{"id":34109574,"url":"https://github.com/opensecurity/sigmate-py","last_synced_at":"2026-04-05T18:32:14.465Z","repository":{"id":314954387,"uuid":"1056247397","full_name":"opensecurity/sigmate-py","owner":"opensecurity","description":"Modern CLI for fast, auditable file signing \u0026 verification","archived":false,"fork":false,"pushed_at":"2025-09-13T17:28:32.000Z","size":72,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-15T21:44:57.344Z","etag":null,"topics":["checksums","ed25519","sbom"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/opensecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-13T17:28:03.000Z","updated_at":"2025-09-15T19:12:45.000Z","dependencies_parsed_at":"2025-09-15T21:44:58.694Z","dependency_job_id":"efcc5f5b-4539-46ff-a34d-690c0ed89752","html_url":"https://github.com/opensecurity/sigmate-py","commit_stats":null,"previous_names":["opensecurity/sigmate-py"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/opensecurity/sigmate-py","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opensecurity%2Fsigmate-py","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opensecurity%2Fsigmate-py/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opensecurity%2Fsigmate-py/rele
ases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opensecurity%2Fsigmate-py/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/opensecurity","download_url":"https://codeload.github.com/opensecurity/sigmate-py/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opensecurity%2Fsigmate-py/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31446524,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-05T15:22:31.103Z","status":"ssl_error","status_checked_at":"2026-04-05T15:22:00.205Z","response_time":75,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["checksums","ed25519","sbom"],"created_at":"2025-12-14T18:34:32.540Z","updated_at":"2026-04-05T18:32:14.461Z","avatar_url":"https://github.com/opensecurity.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n  \u003ca href=\"https://github.com/opensecurity/sigmate-py\"\u003e\n    \u003c/a\u003e\n  \u003ch1 align=\"center\"\u003esigmate\u003c/h1\u003e\n  \u003cp align=\"center\"\u003e\n    A modern, developer-focused CLI for cryptographic file signing and verification.\n    \u003cbr /\u003e\n    \u003ca href=\"#-key-features\"\u003e\u003cstrong\u003eExplore the features 
»\u003c/strong\u003e\u003c/a\u003e\n    \u003cbr /\u003e\n    \u003cbr /\u003e\n    \u003ca href=\"https://github.com/opensecurity/sigmate-py/issues/new?template=bug_report.md\"\u003eReport Bug\u003c/a\u003e\n    ·\n    \u003ca href=\"https://github.com/opensecurity/sigmate-py/issues/new?template=feature_request.md\"\u003eRequest Feature\u003c/a\u003e\n  \u003c/p\u003e\n\u003c/div\u003e\n\n\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"https://img.shields.io/pypi/v/sigmate.svg?style=for-the-badge\u0026logo=pypi\u0026color=blue\" alt=\"PyPI Version\"\u003e\n  \u003cimg src=\"https://img.shields.io/github/license/opensecurity/sigmate?style=for-the-badge\u0026color=blue\" alt=\"License\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/code%20style-black-000000.svg?style=for-the-badge\" alt=\"Code Style: Black\"\u003e\n\u003c/div\u003e\n\n---\n\n## About The Project\n\n**`sigmate`** provides a fast, understandable, and secure workflow for signing and verifying files. Built for developers, release managers, and security teams, it replaces the complex and often opaque processes of tools like GPG with a streamlined, modern alternative based on Ed25519 cryptography.\n\nThe core philosophy is simple: signing should be easy, verification should be trustworthy, and the metadata accompanying a signature should be as valuable as the signature itself. 
`sigmate` generates structured, auditable artifacts that integrate seamlessly into CI/CD pipelines and supply chain security workflows.\n\n### Why sigmate?\n\n* **Developer-Focused:** Simple, intuitive commands and a configuration model that feels familiar.\n* **Transparent \u0026 Auditable:** Generates human-readable JSON metadata and CycloneDX-compatible SBOMs alongside raw signatures.\n* **Modern Cryptography:** Uses the fast and secure Ed25519 signature algorithm by default.\n* **Decoupled Trust:** Manages a local \"keyring\" for convenience and a separate \"trust store\" for auditable policy, preventing accidental trust and enhancing security.\n\n---\n\n## 🚀 Getting Started\n\n### Prerequisites\n\n* Python 3.10+\n* `pip` and `pipx` (recommended)\n\n### Installation\n\nThe recommended way to install `sigmate` is using `pipx`, which ensures the tool and its dependencies are isolated from other Python projects.\n\n```bash\npipx install sigmate\n```\n\nAlternatively, for development:\n\n```bash\n# Clone the repository\ngit clone https://github.com/opensecurity/sigmate-py.git\ncd sigmate-py\n\n# Install with Poetry\npoetry install\n```\n\n### First-Time Configuration\n\nBefore you start signing, run the interactive `configure` command to set up your default identity and key paths. This is a one-time setup.\n\n```bash\nsigmate configure\n```\n\nThis will prompt you for:\n\n1.  **Your default private key** used for signing.\n2.  **Your default signer identity** (it will try to detect this from your git configuration).\n3.  
