{"id":13725020,"url":"https://github.com/sigstore/sigstore-python","last_synced_at":"2026-01-26T17:25:03.194Z","repository":{"id":37481947,"uuid":"447691086","full_name":"sigstore/sigstore-python","owner":"sigstore","description":"A Sigstore client written in Python","archived":false,"fork":false,"pushed_at":"2025-04-08T20:06:32.000Z","size":2306,"stargazers_count":258,"open_issues_count":35,"forks_count":54,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-04-10T06:49:41.786Z","etag":null,"topics":["codesigning","python","security","supply-chain"],"latest_commit_sha":null,"homepage":"https://pypi.org/p/sigstore","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sigstore.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-01-13T17:29:37.000Z","updated_at":"2025-04-08T20:06:34.000Z","dependencies_parsed_at":"2023-12-16T22:39:38.394Z","dependency_job_id":"e360db1e-8743-4bb4-9bbe-1ba6f3453e55","html_url":"https://github.com/sigstore/sigstore-python","commit_stats":{"total_commits":853,"total_committers":36,"mean_commits":"23.694444444444443","dds":0.5275498241500587,"last_synced_commit":"cac62e8e611d4286a49ecda7f33d356381ab7919"},"previous_names":["trailofbits/pysign"],"tags_count":60,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Fsigstore-python","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Fsigstore-python/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Fsigstore-python/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Fsigstore-python/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sigstore","download_url":"https://codeload.github.com/sigstore/sigstore-python/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248741201,"owners_count":21154255,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["codesigning","python","security","supply-chain"],"created_at":"2024-08-03T01:02:09.970Z","updated_at":"2026-01-26T17:25:00.314Z","avatar_url":"https://github.com/sigstore.png","language":"Python","readme":"sigstore-python\n===============\n\n\u003c!--- @begin-badges@ ---\u003e\n[![CI](https://github.com/sigstore/sigstore-python/workflows/CI/badge.svg)](https://github.com/sigstore/sigstore-python/actions/workflows/ci.yml)\n[![PyPI version](https://badge.fury.io/py/sigstore.svg)](https://pypi.org/project/sigstore)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/sigstore/sigstore-python/badge)](https://securityscorecards.dev/viewer/?uri=github.com/sigstore/sigstore-python)\n[![SLSA](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev/)\n![Conformance Tests](https://github.com/sigstore/sigstore-python/workflows/Conformance%20Tests/badge.svg)\n[![Documentation](https://github.com/sigstore/sigstore-python/actions/workflows/docs.yml/badge.svg)](https://sigstore.github.io/sigstore-python)\n\u003c!--- @end-badges@ ---\u003e\n\n`sigstore` is a Python tool for generating and verifying Sigstore signatures.\nYou can use it to sign and verify Python package distributions, or anything\nelse!\n\n## Index\n\n* [Features](#features)\n* [Installation](#installation)\n* [Usage](#usage)\n * [Signing](#signing)\n * [Verifying](#verifying)\n * [Generic identities](#generic-identities)\n * [Signatures from GitHub Actions](#signatures-from-github-actions)\n * [Advanced usage](#advanced-usage)\n* [Documentation](#documentation)\n* [Licensing](#licensing)\n* [Community](#community)\n* [Contributing](#contributing)\n* [Code of Conduct](#code-of-conduct)\n* [Security](#security)\n* [SLSA Provenance](#slsa-provenance)\n\n## Features\n\n* Support for keyless signature generation and verification with [Sigstore](https://www.sigstore.dev/)\n* Support for signing with [\"ambient\" OpenID Connect identities](https://github.com/sigstore/sigstore-python#signing-with-ambient-credentials)\n* A comprehensive [CLI](https://github.com/sigstore/sigstore-python#usage) and corresponding\n [importable Python API](https://sigstore.github.io/sigstore-python)\n\n## Installation\n\n`sigstore` requires Python 3.10 or newer, and can be installed directly via `pip`:\n\n```console\npython -m pip install sigstore\n```\n\nSee the [installation](https://sigstore.github.io/sigstore-python/installation) page in the documentation for more\ninstallation options.\n\n## Usage\n\nFor Python API usage, see our [API](https://sigstore.github.io/sigstore-python/api/).