A streamlined attestation framework for generating, signing, and uploading in-toto attestations as part of a software supply chain.
STAMP collects evidence from your build (git state, file hashes, command output, CI context, EC2 metadata, JWT/OIDC tokens, SBOMs, Go build provenance), packages it as a signed in-toto statement, and optionally uploads it to a Rekor transparency log so downstream consumers can verify what was built, where, and how.
- Multiple attestor types out of the box: git, file, command, github-workflow, go-builder (SLSA v1 provenance), ec2, jwt, sbom.
- Pluggable signing — local key files or keyless via Sigstore Fulcio, with OIDC tokens sourced from GitHub Actions, SPIRE, or a token file.
- Workflows — declare reusable attestation pipelines in YAML and run them by name, by tag, or by glob pattern.
- Collection envelopes bundle multiple attestations into a single signed statement with aggregated subjects.
- Rekor integration for upload, fetch, and verify against a transparency log.
- Use it as a CLI or a Go library — the
pkg/operationsAPI is a stable surface for embedding attestation generation inside other tools.
Download the appropriate binary for your platform from the releases page.
git clone https://github.com/thomsonreuters/stamp.git
cd stamp
go build -o stamp ./cmdThe build produces a single binary named stamp. Move it onto your
PATH.
Generate a signed attestation of the current git repository state using a local key:
# 1. Generate a signing key (one-time setup)
stamp generate-key --type ecdsa --output ./signing
# 2. Produce a signed git attestation, persisted to disk
stamp run \
--attestor git \
--signer key \
--private-key ./signing.key \
--persist \
--template './attestations/${attestor}-${timestamp}.json'The result is a signed in-toto DSSE envelope on stdout and on disk, containing the commit hash, repository state, and a SHA256-rooted subject.
To upload to a transparency log:
stamp run \
--attestor git \
--signer fulcio --github \
--rekor --rekor-upload individualVerify any attestation:
stamp verify ./attestations/git-*.json --rekorFor a full walkthrough, start with the first-attestation tutorial.
Documentation follows the Diataxis framework. Pick the quadrant that matches what you're trying to do:
| You want to ... | Read ... |
|---|---|
| Learn the tool by following a worked example | Tutorials |
| Solve a specific problem (sign with X, upload to Y) | How-to guides |
| Look up a flag, config key, attestor, or API | Reference |
| Understand how the framework is put together | Explanation |
The top-level docs landing page has the full index.
STAMP is developed by Thomson Reuters and licensed under Apache 2.0.
- Source: this repository
- Issues / bug reports: open an issue on the repository
- Coding conventions and contributor guide:
docs/how-to/contributing/
Contributions are welcome. See CONTRIBUTING.md for how to set up your environment, the expected workflow, and the checks to run before opening a pull request.
To report a security vulnerability, follow the process in SECURITY.md. Please do not open public issues for security problems.
Apache License 2.0. See LICENSE and the copyright headers in individual source files.