A tool for signing Python package distributions
Verified details
These details have been verified by PyPIProject links
Owner
GitHub Statistics
Maintainers
Project description
sigstore-python
sigstore is a Python tool for generating and verifying Sigstore signatures.
You can use it to sign and verify Python package distributions, or anything
else!
Index
- Features
- Installation
- Usage
- Documentation
- Licensing
- Community
- Contributing
- Code of Conduct
- Security
- SLSA Provenance
Features
- Support for keyless signature generation and verification with Sigstore
- Support for signing with "ambient" OpenID Connect identities
- A comprehensive CLI and corresponding importable Python API
Installation
sigstore requires Python 3.9 or newer, and can be installed directly via pip:
python -m pip install sigstore
See the installation page in the documentation for more installation options.
Usage
For Python API usage, see our API.
You can run sigstore as a standalone program:
sigstore --help
Top-level:
usage: sigstore [-h] [-v] [-V]
[--staging | --instance URL | --trust-config FILE]
COMMAND ...
a tool for signing and verifying Python package distributions
positional arguments:
COMMAND the operation to perform
attest sign one or more inputs using DSSE
sign sign one or more inputs
verify verify one or more inputs
get-identity-token
retrieve and return a Sigstore-compatible OpenID
Connect token
trust-instance Initialize trust for a Sigstore instance
plumbing developer-only plumbing operations
optional arguments:
-h, --help show this help message and exit
-v, --verbose run with additional debug logging; supply multiple
times to increase verbosity (default: 0)
-V, --version show program's version number and exit
--staging Use sigstore's staging instance, instead of the default
production instance. Mutually exclusive with other
instance configuration arguments. (default: False)
--instance URL Use a given Sigstore instance URL, instead of the
default production instance. Mutually exclusive with
other instance configuration arguments. (default: None)
--trust-config FILE Use given client trust configuration instead of using
the default production instance. Mutually exclusive
with other instance configuration arguments. (default:
None)
Signing
usage: sigstore sign [-h] [-v] [--rekor-version VERSION]
[--identity-token TOKEN] [--oidc-client-id ID]
[--oidc-client-secret SECRET]
[--oidc-disable-ambient-providers] [--oidc-issuer URL]
[--oauth-force-oob] [--no-default-files]
[--signature FILE] [--certificate FILE] [--bundle FILE]
[--output-directory DIR] [--overwrite]
FILE [FILE ...]
positional arguments:
FILE The file to sign
optional arguments:
-h, --help show this help message and exit
-v, --verbose run with additional debug logging; supply multiple
times to increase verbosity (default: 0)
--rekor-version VERSION
Force the rekor transparency log version. Valid values
are [1, 2]. By default the highest available version
is used
OpenID Connect options:
--identity-token TOKEN
the OIDC identity token to use (default: None)
--oidc-client-id ID The custom OpenID Connect client ID to use during
OAuth2 (default: sigstore)
--oidc-client-secret SECRET
The custom OpenID Connect client secret to use during
OAuth2 (default: None)
--oidc-disable-ambient-providers
Disable ambient OpenID Connect credential detection
(e.g. on GitHub Actions) (default: False)
--oidc-issuer URL The OpenID Connect issuer to use (default: None)
--oauth-force-oob Force an out-of-band OAuth flow and do not
automatically start the default web browser (default:
False)
Output options:
--no-default-files Don't emit the default output files
({input}.sigstore.json) (default: False)
--signature FILE, --output-signature FILE
Write a single signature to the given file; does not
work with multiple input files (default: None)
--certificate FILE, --output-certificate FILE
Write a single certificate to the given file; does not
work with multiple input files (default: None)
--bundle FILE Write a single Sigstore bundle to the given file; does
not work with multiple input files (default: None)
--output-directory DIR
Write default outputs to the given directory
(conflicts with --signature, --certificate, --bundle)
(default: None)
--overwrite Overwrite preexisting signature and certificate
outputs, if present (default: False)
Signing with DSSE envelopes
usage: sigstore attest [-h] [-v] [--rekor-version VERSION] --predicate FILE
--predicate-type TYPE [--identity-token TOKEN]
[--oidc-client-id ID] [--oidc-client-secret SECRET]
[--oidc-disable-ambient-providers] [--oidc-issuer URL]
[--oauth-force-oob] [--bundle FILE] [--overwrite]
FILE [FILE ...]
