Collection of tools producing signed artifacts

Project description

Set of scripts used for signing artifacts via configured signers

Requirements

  • Python 3.7+

Features

  • pubtools-sign

  • pubtools-sign-clearsign

  • pubtools-sign-containersign

Setup

$ pip install -r requirements.txt
$ pip install .
or
$ python setup.py install

Usage

$ pubtools-sign --help
$ pubtools-sign-clearsign --help
$ pubtools-sign-containersign --help

Configuration

Configuration is done via a YAML file. The default location is ~/.config/.pubtools-sign/conf.yaml or /etc/pubtools-sign/conf.yaml. You can also specify a custom location via the --config argument. The configuration file is divided into sections, and each section is a signer. Each signer has a set of attributes that are used to configure it. conf.yaml has the following structure:

msg_signer:
  messaging_brokers:
    - <protocol>://<host>:<port> for messaging broker
  messaging_cert_key: <path to messaging client key + certificate in PEM format>
  messaging_ca_cert: <path to CA certificate bundle>
  topic_send_to: topic://<topic> - topic where to send signing requests
  topic_listen_to: queue://<queue> - queue where to listen for answers from signing server. Supported templating variables: {creator - UID from client cert}, {task_id}
  environment: <env> - environment attribute which is included in signing request
  service: <service> - service attribute which is included in signing request
  timeout: <int> - timeout for signing request
  retries: <int> - number of retries for receiving signing responses from messaging brokers
  send_retries: <int> - number of retries for whole send + receive cycle
  message_id_key: <id> - attribute in message response used as unique identifier for signing request
  log_level: <level> - log level for pubtools-sign
cosign_signer:
  rekor_url: <rekor-url>
  upload_tlog: <true|false>
  registry_user: <user> - used to login to registry where images will be signed
  registry_password: <password>
  env_variables:
    <key>: <val> - mapping of environment variables used in signing process. This can be used for example for AWS setup
  key_aliases:
    <alias>: <key> - mapping of key aliases to actual keys. When passing alias as signing key, <key> is used instead. This
                     way you can define for example "prod-key" alias and have different real keys for different signers
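
Because conf.yaml carries registry_password, env_variables and the path to the messaging client key, the file and that key deserve a permission check before the signers are run. The following is an added example, not code from pubtools-sign: audit_sign_conf is a hypothetical helper, it assumes the YAML has already been parsed into a mapping (for instance with yaml.safe_load), and the checks are this example's own policy.

```python
import os
import stat
import tempfile


def _loose(path):
    """True if group or other have any permission bit set on path."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO))


def audit_sign_conf(conf, conf_path):
    """Audit a parsed conf.yaml mapping; return a list of finding strings.

    The checks are this example's own policy, not pubtools-sign behaviour.
    """
    findings = []
    msg = conf.get("msg_signer") or {}
    cosign = conf.get("cosign_signer") or {}

    # registry_password and env_variables (e.g. cloud credentials) sit in
    # clear text, so conf.yaml itself has to be treated as a secret.
    has_secret = cosign.get("registry_password") or cosign.get("env_variables")
    if has_secret and _loose(conf_path):
        findings.append("conf.yaml holds credentials but is accessible to group/other")

    # messaging_cert_key is a PEM file that contains the client private key.
    key_path = msg.get("messaging_cert_key")
    if key_path:
        key_path = os.path.expanduser(key_path)
        if not os.path.isfile(key_path):
            findings.append("messaging_cert_key: file not found")
        elif _loose(key_path):
            findings.append("messaging_cert_key: accessible to group/other")

    # Without upload_tlog the signature is not recorded in the Rekor log.
    if cosign and cosign.get("upload_tlog") is not True:
        findings.append("cosign_signer: upload_tlog is not true")
    return findings


if __name__ == "__main__":
    # Constructed sample: a world-readable conf.yaml with a password in it.
    with tempfile.NamedTemporaryFile(suffix=".yaml") as fh:
        os.chmod(fh.name, 0o644)
        sample = {"cosign_signer": {"registry_password": "constructed", "upload_tlog": False}}
        for finding in audit_sign_conf(sample, fh.name):
            print(finding)
```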

Download files

Source Distribution

pubtools_sign-0.0.10.tar.gz (45.4 kB)

Uploaded Source

Built Distribution

pubtools_sign-0.0.10-py3-none-any.whl (32.3 kB)

Uploaded Python 3

File details

Details for the file pubtools_sign-0.0.10.tar.gz.

File metadata

  • Download URL: pubtools_sign-0.0.10.tar.gz
  • Upload date:
  • Size: 45.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.12.7

File hashes

Hashes for pubtools_sign-0.0.10.tar.gz
Algorithm Hash digest
SHA256 ad073b60fece451f472707b939b36ac8135c8a38bc948335aa4bbfe7c5046708
MD5 c9f282ad8d51e45b86ec90b89285e3ff
BLAKE2b-256 2e32d7c5bb48089e4db8944feb4d881604c9696710b7a0ff2f36388c33ac0052

File details

Details for the file pubtools_sign-0.0.10-py3-none-any.whl.

File hashes

Hashes for pubtools_sign-0.0.10-py3-none-any.whl
Algorithm Hash digest
SHA256 057fcd65b07e11d7247bc3436b7775051f4fd25632d64b7f45793d0a80bca7d0
MD5 a6a106bbf3fe2844c8c11a88f6f133ff
BLAKE2b-256 a3cf3bb2862334a3a61f31868c6c9ed790c5c3dd20bd42b8170aafdf657daf00
