Laavat Signing Solution CLI Tool
Project description
Laavat Signing Solution CLI Tool
ℹ️ Example client — This is Laavat's reference signing client. It is provided as-is; you are responsible for evaluating its suitability and security for your own production environment before relying on it. Releases are published with verifiable provenance (see Verifying the download).
The signing-tool package provides the Laavat Signing Solution command-line client.
It supports client registration, product management, image signing, secrets management, and more via the SaaS API.
Installation
Install from PyPI when released:
pip install signing-tool
Verifying the download
Releases on PyPI are published with PEP 740 digital attestations, signed via Sigstore. The attestation provides a publicly verifiable, transparency-logged link proving that a given signing-tool artifact was built and published by Laavat's official GitLab CI pipeline for this project — it lets you detect a tampered or substituted artifact before you run it.
You can see the attestation on the release's PyPI page (under the file's "Provenance" / "Verified details"). To verify a downloaded artifact yourself:
python3 -m pip install pypi-attestations
# Verify a published file directly against PyPI (downloads the file and its
# attestation for you); pass the exact released filename after "pypi:":
python3 -m pypi_attestations verify pypi \
--repository https://gitlab.com/laavat/laavat-product/architecture/dist \
pypi:signing_tool-<version>-py3-none-any.whl
A successful verification confirms the artifact's provenance (who built it, from which repository). What it does not do: it is not a guarantee about the contents of the code (it is provenance, not a security audit of the source).
The
verifycommand above works against production PyPI. (Attestation verification of TestPyPI artifacts is not supported by the currentpypi-attestationsrelease.)
A CycloneDX Software Bill of Materials (SBOM) listing the package's dependencies is produced for each release: it is bundled inside the source distribution (.tar.gz) as sbom.json, and is also published as a per-version build artifact (signing-tool-sbom.json) by the release pipeline.
Quick Start
Display help:
signing-tool --help
Secure token input
Do not pass the token literally (-t "$TOKEN") and do not store it inline in a config file — in both cases the secret is exposed (shell history, process listings such as ps / /proc/<pid>/cmdline, or plaintext on disk). The tool accepts curl-style references that keep the secret out of the command line; in order of preference:
-
-t @/path/to/tokenfile(recommended) — read the token from a file (the tool warns if the file is group/world-readable; usechmod 600):signing-tool -c -t @/run/secrets/jwt -a https://app.laavat.io/<CustomerName>/api/v1 product getall
-
-t @-— read the token from stdin:printf '%s' "$TOKEN" | signing-tool -c -t @- -a https://app.laavat.io/<CustomerName>/api/v1 product getall
In a configuration file, reference the token by file instead of inlining it (an inline token = still works but is deprecated and warns on use):
[service]
url = https://app.laavat.io/<CustomerName>/api/v1
token_file = /run/secrets/jwt
These forms integrate cleanly with CI secret managers, which expose secrets as files or on stdin. TLS verification is on by default; --skipssl disables it and is intended for local development only.
A leading
@is interpreted as a stdin/file reference (the curl convention). OAuth2/JWT tokens never start with@, but if you ever need a literal token that does, escape it as\@token.
Recommended usage
Supply the token without exposing it on the command line (see Secure token input), and keep the rest of the settings in a configuration file referenced with -n.
A configuration file that references the token by file (the token itself is never stored in the config):
# test.ini
[service]
url = https://app.laavat.io/<CustomerName>/api/v1
token_file = /run/secrets/jwt
signing-tool -n test.ini product getall
Or pass everything on the command line, reading the token from stdin:
printf '%s' "$TOKEN" | signing-tool -c -t @- -a https://app.laavat.io/<CustomerName>/api/v1 product getall
TLS verification is on by default.
--skipssldisables it and is for local development only.
