Skip to main content

A tool for signing Python package distributions

Reason this release was yanked:

Missing submodules

Project description

sigstore-python

CI PyPI version

⚠️ This project is not ready for general-purpose use! ⚠️

sigstore is a tool for signing and verifying Python package distributions.

Features

  • Support for signing Python package distributions using an OpenID Connect identity
  • Support for publishing signatures to a Rekor instance
  • Support for verifying signatures on Python package distributions

Installation

sigstore requires Python 3.7 or newer, and can be installed directly via pip:

python -m pip install sigstore

Usage

You can run sigstore as a standalone program, or via python -m:

sigstore --help
python -m sigstore --help

Top-level:

Usage: sigstore [OPTIONS] COMMAND [ARGS]...

Options:
  --help  Show this message and exit.

Commands:
  sign
  verify

Signing:

Usage: sigstore sign [OPTIONS] FILE [FILE ...]

Options:
  --identity-token TOKEN          the OIDC identity token to use
  --ctfe FILENAME                 A PEM-encoded public key for the CT log
  --oidc-client-id ID             The custom OpenID Connect client ID to use
  --oidc-client-secret SECRET     The custom OpenID Connect client secret to
                                  use
  --oidc-issuer URL               The custom OpenID Connect issuer to use
  --oidc-disable-ambient-providers
                                  Disable ambient OIDC detection (e.g. on
                                  GitHub Actions)
  --help                          Show this message and exit.

Verifying

Usage: sigstore verify [OPTIONS] FILE [FILE ...]

Options:
  --cert FILENAME       [required]
  --signature FILENAME  [required]
  --cert-email TEXT
  --help                Show this message and exit.

Licensing

sigstore is licensed under the Apache 2.0 License.

Contributing

See the contributing docs for details.

Code of Conduct

Everyone interacting with this project is expected to follow the sigstore Code of Conduct.

Security

Should you discover any security issues, please refer to sigstore's security process.

Info

sigstore-python is developed as part of the sigstore project.

We also use a slack channel! Click here for the invite link.

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sigstore-0.4.0.tar.gz (19.9 kB view details)

Uploaded Source

Built Distribution

sigstore-0.4.0-py3-none-any.whl (21.4 kB view details)

Uploaded Python 3

File details

Details for the file sigstore-0.4.0.tar.gz.

File metadata

  • Download URL: sigstore-0.4.0.tar.gz
  • Upload date:
  • Size: 19.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.0 CPython/3.9.12

File hashes

Hashes for sigstore-0.4.0.tar.gz
Algorithm Hash digest
SHA256 abf9712f7427be13db16e86247c8cf2bd10680e4eaa6ac9ead57327c5a7f0a23
MD5 c4323176aa37ce752e7406fea90fb38d
BLAKE2b-256 6ae8df37f5a2a42bd67884ad2b00b8e923a78089ee0f13f6ea2d1b61a79e4be1

See more details on using hashes here.

Provenance

File details

Details for the file sigstore-0.4.0-py3-none-any.whl.

File metadata

  • Download URL: sigstore-0.4.0-py3-none-any.whl
  • Upload date:
  • Size: 21.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.0 CPython/3.9.12

File hashes

Hashes for sigstore-0.4.0-py3-none-any.whl
Algorithm Hash digest
SHA256 9ef28c5d8edb03c4c60e860523854e9cd375dbe173b1ac893301e1460fafab16
MD5 3daa17742889ca992f959f3ac42311c1
BLAKE2b-256 e952b41e65609b6875b442edd40afe6bc9c49d264f7cc75e61d6446c49ba9702

See more details on using hashes here.

Provenance

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page