\n\nYou can run `sigstore` as a standalone program:\n\n```console\nsigstore --help\n```\n\nTop-level:\n\n\u003c!-- @begin-sigstore-help@ --\u003e\n```\nusage: sigstore [-h] [-v] [-V]\n [--staging | --instance URL | --trust-config FILE]\n COMMAND ...\n\na tool for signing and verifying Python package distributions\n\npositional arguments:\n COMMAND the operation to perform\n attest sign one or more inputs using DSSE\n sign sign one or more inputs\n verify verify one or more inputs\n get-identity-token\n retrieve and return a Sigstore-compatible OpenID\n Connect token\n trust-instance Initialize trust for a Sigstore instance\n plumbing developer-only plumbing operations\n\noptions:\n -h, --help show this help message and exit\n -v, --verbose run with additional debug logging; supply multiple\n times to increase verbosity (default: 0)\n -V, --version show program's version number and exit\n --staging Use sigstore's staging instance, instead of the default\n production instance. Mutually exclusive with other\n instance configuration arguments. (default: False)\n --instance URL Use a given Sigstore instance URL, instead of the\n default production instance. Mutually exclusive with\n other instance configuration arguments. (default: None)\n --trust-config FILE Use given client trust configuration instead of using\n the default production instance. Mutually exclusive\n with other instance configuration arguments. (default:\n None)\n```\n\u003c!-- @end-sigstore-help@ --\u003e\n\n\n### Signing\n\n\u003c!-- @begin-sigstore-sign-help@ --\u003e\n```\nusage: sigstore sign [-h] [-v] [--rekor-version VERSION]\n [--identity-token TOKEN] [--oidc-client-id ID]\n [--oidc-client-secret SECRET]\n [--oidc-disable-ambient-providers] [--oidc-issuer URL]\n [--oauth-force-oob] [--no-default-files]\n [--signature FILE] [--certificate FILE] [--bundle FILE]\n [--output-directory DIR] [--overwrite]\n FILE [FILE ...]\n\npositional arguments:\n FILE The file to sign\n\noptions:\n -h, --help show this help message and exit\n -v, --verbose run with additional debug logging; supply multiple\n times to increase verbosity (default: 0)\n --rekor-version VERSION\n Force the rekor transparency log version. Valid values\n are [1, 2]. By default the highest available version\n is used\n\nOpenID Connect options:\n --identity-token TOKEN\n the OIDC identity token to use (default: None)\n --oidc-client-id ID The custom OpenID Connect client ID to use during\n OAuth2 (default: sigstore)\n --oidc-client-secret SECRET\n The custom OpenID Connect client secret to use during\n OAuth2 (default: None)\n --oidc-disable-ambient-providers\n Disable ambient OpenID Connect credential detection\n (e.g. on GitHub Actions) (default: False)\n --oidc-issuer URL The OpenID Connect issuer to use (default: None)\n --oauth-force-oob Force an out-of-band OAuth flow and do not\n automatically start the default web browser (default:\n False)\n\nOutput options:\n --no-default-files Don't emit the default output files\n ({input}.sigstore.json) (default: False)\n --signature FILE, --output-signature FILE\n Write a single signature to the given file; does not\n work with multiple input files (default: None)\n --certificate FILE, --output-certificate FILE\n Write a single certificate to the given file; does not\n work with multiple input files (default: None)\n --bundle FILE Write a single Sigstore bundle to the given file; does\n not work with multiple input files (default: None)\n --output-directory DIR\n Write default outputs to the given directory\n (conflicts with --signature, --certificate, --bundle)\n (default: None)\n --overwrite Overwrite preexisting signature and certificate\n outputs, if present (default: False)\n```\n\u003c!-- @end-sigstore-sign-help@ --\u003e\n\n\n### Signing with DSSE envelopes\n\n\u003c!-- @begin-sigstore-attest-help@ --\u003e\n```\nusage: sigstore attest [-h] [-v] [--rekor-version VERSION] --predicate FILE\n --predicate-type TYPE [--identity-token TOKEN]\n [--oidc-client-id ID] [--oidc-client-secret SECRET]\n [--oidc-disable-ambient-providers] [--oidc-issuer URL]\n [--oauth-force-oob] [--bundle FILE] [--overwrite]\n FILE [FILE ...]