sigstore-python

Definition

Sigstore-python is a Python client library for Sigstore, a project that provides a set of tools and services to enable the secure signing, verification, and provenance tracking of software artifacts. It leverages transparency logs, certificate authorities, and identity providers to ensure that software artifacts are signed and verified in a secure and auditable manner. Sigstore-python facilitates the integration of these capabilities into Python-based projects, allowing developers to sign and verify packages and other artifacts with ease.

Secure Settings Example

from pathlib import Path

from sigstore.oidc import IdentityToken
from sigstore.sign import SigningContext

# Assumes sigstore-python 3.x. The OIDC token is short-lived and comes from
# the CI provider (an ambient token) or from an interactive browser flow via
# sigstore.oidc.Issuer.production().identity_token(); never a hardcoded value.
identity = IdentityToken("YOUR_OIDC_IDENTITY_TOKEN")
artifact = Path("example-package.tar.gz").read_bytes()

# Sign against the public-good Fulcio CA and Rekor transparency log; the
# short-lived signing certificate is bound to the identity in the token.
with SigningContext.production().signer(identity) as signer:
    bundle = signer.sign_artifact(artifact)

# Save the Sigstore bundle: certificate, signature and Rekor entry in one file
Path("example-package.tar.gz.sigstore.json").write_text(bundle.to_json())

Insecure Settings Example

from pathlib import Path

from sigstore.models import Bundle
from sigstore.verify import Verifier
from sigstore.verify.policy import UnsafeNoOp

# Assumes sigstore-python 3.x. Signing always requires an identity token, so
# the place where identity verification can be skipped is the verifying side.
artifact = Path("example-package.tar.gz").read_bytes()
bundle = Bundle.from_json(Path("example-package.tar.gz.sigstore.json").read_bytes())

# Insecure: UnsafeNoOp accepts a bundle signed by ANY identity from ANY OIDC
# issuer. The signature, certificate chain and Rekor entry are still checked,
# but nothing ties the artifact to the maintainer you expect, so anyone with a
# Sigstore login could produce a bundle that passes this check.
Verifier.production().verify_artifact(artifact, bundle, UnsafeNoOp())

# Secure alternative: pin the expected signer identity and its OIDC issuer
# from sigstore.verify.policy import Identity
# Verifier.production().verify_artifact(
#     artifact, bundle,
#     Identity(identity="maintainer@example.com", issuer="https://accounts.google.com"),
# )
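As an added example (not code from this page or from the sigstore-python project), the offline sanity check below parses a Sigstore bundle, the JSON file sigstore-python writes beside a signed artifact, and confirms that it carries a certificate and a transparency-log entry and is bound to the artifact's SHA-256 digest. It is the structural pre-check a verifier performs before the cryptographic checks that `Verifier.verify_artifact` does; the sample bundle is constructed, and its certificate and signature fields are placeholders.

```python
import base64
import hashlib
import json

# Constructed sample: a v0.3 bundle with the fields the pre-check inspects.
# The certificate and signature are placeholders, not real Fulcio/Rekor data.
ARTIFACT = b"example-package contents\n"
SAMPLE_BUNDLE = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "verificationMaterial": {
        "certificate": {"rawBytes": base64.b64encode(b"PLACEHOLDER-CERT").decode()},
        "tlogEntries": [{"logIndex": "123456789", "integratedTime": "1700000000"}],
    },
    "messageSignature": {
        "messageDigest": {
            "algorithm": "SHA2_256",
            "digest": base64.b64encode(hashlib.sha256(ARTIFACT).digest()).decode(),
        },
        "signature": base64.b64encode(b"PLACEHOLDER-SIG").decode(),
    },
})


def precheck_bundle(bundle_json: str, artifact: bytes) -> list[str]:
    """Return the problems found; an empty list means the bundle is well-formed
    and bound to this artifact. No signature or certificate check is done here;
    that remains the job of sigstore's Verifier."""
    problems = []
    bundle = json.loads(bundle_json)
    # Both the v0.1/v0.2 and v0.3 media types share this prefix
    if not bundle.get("mediaType", "").startswith("application/vnd.dev.sigstore.bundle"):
        problems.append("unexpected mediaType")
    material = bundle.get("verificationMaterial", {})
    # v0.3 carries a single leaf "certificate"; older bundles an "x509CertificateChain"
    if "certificate" not in material and "x509CertificateChain" not in material:
        problems.append("no signing certificate")
    if not material.get("tlogEntries"):
        problems.append("no transparency log entry")
    digest_info = bundle.get("messageSignature", {}).get("messageDigest", {})
    if digest_info.get("algorithm") != "SHA2_256":
        problems.append(f"unsupported digest algorithm {digest_info.get('algorithm')!r}")
    else:
        # The digest in the bundle must be the digest of the artifact in hand;
        # a mismatch means the bundle belongs to a different (or tampered) file.
        expected = base64.b64decode(digest_info.get("digest", ""))
        if expected != hashlib.sha256(artifact).digest():
            problems.append("digest does not match artifact")
    return problems
```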