@@ -40,6 +40,76 @@ make test
4040make build-cli
4141```
4242
43+ ## Library Usage
44+
45+ Import the module root directly:
46+
47+ ``` go
48+ import securesbomverifier " github.com/shiftleftcyber/securesbom-verifier"
49+ ```
50+
51+ For CycloneDX embedded signatures:
52+
53+ ``` go
54+ verifier := securesbomverifier.NewVerifier ()
55+
56+ result , err := verifier.VerifyCycloneDXEmbeddedVersioned (
57+ signedSBOM,
58+ string (publicKeyPEM),
59+ securesbomverifier.VerificationV2 ,
60+ )
61+ ```
62+
63+ For SPDX detached signatures:
64+
65+ ``` go
66+ verifier := securesbomverifier.NewVerifier ()
67+
68+ result , err := verifier.VerifySPDXDetachedVersioned (
69+ spdxSBOM,
70+ signatureB64,
71+ string (publicKeyPEM),
72+ securesbomverifier.VerificationV2 ,
73+ )
74+ if err != nil {
75+ if errors.Is (err, securesbomverifier.ErrSignatureFail ) {
76+ // Signature did not verify.
77+ }
78+ }
79+ ```
80+
81+ For digest verification, the current library API is exposed through the lower-level
82+ ` services/digest ` package rather than the root wrapper:
83+
84+ ``` go
85+ import (
86+ digestsigning " github.com/shiftleftcyber/securesbom-verifier/services/digest"
87+ " github.com/shiftleftcyber/securesbom-verifier/verificationkey"
88+ )
89+
90+ validated , err := digestsigning.NewValidator ().ValidateVerifyDigestRequest (
91+ digestsigning.VerifyDigestInput {
92+ KeyID : " offline" ,
93+ HashAlgorithm : " sha256" ,
94+ Digest : digestB64,
95+ Signature : signatureB64,
96+ },
97+ )
98+ if err != nil {
99+ return err
100+ }
101+
102+ err = digestsigning.NewCryptoVerifier ().Verify (
103+ &verificationkey.KeyInfo {
104+ KeyID : " offline" ,
105+ Algorithm : " ES256" ,
106+ PublicKey : string (publicKeyPEM),
107+ },
108+ validated.Digest ,
109+ validated.Signature ,
110+ )
111+ ```
112+
43113## Build Note
44114
45115This project currently relies on ` GOEXPERIMENT=jsonv2 ` , matching the behavior
@@ -110,8 +180,10 @@ CLI archives and a checksum file to the GitHub release.
110180## Examples
111181
112182See [ examples/library/main.go] ( examples/library/main.go ) for a minimal embedding
113- example from another Go service, and [ MIGRATION.md] ( MIGRATION.md ) for a suggested
114- next-step extraction plan from ` sbom-signing-api ` .
183+ example for CycloneDX verification, [ examples/spdx-detached/main.go] ( examples/spdx-detached/main.go )
184+ for SPDX detached verification, [ examples/digest/main.go] ( examples/digest/main.go )
185+ for digest verification, and [ MIGRATION.md] ( MIGRATION.md ) for a suggested next-step
186+ extraction plan from ` sbom-signing-api ` .
115187
116- The example program expects you to provide a signed SBOM path and a public key
117- path at runtime.
188+ The example programs expect you to provide signed content, signatures, and/or a
189+ public key path at runtime depending on the verification mode .
0 commit comments