)
if err != nil { panic(err) }
defer resp.Body.Close()
fmt.Println(resp.Status)
}Errors
400401403429