A tool for signing Python package distributions

Reason this release was yanked:

Incompatible w/ latest Sigstore APIs

Project description

sigstore-python

⚠️ This project is not ready for general-purpose use! ⚠️

sigstore is a tool for signing and verifying Python package distributions.

Features

  • Support for signing Python package distributions using an OpenID Connect identity
  • Support for publishing signatures to a Rekor instance
  • Support for verifying signatures on Python package distributions

Installation

sigstore requires Python 3.7 or newer, and can be installed directly via pip:

python -m pip install sigstore

Usage

You can run sigstore as a standalone program, or via python -m:

sigstore --help
python -m sigstore --help

Top-level:

Usage: sigstore [OPTIONS] COMMAND [ARGS]...

Options:
  --version  Show the version and exit.
  --help     Show this message and exit.

Commands:
  sign
  verify

Signing:

Usage: sigstore sign [OPTIONS] FILE [FILE ...]

Options:
  --identity-token TOKEN          the OIDC identity token to use
  --ctfe FILENAME                 A PEM-encoded public key for the CT log
  --oidc-client-id ID             The custom OpenID Connect client ID to use
  --oidc-client-secret SECRET     The custom OpenID Connect client secret to
                                  use
  --oidc-issuer URL               The custom OpenID Connect issuer to use
  --oidc-disable-ambient-providers
                                  Disable ambient OIDC detection (e.g. on
                                  GitHub Actions)
  --help                          Show this message and exit.

Verifying:

Usage: sigstore verify [OPTIONS] FILE [FILE ...]

Options:
  --cert FILENAME       [required]
  --signature FILENAME  [required]
  --cert-email TEXT
  --help                Show this message and exit.

Licensing

sigstore is licensed under the Apache 2.0 License.

Contributing

See the contributing docs for details.

Code of Conduct

Everyone interacting with this project is expected to follow the sigstore Code of Conduct.

Security

Should you discover any security issues, please refer to sigstore's security process.

Info

sigstore-python is developed as part of the sigstore project.

We also use a slack channel! Click here for the invite link.

Download files

Source Distribution

sigstore-0.4.1.tar.gz (23.3 kB, source)

Built Distribution

sigstore-0.4.1-py3-none-any.whl (35.1 kB, Python 3)

File details

Details for the file sigstore-0.4.1.tar.gz.

File metadata

  • Download URL: sigstore-0.4.1.tar.gz
  • Upload date:
  • Size: 23.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.0 CPython/3.9.12

File hashes

Hashes for sigstore-0.4.1.tar.gz

Algorithm    Hash digest
SHA256       615255db6bc92453e3e033d1afb025c103f82297f4501db00fc7eb15f160841d
MD5          b0f63451488acd4930ef46b23497df6b
BLAKE2b-256  a247f991392af495216b4bee883d272f37fc630ab70bc24e4a225c930edcb373

File details

Details for the file sigstore-0.4.1-py3-none-any.whl.

File metadata

  • Download URL: sigstore-0.4.1-py3-none-any.whl
  • Upload date:
  • Size: 35.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.0 CPython/3.9.12

File hashes

Hashes for sigstore-0.4.1-py3-none-any.whl

Algorithm    Hash digest
SHA256       7469bb605e5c746e31d1b5aa3443a9de45ff14312cbe00ef21415b4c990500d9
MD5          ab9a7030166fae23c802f31ea58369e7
BLAKE2b-256  e4845c3f69c1205292cf6695629f23b9317ffaa18fafda0059d88e0327c48a00
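The digests above are the practical use of this listing for a consumer: check the downloaded sdist or wheel against the published SHA256 before it is installed, or pin those digests in a requirements file so pip's hash-checking mode refuses anything else. The script below is an added example, not part of the sigstore-python project or of PyPI; it copies the two SHA256 digests from this page, defines a `check_sha256` helper, and writes a requirements file usable with `pip install --require-hashes -r`. Only `sha256sum`/`shasum` and `cut` are assumed to be present.

```shell
#!/bin/sh
# Added example (not project code): verify a downloaded sigstore 0.4.1
# distribution against the SHA256 digests published on the PyPI page, and
# emit a hash-pinned requirements file for pip's --require-hashes mode.
set -eu

# SHA256 digests copied verbatim from the page for the sdist and the wheel.
SIGSTORE_SDIST_SHA256=615255db6bc92453e3e033d1afb025c103f82297f4501db00fc7eb15f160841d
SIGSTORE_WHEEL_SHA256=7469bb605e5c746e31d1b5aa3443a9de45ff14312cbe00ef21415b4c990500d9

# sha256_of FILE -> prints the lowercase hex digest of FILE.
# Uses sha256sum (coreutils) when present, otherwise shasum (macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_sha256 FILE EXPECTED -> exit status 0 when the digest matches,
# 1 otherwise (with a message on stderr). Intended to gate an install step.
check_sha256() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK: $1 matches sha256:$2"
        return 0
    fi
    echo "MISMATCH: $1 has sha256:$actual, expected sha256:$2" >&2
    return 1
}

# write_hashed_requirements OUT -> writes a pip requirements file that pins
# sigstore 0.4.1 to exactly the two digests above. With
#   pip install --require-hashes -r OUT
# pip rejects any artifact whose hash is not listed, including a re-uploaded
# or substituted file of the same name.
write_hashed_requirements() {
    cat > "$1" <<EOF
sigstore==0.4.1 \\
    --hash=sha256:$SIGSTORE_SDIST_SHA256 \\
    --hash=sha256:$SIGSTORE_WHEEL_SHA256
EOF
}

# Typical use after downloading the sdist (file name from the page):
#   check_sha256 sigstore-0.4.1.tar.gz "$SIGSTORE_SDIST_SHA256" && \
#       write_hashed_requirements requirements-hashed.txt
```

Note that MD5 is also listed on the page; the example deliberately checks only SHA256, since MD5 collisions are practical and pip's hash-checking mode exists precisely so that the strong digest is enforced rather than the file name.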