The location of your **public key keyring**, where keys of other trusted signers will be stored.\n\n-----\n\n## Core Concepts\n\n`sigmate` manages four key artifacts:\n\n| Artifact                  | Location (Default)                      | Purpose                                                                                |\n| ------------------------- | --------------------------------------- | -------------------------------------------------------------------------------------- |\n| **Signature** (`.sig`)    | `./signatures/`                         | The raw, binary Ed25519 signature. Provides cryptographic proof of authenticity.       |\n| **Metadata** (`.meta.json`) | `./signatures/sigmate.meta.json`        | A JSON \"receipt\" for each signing operation, detailing who, what, when, and how.         |\n| **Keyring** | `~/.config/sigmate/keys/`               | A directory of named `.pub` files for trusted public keys, used for convenient verification. |\n| **Trust Store** | `~/.config/sigmate/trusted_...json`     | An audit log of which key fingerprints are trusted, by whom, and with what status.       |\n\n-----\n\n## Usage\n\n### 1. Signing Files\n\nThe `sign` command generates cryptographic signatures and metadata for your files.\n\n```bash\n# Sign an entire directory, creating both .sig and .meta.json files\nsigmate sign --walk ./my-project --both\n\n# Sign a single file with an expiration of 72 hours\nsigmate sign --file ./release.zip --expires-in 72 --both\n\n# Sign files and generate a CycloneDX SBOM for supply chain security\nsigmate sign --walk ./app --both --sbom\n```\n\n### 2. 
Trusting Other Signers\n\nBefore you can verify a signature from someone else, you must explicitly add their public key to your keyring and trust store.\n\n```bash\n# Add Alice's public key, give it the name \"alice\", and record that you added it\nsigmate trust add /path/to/alice.pem --name alice --added-by \"Your Name\"\n\n# Later, update the status of Alice's key to 'verified' after vetting her identity\nsigmate trust update \u003calice_fingerprint\u003e --status verified --updated-by \"Your Name\"\n```\n\n### 3. Verifying Signatures\n\nThe `verify` command checks the integrity and authenticity of files.\n\n```bash\n# Verify a directory using the key of a trusted signer from your keyring\nsigmate verify --walk ./downloaded-project --signer alice\n\n# Verify a single file using a specific public key file\nsigmate verify --file important.dat --key /path/to/key.pem\n\n# Get a machine-readable JSON report of the verification\nsigmate verify --walk ./app --signer alice --json\n```\n\n-----\n\n## Command Reference\n\n### `sigmate sign`\n\n  * **Target:** Specify files with `\u003cpath\u003e`, `--walk \u003cdir\u003e`, or `--list \u003cfile\u003e`.\n  * **Output Types:**\n      * `--raw`: Creates individual `.sig` files.\n      * `--meta`: Creates a central `sigmate.meta.json`.\n      * `--both`: Creates both raw and meta artifacts.\n  * **Key Options:**\n      * `--key \u003cpath\u003e`: Path to the private key (overrides configured default).\n      * `--identity \"Name \u003cemail\u003e\"`: Signer identity (overrides configured default).\n      * `--output \u003cdir\u003e`: Specify a custom output directory for artifacts.\n      * `--no-abspath`: Store relative paths in metadata for portability.\n\n### `sigmate verify`\n\n  * **Target:** Specify files with `\u003cpath\u003e`, `--walk \u003cdir\u003e`, or `--list \u003cfile\u003e`.\n  * **Key Source (choose one):**\n      * `--key \u003cpath\u003e`: Use a public key from a specific file path.\n      * `--signer 
\u003cname\u003e`: Use a public key from your keyring by its trusted name.\n  * **Key Options:**\n      * `--require-trusted`: Fail verification if the signer's key is not marked as 'verified' in the trust store.\n      * `--sig-type [raw|meta|auto]`: Specify which signature artifact to use.\n      * `--json`: Output a machine-readable JSON report.\n\n### `sigmate trust`\n\n  * `add \u003ckeyfile\u003e --name \u003calias\u003e`: Adds a key to the trust store and keyring.\n  * `list`: Shows all keys in the trust store.\n  * `update \u003cfingerprint\u003e --status \u003cstatus\u003e`: Changes the verification status of a key (e.g., to `verified` or `revoked`).\n  * `remove \u003cfingerprint\u003e`: Removes a key from the trust store.\n\n### `sigmate configure`\n\n  * Run interactively to set up default configuration values (private key, identity, keyring path).\n  * Run with arguments (`--private-key-path ...`) to set values non-interactively for scripting.\n\n### `sigmate clean`\n\n  * `clean`: Removes default artifacts (`./signatures/`, checksum files) from the current directory.\n  * `clean \u003cpath\u003e`: Removes all contents of a specified artifact directory.\n\n-----\n\n## Contributing\n\nContributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are **greatly appreciated**.\n\nPlease see the `CONTRIBUTING.md` file for details on our code of conduct, and the process for submitting pull requests to us.\n\n## License\n\nDistributed under the MIT License. 
See `LICENSE` for more information.\n\n## Authors\nLucian BLETAN --\u003e Init python project\n\n## Sigmate rust lang\n[sigmate](https://github.com/opensecurity/sigmate)\n\n## Contact\n\nProject Link: [sigmate-py](https://github.com/opensecurity/sigmate-py)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopensecurity%2Fsigmate-py","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopensecurity%2Fsigmate-py","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopensecurity%2Fsigmate-py/lists"}