
A tool for signing Python package distributions

Project description

sigstore-python


⚠️ This project is not ready for general-purpose use! ⚠️

sigstore is a tool for signing and verifying Python package distributions.

Features

  • Support for signing Python package distributions using an OpenID Connect identity
  • Support for publishing signatures to a Rekor instance
  • Support for verifying signatures on Python package distributions

Installation

sigstore requires Python 3.7 or newer, and can be installed directly via pip:

python -m pip install sigstore

Optionally, to install sigstore and all its dependencies with pip's hash-checking mode enabled, run the following:

python -m pip install -r <(curl -s https://raw.githubusercontent.com/sigstore/sigstore-python/main/install/requirements.txt)

This installs from the install/requirements.txt file in the repository, which is kept up to date with pinned versions and hashes. Two caveats: the <( ... ) syntax is bash process substitution and will not work in a plain POSIX sh, and the file is fetched unpinned from the main branch, so hash-checking mode protects the packages the file lists but not the requirements file itself. For a reproducible install, download the file, review it, and reference it by commit rather than by branch before passing it to pip.

Usage

You can run sigstore as a standalone program, or via python -m:

sigstore --help
python -m sigstore --help

Top-level:

Usage: sigstore [OPTIONS] COMMAND [ARGS]...

Options:
  --version  Show the version and exit.
  --help     Show this message and exit.

Commands:
  sign
  verify

Signing:

Usage: sigstore sign [OPTIONS] FILE [FILE ...]

Options:
  --identity-token TOKEN          the OIDC identity token to use
  --ctfe FILENAME                 A PEM-encoded public key for the CT log
                                  (conflicts with --staging)
  --oidc-client-id ID             The custom OpenID Connect client ID to use
  --oidc-client-secret SECRET     The custom OpenID Connect client secret to
                                  use
  --oidc-issuer URL               The custom OpenID Connect issuer to use
                                  (conflicts with --staging)
  --staging                       Use the sigstore project's staging
                                  instances, instead of the default production
                                  instances
  --oidc-disable-ambient-providers
                                  Disable ambient OIDC detection (e.g. on
                                  GitHub Actions)
  --output-signature FILE         With a value, write a single signature to
                                  the given file; without a value, write each
                                  signing result to {input}.sig
  --output-certificate FILE       With a value, write a single signing
                                  certificate to the given file; without a
                                  value, write each signing certificate to
                                  {input}.cert
  --fulcio-url URL                The Fulcio instance to use (conflicts with
                                  --staging)  [default:
                                  https://fulcio.sigstore.dev]
  --rekor-url URL                 The Rekor instance to use (conflicts with
                                  --staging)  [default:
                                  https://rekor.sigstore.dev]
  --help                          Show this message and exit.

Verifying:

Usage: sigstore verify [OPTIONS] FILE [FILE ...]

Options:
  --cert FILENAME          The PEM-encoded certificate to verify against
                           [required]
  --signature FILENAME     The signature to verify against  [required]
  --cert-email TEXT        The email address (or other identity string) to
                           check for in the certificate's Subject Alternative
                           Name
  --cert-oidc-issuer TEXT  The OIDC issuer URL to check for in the
                           certificate's OIDC issuer extension
  --staging                Use the sigstore project's staging instances,
                           instead of the default production instances
  --rekor-url URL          The Rekor instance to use (conflicts with
                           --staging)  [default: https://rekor.sigstore.dev]
  --help                   Show this message and exit.

Pass --cert-email and --cert-oidc-issuer whenever you know who should have signed. A signature and certificate that verify cryptographically only show that some identity obtained a certificate and signed the file; the identity and issuer checks are what bind the signature to the publisher you actually expect.

Ambient credential detection

For environments that support OIDC natively, sigstore supports automatic ambient credential detection:

Licensing

sigstore is licensed under the Apache 2.0 License.

Contributing

See the contributing docs for details.

Code of Conduct

Everyone interacting with this project is expected to follow the sigstore Code of Conduct.

Security

Should you discover any security issues, please refer to sigstore's security process.

Info

sigstore-python is developed as part of the sigstore project.

We also use a Slack channel (an invite link is available from the project).


This version

0.5.1

Download files


Source Distribution

sigstore-0.5.1.tar.gz (31.8 kB)

Uploaded Source

Built Distribution

sigstore-0.5.1-py3-none-any.whl (42.9 kB)

Uploaded Python 3

File details

Details for the file sigstore-0.5.1.tar.gz.

File metadata

  • Download URL: sigstore-0.5.1.tar.gz
  • Size: 31.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.9.13

File hashes

Hashes for sigstore-0.5.1.tar.gz
Algorithm Hash digest
SHA256 a6c39040b5df23f51305178014ac922201607cc0f3cb7f29d5d5ca0a71a5fbc2
MD5 fca020d4ed09ce9e5e7df865f8754129
BLAKE2b-256 a38d7c7918b124dfcd63e624962045ee346c9a85843bc6f7c5c1a2da4cb93c90
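The digests above are what pip's hash-checking mode (used by the install/requirements.txt route in the Installation section) compares a downloaded file against. The following is an added example, not code from sigstore-python, showing that check done by hand with only the standard library: it streams a file (or raw bytes) through the algorithms PyPI lists, refuses to decide on MD5 alone, compares in constant time, and renders the pip --hash line for the sdist. The sigstore 0.5.1 digests embedded in it are the ones published on this page; the sample bytes used in the usage note are constructed.

```python
"""Verify a downloaded distribution against PyPI-published digests and render a
pip hash-checking requirement line. Added example; stdlib only."""
import hashlib
import hmac

# Digests published on this page for sigstore-0.5.1.tar.gz (page data, not invented).
SIGSTORE_0_5_1_SDIST = {
    "sha256": "a6c39040b5df23f51305178014ac922201607cc0f3cb7f29d5d5ca0a71a5fbc2",
    "md5": "fca020d4ed09ce9e5e7df865f8754129",
    "blake2b_256": "a38d7c7918b124dfcd63e624962045ee346c9a85843bc6f7c5c1a2da4cb93c90",
}

# Constructors for the algorithms PyPI lists. MD5 is kept only so the page's
# table can be parsed in full; it never decides a verification on its own.
_HASHERS = {
    "sha256": lambda: hashlib.sha256(),
    "blake2b_256": lambda: hashlib.blake2b(digest_size=32),  # PyPI's "BLAKE2b-256"
    "md5": lambda: hashlib.md5(),
}
STRONG_ALGORITHMS = ("sha256", "blake2b_256")
_CHUNK = 1 << 16


def compute_digests(source, algorithms=tuple(_HASHERS)):
    """Return {algorithm: hexdigest} for `source`, which is either raw bytes or a
    filesystem path. Paths are streamed so a large wheel is never fully in memory."""
    hashers = {name: _HASHERS[name]() for name in algorithms}
    if isinstance(source, (bytes, bytearray)):
        for h in hashers.values():
            h.update(source)
    else:
        with open(source, "rb") as fh:
            for chunk in iter(lambda: fh.read(_CHUNK), b""):
                for h in hashers.values():
                    h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_digests(source, published):
    """True if `source` matches every collision-resistant digest in `published`.

    Raises ValueError rather than returning a result when only MD5 is available,
    and compares in constant time so the outcome does not leak how many leading
    hex characters matched."""
    checked = [a for a in STRONG_ALGORITHMS if a in published]
    if not checked:
        raise ValueError("no collision-resistant digest published; refusing to trust MD5 alone")
    actual = compute_digests(source, checked)
    return all(hmac.compare_digest(actual[a], published[a].lower()) for a in checked)


def requirement_line(name, version, published):
    """Render a requirement for pip's hash-checking mode. pip accepts sha256/sha384/sha512
    in --hash=, so the published sha256 digest is the one pinned."""
    return f"{name}=={version} --hash=sha256:{published['sha256']}"


if __name__ == "__main__":
    # Constructed sample, not a real sdist: shows a match, a tampered file, and the pip line.
    sample = b"constructed sample distribution bytes\n"
    published = compute_digests(sample)
    print(verify_digests(sample, published), verify_digests(sample + b"x", published))
    print(requirement_line("sigstore", "0.5.1", SIGSTORE_0_5_1_SDIST))
```

To check a real download, call verify_digests("sigstore-0.5.1.tar.gz", SIGSTORE_0_5_1_SDIST) and put the requirement_line output in a requirements file installed with pip's --require-hashes; a mismatch on any strong digest is a hard failure, not a warning.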


File details

Details for the file sigstore-0.5.1-py3-none-any.whl.

File metadata

  • Download URL: sigstore-0.5.1-py3-none-any.whl
  • Size: 42.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.9.13

File hashes

Hashes for sigstore-0.5.1-py3-none-any.whl
Algorithm Hash digest
SHA256 48e0d76e6427cc4beda60646e182c0f6d2a389e9017bb67f73bc6c5e041a79ba
MD5 bae13ad63463a5e31b87df98237c2aa5
BLAKE2b-256 a00af339a4735900c15b73aff23a1fcaaf78fb0039ab2d718efaddcf5425617a
