This is a tiny Go project, intended to run in the web browser as WASM, that generates keys for signing artifacts with sigstore/cosign. This project consists of code respectfully stolen from the containers/image project, and some glue code for tying it in with WASM and JS.
The WASM built from this project is used in production in the BlueBuild Workshop.
```sh
devbox shell # optional, you can also manually install tinygo
tinygo build -o cosign.wasm -target wasm main.go
```
- Get the supplies, two options:
  - Manually
    - Build the project into WASM using the command above.
    - Get the `wasm_exec.js` file using the following command: `cp "$(tinygo env GOROOT)/misc/wasm/wasm_exec.js" ./`.
  - From GitHub releases
    - Download the `cosign.wasm` and `wasm_exec.js` files from the latest GitHub release.
- Copy these files into the folder for static files in your web development project.
- Add and adapt the following code into your project:
  - Add `<script src="/wasm_exec.js" defer></script>` in the `<head>`
  - In another script, copy the following boilerplate:

    ```js
    const go = new Go();
    // You can prefetch the WASM file, if you want to
    WebAssembly.instantiateStreaming(fetch("/cosign.wasm"), go.importObject).then(
      async (obj) => {
        const wasm = obj.instance;
        go.run(wasm);
        // The Go code sets these global variables
        // Make sure to empty them after use to prevent key leakage
        console.log(cosignPublicKey);
        console.log(cosignPrivateKey);
      }
    );
    ```
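One way to follow the boilerplate's advice about emptying the globals, shown as an added example that is not part of this project's code: the keys are read once, the two globals are wiped even if reading fails, and the private key is never logged. The names `KEY_GLOBALS`, `takeCosignKeys` and `generateCosignKeys` are hypothetical; only `cosignPublicKey`, `cosignPrivateKey`, `Go` and `/cosign.wasm` come from the steps above.

```javascript
// Names of the globals set by the Go code, as given in the boilerplate above.
const KEY_GLOBALS = ["cosignPublicKey", "cosignPrivateKey"];

// Hypothetical helper: move the generated keys out of the global scope.
// `scope` defaults to globalThis; a plain object can be passed for testing.
function takeCosignKeys(scope = globalThis) {
  const taken = {};
  try {
    for (const name of KEY_GLOBALS) {
      const value = scope[name];
      if (typeof value !== "string" || value.length === 0) {
        throw new Error(`${name} is not set; has go.run() been called?`);
      }
      taken[name] = value;
    }
    return {
      publicKey: taken.cosignPublicKey,
      privateKey: taken.cosignPrivateKey,
    };
  } finally {
    // Runs on success and on failure, so a half-populated state is wiped too.
    for (const name of KEY_GLOBALS) {
      scope[name] = undefined;             // covers non-deletable properties
      Reflect.deleteProperty(scope, name); // returns false instead of throwing
    }
  }
}

// Hypothetical browser wiring: assumes wasm_exec.js has defined Go and that
// /cosign.wasm is served as in the steps above. Defined here, not invoked.
async function generateCosignKeys(wasmUrl = "/cosign.wasm") {
  const go = new Go();
  const obj = await WebAssembly.instantiateStreaming(
    fetch(wasmUrl),
    go.importObject
  );
  go.run(obj.instance);
  return takeCosignKeys();
}
```

JavaScript strings are immutable, so this only drops the global references; the key material stays in memory until the garbage collector reclaims it, and any copy kept by the caller has the same lifetime.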