Python Client Overview
sigstore
is a Python tool for generating and verifying Sigstore signatures. You can use it to sign and verify Python package distributions, or anything else!
Full project documentation can be found in the sigstore-python project README and our API documentation.
Features
- Support for keyless signature generation and verification with Sigstore
- Support for signing with “ambient” OpenID Connect identities
- A comprehensive CLI and corresponding importable Python API
- An official GitHub Action
Installation
Language client Installation
sigstore
requires Python 3.9 or newer, and can be installed directly via pip
:
python -m pip install sigstore
Optionally, you can install sigstore
and all its dependencies with hash-checking mode enabled. Learn more about it in the project documentation.
GitHub Action Installation
You can install the official sigstore-python GitHub Action from the GitHub Marketplace.
You can also manually add the sigstore-python action to your CI:
jobs:
sigstore-python:
steps:
- uses: sigstore/gh-action-sigstore-python@v3.0.0
with:
inputs: foo.txt
Example
Signing example
For this example, we will sign a a file named foo.txt
. sigstore
will use OpenID Connect (OIDC) to verify your email address.
Use the following command to sign foo.txt
:
sigstore sign foo.txt
This will produce foo.txt.sigstore.json
for subsequent verification.
Verifying example
To verify the signature on foo.txt
run the following command:
sigstore verify identity foo.txt \
--cert-identity 'my_email@example.com' \
--cert-oidc-issuer 'oidc_issuer_URL'
Additional use cases
Additional use cases can be found in the sigstore-python project README.