A tool for signing Python package distributions
Project description
sigstore-python
⚠️ This project is not ready for general-purpose use! ⚠️
sigstore is a tool for signing and verifying Python package distributions.
Features
- Support for signing Python package distributions using an OpenID Connect identity
- Support for publishing signatures to a Rekor instance
- Support for verifying signatures on Python package distributions
Installation
sigstore requires Python 3.7 or newer, and can be installed directly via pip:
python -m pip install sigstore
Optionally, to install sigstore and all its dependencies with hash-checking mode enabled, run the following:
python -m pip install -r <(curl -s https://raw.githubusercontent.com/sigstore/sigstore-python/main/install/requirements.txt)
This installs the requirements file located here, which is kept up-to-date.
Usage
You can run sigstore as a standalone program, or via python -m:
sigstore --help
python -m sigstore --help
Top-level:
Usage: sigstore [OPTIONS] COMMAND [ARGS]...
Options:
--version Show the version and exit.
--help Show this message and exit.
Commands:
sign
verify
Signing:
Usage: sigstore sign [OPTIONS] FILE [FILE ...]
Options:
--identity-token TOKEN the OIDC identity token to use
--ctfe FILENAME A PEM-encoded public key for the CT log
(conflicts with --staging)
--oidc-client-id ID The custom OpenID Connect client ID to use
--oidc-client-secret SECRET The custom OpenID Connect client secret to
use
--oidc-issuer URL The custom OpenID Connect issuer to use
(conflicts with --staging)
--staging Use the sigstore project's staging
instances, instead of the default production
instances
--oidc-disable-ambient-providers
Disable ambient OIDC detection (e.g. on
GitHub Actions)
--output-signature FILE With a value, write a single signature to
the given file; without a value, write each
signing result to {input}.sig
--output-certificate FILE With a value, write a single signing
certificate to the given file; without a
value, write each signing certificate to
{input}.cert
--fulcio-url URL The Fulcio instance to use (conflicts with
--staging) [default:
https://fulcio.sigstore.dev]
--rekor-url URL The Rekor instance to use (conflicts with
--staging) [default:
https://rekor.sigstore.dev]
--help Show this message and exit.
Verifying:
Usage: sigstore verify [OPTIONS] FILE [FILE ...]
Options:
--cert FILENAME The PEM-encoded certificate to verify against
[required]
--signature FILENAME The signature to verify against [required]
--cert-email TEXT The email address (or other identity string) to
check for in the certificate's Subject Alternative
Name
--cert-oidc-issuer TEXT The OIDC issuer URL to check for in the
certificate's OIDC issuer extension
--staging Use the sigstore project's staging instances,
instead of the default production instances
--rekor-url URL The Rekor instance to use (conflicts with
--staging) [default: https://rekor.sigstore.dev]
--help Show this message and exit.
Ambient credential detection
For environments that support OIDC natively, sigstore supports automatic ambient credential detection:
- GitHub:
- Actions: requires setting the
id-tokenpermission, see https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect. An example is here.
- Actions: requires setting the
- Google Cloud:
- Compute Engine: automatic
- Cloud Build: requires setting
GOOGLE_SERVICE_ACCOUNT_NAMEto an appropriately configured service account name, see https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-direct. An example is here
- GitLab: planned, see https://github.com/sigstore/sigstore-python/issues/31
- CircleCI: planned, see https://github.com/sigstore/sigstore-python/issues/31
Licensing
sigstore is licensed under the Apache 2.0 License.
Contributing
See the contributing docs for details.
Code of Conduct
Everyone interacting with this project is expected to follow the sigstore Code of Conduct.
Security
Should you discover any security issues, please refer to sigstore's security process.
Info
sigstore-python is developed as part of the sigstore project.
We also use a slack channel! Click here for the invite link.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for sigstore-0.5.1rc1-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | ce3e2c71c86ffa9aa1c4f782220c58c04ef78e5b471754746c4b04d04ccb7540 |
|
| MD5 | 0498f437c4a48bddc03a8a5bbd88f605 |
|
| BLAKE2b-256 | a5fb9dae48dc2b3d2f65b016dd03c6787edf9d0c1580b85f471efb8dc1a289f8 |