positional arguments:
FILE The file to sign
optional arguments:
-h, --help show this help message and exit
-v, --verbose run with additional debug logging; supply multiple
times to increase verbosity (default: 0)
--rekor-version VERSION
Force the rekor transparency log version. Valid values
are [1, 2]. By default the highest available version
is used
DSSE options:
--predicate FILE Path to the predicate file (default: None)
--predicate-type TYPE
Specify a predicate type
(https://slsa.dev/provenance/v0.2,
https://slsa.dev/provenance/v1) (default: None)
OpenID Connect options:
--identity-token TOKEN
the OIDC identity token to use (default: None)
--oidc-client-id ID The custom OpenID Connect client ID to use during
OAuth2 (default: sigstore)
--oidc-client-secret SECRET
The custom OpenID Connect client secret to use during
OAuth2 (default: None)
--oidc-disable-ambient-providers
Disable ambient OpenID Connect credential detection
(e.g. on GitHub Actions) (default: False)
--oidc-issuer URL The OpenID Connect issuer to use (default: None)
--oauth-force-oob Force an out-of-band OAuth flow and do not
automatically start the default web browser (default:
False)
Output options:
--bundle FILE Write a single Sigstore bundle to the given file; does
not work with multiple input files (default: None)
--overwrite Overwrite preexisting bundle outputs, if present
(default: False)
Verifying
Identities
usage: sigstore verify identity [-h] [-v] [--certificate FILE]
[--signature FILE] [--bundle FILE] [--offline]
--cert-identity IDENTITY --cert-oidc-issuer
URL
FILE_OR_DIGEST [FILE_OR_DIGEST ...]
optional arguments:
-h, --help show this help message and exit
-v, --verbose run with additional debug logging; supply multiple
times to increase verbosity (default: 0)
Verification inputs:
--certificate FILE, --cert FILE
The PEM-encoded certificate to verify against; not
used with multiple inputs (default: None)
--signature FILE The signature to verify against; not used with
multiple inputs (default: None)
--bundle FILE The Sigstore bundle to verify with; not used with
multiple inputs (default: None)
FILE_OR_DIGEST The file path or the digest to verify. The digest
should start with the 'sha256:' prefix.
Verification options:
--offline Perform offline verification; requires a Sigstore
bundle (default: False)
--cert-identity IDENTITY
The identity to check for in the certificate's Subject
Alternative Name (default: None)
--cert-oidc-issuer URL
The OIDC issuer URL to check for in the certificate's
OIDC issuer extension (default: None)
Signatures from GitHub Actions
usage: sigstore verify github [-h] [-v] [--certificate FILE]
[--signature FILE] [--bundle FILE] [--offline]
[--cert-identity IDENTITY] [--trigger EVENT]
[--sha SHA] [--name NAME] [--repository REPO]
[--ref REF]
FILE_OR_DIGEST [FILE_OR_DIGEST ...]
optional arguments:
-h, --help show this help message and exit
-v, --verbose run with additional debug logging; supply multiple
times to increase verbosity (default: 0)
Verification inputs:
--certificate FILE, --cert FILE
The PEM-encoded certificate to verify against; not
used with multiple inputs (default: None)
--signature FILE The signature to verify against; not used with
multiple inputs (default: None)
--bundle FILE The Sigstore bundle to verify with; not used with
multiple inputs (default: None)
FILE_OR_DIGEST The file path or the digest to verify. The digest
should start with the 'sha256:' prefix.
