sigstore is a tool for signing and verifying Python package distributions.
- Support for signing Python package distributions using an OpenID Connect identity
- Support for publishing signatures to a Rekor instance
- Support for verifying signatures on Python package distributions
sigstore requires Python 3.7 or newer, and can be installed directly via pip:

```
python -m pip install sigstore
```
You can run sigstore as a standalone program, or via `python -m`:

```
sigstore --help
python -m sigstore --help
```
Top-level:

```
Usage: sigstore [OPTIONS] COMMAND [ARGS]...

Options:
  --help  Show this message and exit.

Commands:
  sign
  verify
```
Signing:

```
Usage: sigstore sign [OPTIONS] FILE [FILE ...]

Options:
  --identity-token TEXT
  --ctfe FILENAME
  --help                 Show this message and exit.
```
Verifying:

```
Usage: sigstore verify [OPTIONS] FILE [FILE ...]

Options:
  --cert FILENAME       [required]
  --signature FILENAME  [required]
  --cert-email TEXT
  --help                Show this message and exit.
```
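As an added example (not part of sigstore-python itself), the script below wraps `sigstore verify` so that every distribution in a directory is checked before it is trusted, pinning the expected signer with `--cert-email` and failing closed when a signature or certificate is missing. It assumes, as this example's own convention, that the signature and certificate for `FILE` are stored beside it as `FILE.sig` and `FILE.crt`.

```shell
#!/usr/bin/env sh
# Added example, not the project's own code. Assumes the signature and
# certificate for FILE are stored beside it as FILE.sig and FILE.crt.
set -eu

# verify_dist FILE EXPECTED_EMAIL
# Returns 0 only if the file, its certificate and its signature all exist and
# `sigstore verify` accepts them for the pinned identity. A missing artifact
# is a failure, so a stripped or forgotten signature cannot pass silently.
verify_dist() {
    file=$1
    expected_email=$2
    cert="${file}.crt"
    sig="${file}.sig"
    for artifact in "$file" "$cert" "$sig"; do
        if [ ! -f "$artifact" ]; then
            echo "FAIL: missing $artifact" >&2
            return 1
        fi
    done
    # --cert-email pins the identity; without it any valid certificate from
    # the CA would be accepted, not just the expected release identity.
    if sigstore verify --cert "$cert" --signature "$sig" \
            --cert-email "$expected_email" "$file"; then
        echo "OK: $file signed by $expected_email"
        return 0
    fi
    echo "FAIL: $file did not verify for $expected_email" >&2
    return 1
}

# verify_dir DIR EXPECTED_EMAIL
# Verifies every wheel and sdist in DIR; the return code is the number of
# distributions that failed, so 0 means the whole directory is trusted.
verify_dir() {
    dir=$1
    expected_email=$2
    failures=0
    for f in "$dir"/*.whl "$dir"/*.tar.gz; do
        [ -e "$f" ] || continue          # the glob matched nothing
        verify_dist "$f" "$expected_email" || failures=$((failures + 1))
    done
    return "$failures"
}
```

Typical use is `verify_dir dist release@example.org` (a constructed identity) immediately before `pip install dist/*`, aborting the install on a non-zero return.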
sigstore is licensed under the Apache 2.0 License.
See the contributing docs for details.
Everyone interacting with this project is expected to follow the sigstore Code of Conduct.
Should you discover any security issues, please refer to sigstore's security process.
sigstore-python is developed as part of the sigstore project.
We also use a Slack channel; click here for the invite link.