reference-go
v1.0.0Pure-Go SignedReceipts producer and verifier with optional boringcrypto FIPS path. Suitable for sidecars, gateways, and HTTP middleware.
About this artefact
signedreceipts.org/go is the reference Go module. It provides a minimal producer API, a streaming verifier, JCS canonicalisation, and a small x/middleware sub-package that wraps a standard http.Handler and emits a signed receipt per request. The module targets Go 1.22+ and avoids cgo by default so it can be compiled to static binaries for edge deployments.
Operators that need FIPS 140-3 validated cryptography can build with GOEXPERIMENT=boringcrypto; the verifier picks up the boringcrypto crypto/ecdsa path automatically. The module's release tarball is reproducible — GOFLAGS=-trimpath plus a pinned GOTOOLCHAIN ensure the same SHA-256s on every build host.
Manifest
| Path | Size | SHA-256 |
|---|---|---|
go.mod | 0.3 KB | 7bbb2c81a870e23ae3cf161a66eab3311a075e4e143da1913a8b30326b75169c |
receipt.go | 5.4 KB | a72c3711bab252c50181d9f1887d0973bcc8e9945dc61cebb502eee58eb070a4 |
canonical.go | 4.6 KB | 600e603d85e3b4f8f64638c0bd36f9b262a85efa43de3c40c549831956617760 |
verify.go | 8.1 KB | 7c3079abd3b655904f175aa79cbfbdd5e35a9894bd7f0824eece72817844d5b6 |
x/middleware/middleware.go | 3.7 KB | 7946ba4fcf957ae62da0a68f985e8ded1055ee7a7986d68bdab1921100175a4d |
8af4c92d · signed by working-group key wg-2026-03Quick start
go get signedreceipts.org/go@v1.0.0
package main
import (
"context"
sr "signedreceipts.org/go"
)
func main() {
v, _ := sr.NewVerifierFromJWKSURL(context.Background(),
"https://api.cloakapi.io/.well-known/jwks.json")
if err := v.Verify(receiptBytes); err != nil {
panic(err)
}
}
Issues / questions
Bug reports, patches, and security advisories all go to the working-group inbox.
Back to /source/ · related: spec · conformance · implementations