Configuration file
The config file has a single [service] section:
| Key | Description |
|---|---|
url |
API address, e.g. https://app.laavat.io/<CustomerName>/api/v1 |
token_file |
Path to a file containing the token (preferred — keeps the secret out of the config) |
token |
The token. token = @/path/to/file reads it from a file; an inline literal token is deprecated and warns on use |
skipssl |
True disables TLS verification (local development only); defaults to False |
You can generate a config file with the config-init helper. Prefer -t @/path/to/tokenfile so it writes a token_file = reference (the secret stays out of the config); -t @- reads the token from stdin; a literal -t <token> is written inline and warns. The file is created owner-only (0600) on POSIX.
config-init -n test.ini -t @/run/secrets/jwt -a https://app.laavat.io/<CustomerName>/api/v1
signing-tool -n test.ini product getall
Quick test
For a quick one-off command without setting up a config file, pipe the token in via stdin (-t @-) so it stays out of your shell history and process listings:
printf '%s' "$TOKEN" | signing-tool -c -t @- -a https://app.laavat.io/<CustomerName>/api/v1 product getall
Note: Some commands (
escrow add,group add) are interactive and prompt for input. They cannot read the token from stdin — do not use-t @-/token = @-with them; supply the token via-t @/path/to/fileor atoken/token_fileentry in a-nconfig file instead.
Requirements
- Python 3.8 or newer
- SigningService — The signing-tool CLI depends on the SigningService API client library. This is automatically installed when you install
signing-toolfrom PyPI
Packaging
This package is configured for PyPI distribution using pyproject.toml and setuptools.
Read the pyproject.toml file for package metadata and published package configuration.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file signing_tool-3.8.0.tar.gz.
File metadata
- Download URL: signing_tool-3.8.0.tar.gz
- Upload date:
- Size: 200.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.2.0 CPython/3.14.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e53944fbf14f797d28c9d577fdf697e27afd1984b0f363c2198a93d9a67f390e
|
|
| MD5 |
3711f3946ac2fabefaa093943f15ee17
|
|
| BLAKE2b-256 |
1003c9bdd9d309e7d60459800ec69f15c446e4a3ad002a4913927c05101d8884
|
Provenance
The following attestation bundles were made for signing_tool-3.8.0.tar.gz:
Publisher:
.gitlab-ci.yml on laavat/laavat-product/architecture/dist
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
signing_tool-3.8.0.tar.gz -
Subject digest:
e53944fbf14f797d28c9d577fdf697e27afd1984b0f363c2198a93d9a67f390e - Sigstore transparency entry: 1938184096
- Sigstore integration time:
-
Permalink:
laavat/laavat-product/architecture/dist@752e8c3ac9a28be8608f48ea76e4bc11d20acc33 -
Branch / Tag:
refs/tags/v3.8.0 - Owner: https://gitlab.com/laavat/laavat-product/architecture
-
Access:
private
-
Token Issuer:
https://gitlab.com -
Runner Environment:
gitlab-hosted -
Publication workflow:
.gitlab-ci.yml@752e8c3ac9a28be8608f48ea76e4bc11d20acc33 -
Trigger Event:
push
-
Statement type:
File details
Details for the file signing_tool-3.8.0-py3-none-any.whl.
File metadata
- Download URL: signing_tool-3.8.0-py3-none-any.whl
- Upload date:
- Size: 658.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.2.0 CPython/3.14.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5fdd2481cc5d7823294aa62a57192d25a425826282717b89352c7775dd009c6a
|
|
| MD5 |
9d5cb17676b0e584e62ca641ac208cde
|
|
| BLAKE2b-256 |
80b450caebf429981034be0e6810bd7c17f5c0e9ec619f007125b7b9514837f0
|
Provenance
The following attestation bundles were made for signing_tool-3.8.0-py3-none-any.whl:
Publisher:
.gitlab-ci.yml on laavat/laavat-product/architecture/dist
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
signing_tool-3.8.0-py3-none-any.whl -
Subject digest:
5fdd2481cc5d7823294aa62a57192d25a425826282717b89352c7775dd009c6a - Sigstore transparency entry: 1938184062
- Sigstore integration time:
-
Permalink:
laavat/laavat-product/architecture/dist@752e8c3ac9a28be8608f48ea76e4bc11d20acc33 -
Branch / Tag:
refs/tags/v3.8.0 - Owner: https://gitlab.com/laavat/laavat-product/architecture
-
Access:
private
-
Token Issuer:
https://gitlab.com -
Runner Environment:
gitlab-hosted -
Publication workflow:
.gitlab-ci.yml@752e8c3ac9a28be8608f48ea76e4bc11d20acc33 -
Trigger Event:
push
-
Statement type: