A tool for signing Python package distributions

These details have not been verified by PyPI

Project links

Project description

sigstore-python

⚠️ This project is not ready for general-purpose use! ⚠️

sigstore is a tool for signing and verifying Python package distributions.

Features

Support for signing Python package distributions using an OpenID Connect identity
Support for publishing signatures to a Rekor instance
Support for verifying signatures on Python package distributions

Installation

sigstore requires Python 3.7 or newer, and can be installed directly via pip:

python -m pip install sigstore

Usage

You can run sigstore as a standalone program, or via python -m:

sigstore --help
python -m sigstore --help

Top-level:

Usage: sigstore [OPTIONS] COMMAND [ARGS]...

Options:
  --version  Show the version and exit.
  --help     Show this message and exit.

Commands:
  sign
  verify

Signing:

Usage: sigstore sign [OPTIONS] FILE [FILE ...]

Options:
  --identity-token TOKEN          the OIDC identity token to use
  --ctfe FILENAME                 A PEM-encoded public key for the CT log
                                  (conflicts with --staging)
  --oidc-client-id ID             The custom OpenID Connect client ID to use
  --oidc-client-secret SECRET     The custom OpenID Connect client secret to
                                  use
  --oidc-issuer URL               The custom OpenID Connect issuer to use
                                  (conflicts with --staging)
  --staging                       Use the sigstore project's staging
                                  instances, instead of the default production
                                  instances
  --oidc-disable-ambient-providers
                                  Disable ambient OIDC detection (e.g. on
                                  GitHub Actions)
  --output-signature FILE         With a value, write a single signature to
                                  the given file; without a value, write each
                                  signing result to {input}.sig
  --output-certificate FILE       With a value, write a single signing
                                  certificate to the given file; without a
                                  value, write each signing certificate to
                                  {input}.cert
  --fulcio-url URL                The Fulcio instance to use (conflicts with
                                  --staging)  [default:
                                  https://fulcio.sigstore.dev]
  --rekor-url URL                 The Rekor instance to use (conflicts with
                                  --staging)  [default:
                                  https://rekor.sigstore.dev]
  --help                          Show this message and exit.

Verifying:

Usage: sigstore verify [OPTIONS] FILE [FILE ...]

Options:
  --cert FILENAME       [required]
  --signature FILENAME  [required]
  --cert-email TEXT
  --staging             Use the sigstore project's staging instances, instead
                        of the default production instances
  --rekor-url URL       The Rekor instance to use (conflicts with --staging)
                        [default: https://rekor.sigstore.dev]
  --help                Show this message and exit.

Ambient credential detection

For environments that support OIDC natively, sigstore supports automatic ambient credential detection:

GitHub:
- Actions: requires setting the id-token permission, see https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect. An example is here.
Google Cloud:
- Compute Engine: automatic
- Cloud Build: requires setting GOOGLE_SERVICE_ACCOUNT_NAME to an appropriately configured service account name, see https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-direct. An example is here
GitLab: planned, see https://github.com/sigstore/sigstore-python/issues/31
CircleCI: planned, see https://github.com/sigstore/sigstore-python/issues/31

Licensing

sigstore is licensed under the Apache 2.0 License.

Contributing

See the contributing docs for details.

Code of Conduct

Everyone interacting with this project is expected to follow the sigstore Code of Conduct.

Security

Should you discover any security issues, please refer to sigstore's security process.

Info

sigstore-python is developed as part of the sigstore project.

We also use a slack channel! Click here for the invite link.

Project details

These details have not been verified by PyPI

Project links

Release history Release notifications | RSS feed

3.5.1

Oct 25, 2024

3.5.0

Oct 24, 2024

3.4.0

Oct 10, 2024

3.3.0

Sep 18, 2024

3.2.0

Aug 19, 2024

3.1.0

Jul 31, 2024

3.0.0

May 16, 2024

3.0.0rc2 pre-release

May 7, 2024

3.0.0rc1 pre-release

May 2, 2024

2.1.5

Apr 8, 2024

2.1.3

Mar 19, 2024

2.1.2

Feb 4, 2024

2.1.0

Dec 13, 2023

2.0.1

Oct 17, 2023

2.0.0

Sep 28, 2023

2.0.0rc3 pre-release

Sep 12, 2023

2.0.0rc2 pre-release

Jul 21, 2023

2.0.0rc1 pre-release

Jun 23, 2023

1.1.2

Apr 22, 2023

1.1.2rc1 pre-release

Mar 15, 2023

1.1.1

Mar 6, 2023

1.1.1rc1 pre-release

Mar 6, 2023

1.1.0

Jan 31, 2023

1.0.0

Jan 13, 2023

1.0.0rc1 pre-release

Jan 12, 2023

0.10.0

Jan 9, 2023

0.9.0

Dec 22, 2022

0.8.3

Nov 23, 2022

0.7.0

Nov 4, 2022

0.6.8

Oct 24, 2022

0.6.7

Oct 11, 2022

0.6.6

Oct 5, 2022

0.6.5

Sep 15, 2022

0.6.4

Sep 8, 2022

0.6.3

Aug 1, 2022

0.6.2

Jun 21, 2022

0.6.1

Jun 10, 2022

0.5.1

Jun 6, 2022

0.5.1rc2 pre-release

Jun 4, 2022

0.5.1rc1 pre-release

Jun 4, 2022

This version

0.5.0

Jun 3, 2022

0.4.2 yanked

May 17, 2022