A Sigstore client written in Python
sigstore/sigstore-python
`sigstore` is a Python tool for generating and verifying Sigstore signatures. You can use it to sign and verify Python package distributions, or anything else!
- Features
- Installation
- Usage
- Documentation
- Licensing
- Community
- Contributing
- Code of Conduct
- Security
- SLSA Provenance
- Support for keyless signature generation and verification with Sigstore
- Support for signing with "ambient" OpenID Connect identities
- A comprehensive CLI and corresponding importable Python API
`sigstore` requires Python 3.9 or newer, and can be installed directly via `pip`:

```
python -m pip install sigstore
```
See the installation page in the documentation for more installation options.
For Python API usage, see our API.
You can run `sigstore` as a standalone program:

```
sigstore --help
```
Top-level:

```
usage: sigstore [-h] [-v] [-V] [--staging | --trust-config FILE] COMMAND ...

a tool for signing and verifying Python package distributions

positional arguments:
  COMMAND               the operation to perform
    attest              sign one or more inputs using DSSE
    sign                sign one or more inputs
    verify              verify one or more inputs
    get-identity-token  retrieve and return a Sigstore-compatible OpenID Connect token
    plumbing            developer-only plumbing operations

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         run with additional debug logging; supply multiple times to increase verbosity (default: 0)
  -V, --version         show program's version number and exit
  --staging             Use sigstore's staging instances, instead of the default production instances (default: False)
  --trust-config FILE   The client trust configuration to use (default: None)
```

```
usage: sigstore sign [-h] [-v] [--identity-token TOKEN] [--oidc-client-id ID] [--oidc-client-secret SECRET] [--oidc-disable-ambient-providers] [--oidc-issuer URL] [--oauth-force-oob] [--no-default-files] [--signature FILE] [--certificate FILE] [--bundle FILE] [--output-directory DIR] [--overwrite] FILE [FILE ...]

positional arguments:
  FILE                  The file to sign

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         run with additional debug logging; supply multiple times to increase verbosity (default: 0)

OpenID Connect options:
  --identity-token TOKEN
                        the OIDC identity token to use (default: None)
  --oidc-client-id ID   The custom OpenID Connect client ID to use during OAuth2 (default: sigstore)
  --oidc-client-secret SECRET
                        The custom OpenID Connect client secret to use during OAuth2 (default: None)
  --oidc-disable-ambient-providers
                        Disable ambient OpenID Connect credential detection (e.g. on GitHub Actions) (default: False)
  --oidc-issuer URL     The OpenID Connect issuer to use (default: None)
  --oauth-force-oob     Force an out-of-band OAuth flow and do not automatically start the default web browser (default: False)

Output options:
  --no-default-files    Don't emit the default output files ({input}.sigstore.json) (default: False)
  --signature FILE, --output-signature FILE
                        Write a single signature to the given file; does not work with multiple input files (default: None)
  --certificate FILE, --output-certificate FILE
                        Write a single certificate to the given file; does not work with multiple input files (default: None)
  --bundle FILE         Write a single Sigstore bundle to the given file; does not work with multiple input files (default: None)
  --output-directory DIR
                        Write default outputs to the given directory (conflicts with --signature, --certificate, --bundle) (default: None)
  --overwrite           Overwrite preexisting signature and certificate outputs, if present (default: False)
```

```
usage: sigstore attest [-h] [-v] --predicate FILE --predicate-type TYPE [--identity-token TOKEN] [--oidc-client-id ID] [--oidc-client-secret SECRET] [--oidc-disable-ambient-providers] [--oidc-issuer URL] [--oauth-force-oob] [--bundle FILE] [--overwrite] FILE [FILE ...]

positional arguments:
  FILE                  The file to sign

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         run with additional debug logging; supply multiple times to increase verbosity (default: 0)

DSSE options:
  --predicate FILE      Path to the predicate file (default: None)
  --predicate-type TYPE
                        Specify a predicate type (https://slsa.dev/provenance/v0.2, https://slsa.dev/provenance/v1) (default: None)

OpenID Connect options:
  --identity-token TOKEN
                        the OIDC identity token to use (default: None)
  --oidc-client-id ID   The custom OpenID Connect client ID to use during OAuth2 (default: sigstore)
  --oidc-client-secret SECRET
                        The custom OpenID Connect client secret to use during OAuth2 (default: None)
  --oidc-disable-ambient-providers
                        Disable ambient OpenID Connect credential detection (e.g. on GitHub Actions) (default: False)
  --oidc-issuer URL     The OpenID Connect issuer to use (default: None)
  --oauth-force-oob     Force an out-of-band OAuth flow and do not automatically start the default web browser (default: False)

Output options:
  --bundle FILE         Write a single Sigstore bundle to the given file; does not work with multiple input files (default: None)
  --overwrite           Overwrite preexisting bundle outputs, if present (default: False)
```

```
usage: sigstore verify identity [-h] [-v] [--certificate FILE] [--signature FILE] [--bundle FILE] [--offline] --cert-identity IDENTITY --cert-oidc-issuer URL FILE_OR_DIGEST [FILE_OR_DIGEST ...]

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         run with additional debug logging; supply multiple times to increase verbosity (default: 0)

Verification inputs:
  --certificate FILE, --cert FILE
                        The PEM-encoded certificate to verify against; not used with multiple inputs (default: None)
  --signature FILE      The signature to verify against; not used with multiple inputs (default: None)
  --bundle FILE         The Sigstore bundle to verify with; not used with multiple inputs (default: None)
  FILE_OR_DIGEST        The file path or the digest to verify. The digest should start with the 'sha256:' prefix.

Verification options:
  --offline             Perform offline verification; requires a Sigstore bundle (default: False)
  --cert-identity IDENTITY
                        The identity to check for in the certificate's Subject Alternative Name (default: None)
  --cert-oidc-issuer URL
                        The OIDC issuer URL to check for in the certificate's OIDC issuer extension (default: None)
```

```
usage: sigstore verify github [-h] [-v] [--certificate FILE] [--signature FILE] [--bundle FILE] [--offline] [--cert-identity IDENTITY] [--trigger EVENT] [--sha SHA] [--name NAME] [--repository REPO] [--ref REF] FILE_OR_DIGEST [FILE_OR_DIGEST ...]

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         run with additional debug logging; supply multiple times to increase verbosity (default: 0)

Verification inputs:
  --certificate FILE, --cert FILE
                        The PEM-encoded certificate to verify against; not used with multiple inputs (default: None)
  --signature FILE      The signature to verify against; not used with multiple inputs (default: None)
  --bundle FILE         The Sigstore bundle to verify with; not used with multiple inputs (default: None)
  FILE_OR_DIGEST        The file path or the digest to verify. The digest should start with the 'sha256:' prefix.

Verification options:
  --offline             Perform offline verification; requires a Sigstore bundle (default: False)
  --cert-identity IDENTITY
                        The identity to check for in the certificate's Subject Alternative Name (default: None)
  --trigger EVENT       The GitHub Actions event name that triggered the workflow (default: None)
  --sha SHA             The `git` commit SHA that the workflow run was invoked with (default: None)
  --name NAME           The name of the workflow that was triggered (default: None)
  --repository REPO     The repository slug that the workflow was triggered under (default: None)
  --ref REF             The `git` ref that the workflow was invoked with (default: None)
```
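As an added example (not code from the sigstore-python project), a small stdlib-only wrapper that drives `sigstore verify identity` in offline mode over several artifacts: it locates each artifact's default `{input}.sigstore.json` bundle, optionally verifies by `sha256:` digest instead of file path, and refuses to run unless both `--cert-identity` and `--cert-oidc-issuer` are pinned. The GitHub Actions issuer URL and the signer identity are assumed values for illustration.

```python
"""Added example, not part of sigstore-python: batch offline verification."""
import hashlib
import subprocess
from pathlib import Path

# Assumed for illustration: the OIDC issuer that vouches for GitHub Actions identities.
GITHUB_ACTIONS_ISSUER = "https://token.actions.githubusercontent.com"


def sha256_digest_arg(path: Path) -> str:
    """Digest in the 'sha256:<hex>' form accepted as FILE_OR_DIGEST."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return f"sha256:{h.hexdigest()}"


def default_bundle_path(artifact: Path) -> Path:
    """`sigstore sign` writes {input}.sigstore.json beside the input by default."""
    return artifact.with_name(artifact.name + ".sigstore.json")


def verify_argv(artifact: Path, identity: str, issuer: str, by_digest: bool = False) -> list[str]:
    """Build one `sigstore verify identity` invocation.

    --bundle accepts a single input only, so each artifact gets its own command.
    Both the identity and the issuer must be pinned: a signature from *some*
    identity at *some* issuer proves nothing about who built the artifact.
    """
    if not identity or not issuer:
        raise ValueError("identity and issuer must both be pinned")
    bundle = default_bundle_path(artifact)
    if not bundle.is_file():
        raise FileNotFoundError(f"no bundle at {bundle}; offline verification needs one")
    target = sha256_digest_arg(artifact) if by_digest else str(artifact)
    return [
        "sigstore", "verify", "identity", "--offline",
        "--bundle", str(bundle),
        "--cert-identity", identity,
        "--cert-oidc-issuer", issuer,
        target,
    ]


def verify_all(artifacts, identity: str, issuer: str) -> dict[str, int]:
    """Run every verification; returns {artifact: exit code}, 0 meaning verified."""
    return {str(a): subprocess.run(verify_argv(Path(a), identity, issuer)).returncode
            for a in artifacts}
```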
`sigstore` documentation is available on https://sigstore.github.io/sigstore-python
`sigstore` is licensed under the Apache 2.0 License.
`sigstore-python` is developed as part of the Sigstore project.
We also use a Slack channel! Click here for the invite link.
See the contributing docs for details.
Everyone interacting with this project is expected to follow the sigstore Code of Conduct.
Should you discover any security issues, please refer to sigstore's security process.