Python Client Overview

sigstore is a Python tool for generating and verifying Sigstore signatures. You can use it to sign and verify Python package distributions, or anything else!

Full project documentation can be found in the sigstore-python project README and our API documentation.

Features

Installation

Language client Installation

sigstore requires Python 3.9 or newer, and can be installed directly via pip:

python -m pip install sigstore

Optionally, you can install sigstore and all its dependencies with hash-checking mode enabled. Learn more about it in the project documentation.

GitHub Action Installation

You can install the official sigstore-python GitHub Action from the GitHub Marketplace.

You can also manually add the sigstore-python action to your CI:

jobs:
  sigstore-python:
    steps:
      - uses: sigstore/gh-action-sigstore-python@v3.0.0
        with:
          inputs: foo.txt

Example

Signing example

For this example, we will sign a a file named foo.txt. sigstore will use OpenID Connect (OIDC) to verify your email address.

Use the following command to sign foo.txt:

sigstore sign foo.txt

This will produce foo.txt.sigstore.json for subsequent verification.

Verifying example

To verify the signature on foo.txt run the following command:

sigstore verify identity foo.txt \
--cert-identity 'my_email@example.com' \
--cert-oidc-issuer 'oidc_issuer_URL'

Additional use cases

Additional use cases can be found in the sigstore-python project README.