A tool for signing Python package distributions

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for di from gravatar.com di Avatar for trailofbits from gravatar.com trailofbits Avatar for woodruffw from gravatar.com woodruffw

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Apache Software License ( Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR U...)
  • Author: Sigstore Authors
  • Requires: Python >=3.7
Classifiers

Reason this release was yanked:

Missing submodules

Project description

sigstore-python

CI PyPI version

⚠️ This project is not ready for general-purpose use! ⚠️

sigstore is a tool for signing and verifying Python package distributions.

Features

  • Support for signing Python package distributions using an OpenID Connect identity
  • Support for publishing signatures to a Rekor instance
  • Support for verifying signatures on Python package distributions

Installation

sigstore requires Python 3.7 or newer, and can be installed directly via pip:

python -m pip install sigstore

Usage

You can run sigstore as a standalone program, or via python -m:

sigstore --help
python -m sigstore --help

Top-level:

Usage: sigstore [OPTIONS] COMMAND [ARGS]...

Options:
  --help  Show this message and exit.

Commands:
  sign
  verify

Signing:

Usage: sigstore sign [OPTIONS] FILE [FILE ...]

Options:
  --identity-token TOKEN          the OIDC identity token to use
  --ctfe FILENAME                 A PEM-encoded public key for the CT log
  --oidc-client-id ID             The custom OpenID Connect client ID to use
  --oidc-client-secret SECRET     The custom OpenID Connect client secret to
                                  use
  --oidc-issuer URL               The custom OpenID Connect issuer to use
  --oidc-disable-ambient-providers
                                  Disable ambient OIDC detection (e.g. on
                                  GitHub Actions)
  --help                          Show this message and exit.

Verifying

Usage: sigstore verify [OPTIONS] FILE [FILE ...]

Options:
  --cert FILENAME       [required]
  --signature FILENAME  [required]
  --cert-email TEXT
  --help                Show this message and exit.

Licensing

sigstore is licensed under the Apache 2.0 License.

Contributing

See the contributing docs for details.

Code of Conduct

Everyone interacting with this project is expected to follow the sigstore Code of Conduct.

Security

Should you discover any security issues, please refer to sigstore's security process.

Info

sigstore-python is developed as part of the sigstore project.

We also use a slack channel! Click here for the invite link.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for di from gravatar.com di Avatar for trailofbits from gravatar.com trailofbits Avatar for woodruffw from gravatar.com woodruffw

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Apache Software License ( Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR U...)
  • Author: Sigstore Authors
  • Requires: Python >=3.7
Classifiers

Release history Release notifications | RSS feed

3.5.1

3.5.0

3.4.0

3.3.0

3.2.0

3.1.0

3.0.0

3.0.0rc2 pre-release

3.0.0rc1 pre-release

2.1.5

2.1.3

2.1.2

2.1.0

2.0.1

2.0.0

2.0.0rc3 pre-release

2.0.0rc2 pre-release

2.0.0rc1 pre-release

1.1.2

1.1.2rc1 pre-release

1.1.1

1.1.1rc1 pre-release

1.1.0

1.0.0

1.0.0rc1 pre-release

0.10.0

0.9.0

0.8.3

0.7.0

0.6.8

0.6.7

0.6.6

0.6.5

0.6.4

0.6.3

0.6.2

0.6.1

0.5.1

0.5.1rc2 pre-release

0.5.1rc1 pre-release

0.5.0

0.4.2 yanked

Reason this release was yanked:

Incompatible w/ latest Sigstore APIs

0.4.1 yanked

Reason this release was yanked:

Incompatible w/ latest Sigstore APIs
This version

0.4.0 yanked

Reason this release was yanked:

Missing submodules

0.3.1 yanked

Reason this release was yanked:

Incompatible w/ latest Sigstore APIs

0.2.0 yanked

Reason this release was yanked:

Incompatible w/ latest Sigstore APIs

0.1.0 yanked

Reason this release was yanked:

Incompatible w/ latest Sigstore APIs

0.0.1rc3 pre-release yanked

Reason this release was yanked:

Incompatible w/ latest Sigstore APIs

0.0.1rc2 pre-release yanked

Reason this release was yanked:

Incompatible w/ latest Sigstore APIs

0.0.1rc1 pre-release yanked

Reason this release was yanked:

Incompatible w/ latest Sigstore APIs

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sigstore-0.4.0.tar.gz (19.9 kB view hashes)

Uploaded Source

Built Distribution

sigstore-0.4.0-py3-none-any.whl (21.4 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page