Verification options:
--offline Perform offline verification; requires a Sigstore
bundle (default: False)
--cert-identity IDENTITY
The identity to check for in the certificate's Subject
Alternative Name (default: None)
--trigger EVENT The GitHub Actions event name that triggered the
workflow (default: None)
--sha SHA The `git` commit SHA that the workflow run was invoked
with (default: None)
--name NAME The name of the workflow that was triggered (default:
None)
--repository REPO The repository slug that the workflow was triggered
under (default: None)
--ref REF The `git` ref that the workflow was invoked with
(default: None)
Documentation
sigstore documentation is available on https://sigstore.github.io/sigstore-python
Licensing
sigstore is licensed under the Apache 2.0 License.
Community
sigstore-python is developed as part of the Sigstore project.
We also use a Slack channel! Click here for the invite link.
Contributing
See the contributing docs for details.
Code of Conduct
Everyone interacting with this project is expected to follow the sigstore Code of Conduct.
Security
Should you discover any security issues, please refer to sigstore's security process.
Project details
Verified details
These details have been verified by PyPIProject links
Owner
GitHub Statistics
Maintainers
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
sigstore-4.1.0.tar.gz
(87.9 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
sigstore-4.1.0-py3-none-any.whl
(109.0 kB
view details)
File details
Details for the file sigstore-4.1.0.tar.gz.
File metadata
- Download URL: sigstore-4.1.0.tar.gz
- Upload date:
- Size: 87.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
312f7f73fe27127784245f523b86b6334978c555fe4ba7831be5602c089807c1
|
|
| MD5 |
d4653ca738053be3d29fd3025a3ebe78
|
|
| BLAKE2b-256 |
641e8c115a155b67254b52780730bc86edf90d108d172377e526ce91e42ba9de
|
Provenance
The following attestation bundles were made for sigstore-4.1.0.tar.gz:
Publisher:
release.yml on sigstore/sigstore-python
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
sigstore-4.1.0.tar.gz -
Subject digest:
312f7f73fe27127784245f523b86b6334978c555fe4ba7831be5602c089807c1 - Sigstore transparency entry: 600964968
- Sigstore integration time:
-
Permalink:
sigstore/sigstore-python@3447f9603cfa0e9fe9d9c83d5bd5fb0bfe08a598 -
Branch / Tag:
refs/tags/v4.1.0 - Owner: https://github.com/sigstore
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@3447f9603cfa0e9fe9d9c83d5bd5fb0bfe08a598 -
Trigger Event:
release
-
Statement type:
File details
Details for the file sigstore-4.1.0-py3-none-any.whl.
File metadata
- Download URL: sigstore-4.1.0-py3-none-any.whl
- Upload date:
- Size: 109.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ec3ed0d92bf53ffb23261245a78d4ad3da5af5cc9af889c86461a7d02407249a
|
|
| MD5 |
cf66888fb0919cc609c8ab7a0fe6ba5d
|
|
| BLAKE2b-256 |
d902126842beb9ce3d66f86203cdf94d99805df040cf693501a36bd6d0319cdf
|
Provenance
The following attestation bundles were made for sigstore-4.1.0-py3-none-any.whl:
Publisher:
release.yml on sigstore/sigstore-python
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
sigstore-4.1.0-py3-none-any.whl -
Subject digest:
ec3ed0d92bf53ffb23261245a78d4ad3da5af5cc9af889c86461a7d02407249a - Sigstore transparency entry: 600964969
- Sigstore integration time:
-
Permalink:
sigstore/sigstore-python@3447f9603cfa0e9fe9d9c83d5bd5fb0bfe08a598 -
Branch / Tag:
refs/tags/v4.1.0 - Owner: https://github.com/sigstore
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@3447f9603cfa0e9fe9d9c83d5bd5fb0bfe08a598 -
Trigger Event:
release
-
Statement type:
