sigstore is a tool for signing and verifying Python package distributions.
- Support for signing Python package distributions using an OpenID Connect identity
- Support for publishing signatures to a Rekor instance
- Support for verifying signatures on Python package distributions
sigstore requires Python 3.7 or newer, and can be installed directly via pip:
python -m pip install sigstoreYou can run sigstore as a standalone program, or via python -m:
sigstore --help
python -m sigstore --helpTop-level:
Usage: sigstore [OPTIONS] COMMAND [ARGS]...
Options:
--help Show this message and exit.
Commands:
sign
verify
Signing:
Usage: sigstore sign [OPTIONS] FILE [FILE ...]
Options:
--identity-token TOKEN the OIDC identity token to use
--ctfe FILENAME A PEM-encoded public key for the CT log
--oidc-client-id ID The custom OpenID Connect client ID to use
--oidc-client-secret SECRET The custom OpenID Connect client secret to
use
--oidc-issuer URL The custom OpenID Connect issuer to use
--oidc-disable-ambient-providers
Disable ambient OIDC detection (e.g. on
GitHub Actions)
--help Show this message and exit.
Verifying
Usage: sigstore verify [OPTIONS] FILE [FILE ...]
Options:
--cert FILENAME [required]
--signature FILENAME [required]
--cert-email TEXT
--help Show this message and exit.
sigstore is licensed under the Apache 2.0 License.
See the contributing docs for details.
Everyone interacting with this project is expected to follow the sigstore Code of Conduct.
Should you discover any security issues, please refer to sigstore's security process.
sigstore-python is developed as part of the sigstore project.
We also use a slack channel! Click here for the invite link.