Collection of tools producing signed artifacts
Project description
Set of scripts used for signing artifacts via configured signers
Requirements
Python 3.7+
Features
pubtools-sign
pubtools-sign-clearsign
pubtools-sign-containersign
Setup
$ pip install -r requirements.txt $ pip install . or $ python setup.py install
Usage
$ pubtools-sign --help $ pubtools-sign-clearsign --help $ pubtools-sign-containersign --help
Configuration
Configuration is done via a yaml file. The default location is ~/.config/.pubtools-sign/conf.yaml or /etc/pubtools-sign/conf.yaml. You can also specify a custom location via the –config argument. The configuration file is divided into sections, each section is a signer. Each signer has a set of attributes that are used to configure the signer Conf.yaml has following structure::
msg_signer: messaging_brokers: - <protocol://<host>:<port> for messaging broker messaging_cert_key: <path to messaging client key + certificate in PEM format> messaging_ca_cert: <path to CA certificate bundle> topic_send_to: topic://<topic> - topic where to send signing requests topic_listen_to: queue://<queue> - queue where to listen for answers from signing server. Supported templating variables: {creator - UID from client cert}, {task_id} environment: <env> - environment attribute which is included in signing request service: <service> - service attribute which is included in signing request timeout: <int> - timeout for signing request retries: <int> - number of retries for receiving signing responses from messaging brokers send_retries: <int> - number of retries for whole send + receive cycle message_id_key: <id> - attribute in message response used as unique identifier for signing request log_level: <level> - log level for pubtools-sign cosign_signer: rekor_url: <rekor-url> upload_tlog: <true|false> registry_user: <user> - used to login to registry where images will be signed registry_password: <password> env_variables: <key>: <val> - mapping of environment variables used in signing process. This can be used for example for AWS setup key_aliases: <alias>: <key> - mapping of key aliases to actual keys. When passing alias as signing key, <key> is used instead. This way you cna define for example "prod-key" alias and have different real keys for different signers
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
pubtools_sign-0.0.9.tar.gz
(45.1 kB
view hashes)
Built Distribution
Close
Hashes for pubtools_sign-0.0.9-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | b909ebb451580edad9e862457b34505b94217c9cb1e755a687a1371a0fe3ec76 |
|
MD5 | 62c847cbab4f9b8cd183b1dae3a963f1 |
|
BLAKE2b-256 | 7b415a161108f42d55b7d36f63a8c2f424078910904cd298859fc59d2b002e27 |