\n\npositional arguments:\n FILE The file to sign\n\noptions:\n -h, --help show this help message and exit\n -v, --verbose run with additional debug logging; supply multiple\n times to increase verbosity (default: 0)\n --rekor-version VERSION\n Force the rekor transparency log version. Valid values\n are [1, 2]. By default the highest available version\n is used\n\nDSSE options:\n --predicate FILE Path to the predicate file (default: None)\n --predicate-type TYPE\n Specify a predicate type\n (https://slsa.dev/provenance/v0.2,\n https://slsa.dev/provenance/v1) (default: None)\n\nOpenID Connect options:\n --identity-token TOKEN\n the OIDC identity token to use (default: None)\n --oidc-client-id ID The custom OpenID Connect client ID to use during\n OAuth2 (default: sigstore)\n --oidc-client-secret SECRET\n The custom OpenID Connect client secret to use during\n OAuth2 (default: None)\n --oidc-disable-ambient-providers\n Disable ambient OpenID Connect credential detection\n (e.g. on GitHub Actions) (default: False)\n --oidc-issuer URL The OpenID Connect issuer to use (default: None)\n --oauth-force-oob Force an out-of-band OAuth flow and do not\n automatically start the default web browser (default:\n False)\n\nOutput options:\n --bundle FILE Write a single Sigstore bundle to the given file; does\n not work with multiple input files (default: None)\n --overwrite Overwrite preexisting bundle outputs, if present\n (default: False)\n```\n\u003c!-- @end-sigstore-attest-help@ --\u003e\n\n### Verifying\n\n#### Identities\n\n\u003c!-- @begin-sigstore-verify-identity-help@ --\u003e\n```\nusage: sigstore verify identity [-h] [-v] [--certificate FILE]\n [--signature FILE] [--bundle FILE] [--offline]\n --cert-identity IDENTITY --cert-oidc-issuer\n URL\n FILE_OR_DIGEST [FILE_OR_DIGEST ...]\n\noptions:\n -h, --help show this help message and exit\n -v, --verbose run with additional debug logging; supply multiple\n times to increase verbosity (default: 0)\n\nVerification inputs:\n --certificate FILE, --cert FILE\n The PEM-encoded certificate to verify against; not\n used with multiple inputs (default: None)\n --signature FILE The signature to verify against; not used with\n multiple inputs (default: None)\n --bundle FILE The Sigstore bundle to verify with; not used with\n multiple inputs (default: None)\n FILE_OR_DIGEST The file path or the digest to verify. The digest\n should start with the 'sha256:' prefix.\n\nVerification options:\n --offline Perform offline verification; requires a Sigstore\n bundle (default: False)\n --cert-identity IDENTITY\n The identity to check for in the certificate's Subject\n Alternative Name (default: None)\n --cert-oidc-issuer URL\n The OIDC issuer URL to check for in the certificate's\n OIDC issuer extension (default: None)\n```\n\u003c!-- @end-sigstore-verify-identity-help@ --\u003e\n\n#### Signatures from GitHub Actions\n\n\u003c!-- @begin-sigstore-verify-github-help@ --\u003e\n```\nusage: sigstore verify github [-h] [-v] [--certificate FILE]\n [--signature FILE] [--bundle FILE] [--offline]\n [--cert-identity IDENTITY] [--trigger EVENT]\n [--sha SHA] [--name NAME] [--repository REPO]\n [--ref REF]\n FILE_OR_DIGEST [FILE_OR_DIGEST ...]\n\noptions:\n -h, --help show this help message and exit\n -v, --verbose run with additional debug logging; supply multiple\n times to increase verbosity (default: 0)\n\nVerification inputs:\n --certificate FILE, --cert FILE\n The PEM-encoded certificate to verify against; not\n used with multiple inputs (default: None)\n --signature FILE The signature to verify against; not used with\n multiple inputs (default: None)\n --bundle FILE The Sigstore bundle to verify with; not used with\n multiple inputs (default: None)\n FILE_OR_DIGEST The file path or the digest to verify. The digest\n should start with the 'sha256:' prefix.\n\nVerification options:\n --offline Perform offline verification; requires a Sigstore\n bundle (default: False)\n --cert-identity IDENTITY\n The identity to check for in the certificate's Subject\n Alternative Name (default: None)\n --trigger EVENT The GitHub Actions event name that triggered the\n workflow (default: None)\n --sha SHA The `git` commit SHA that the workflow run was invoked\n with (default: None)\n --name NAME The name of the workflow that was triggered (default:\n None)\n --repository REPO The repository slug that the workflow was triggered\n under (default: None)\n --ref REF The `git` ref that the workflow was invoked with\n (default: None)\n```\n\u003c!-- @end-sigstore-verify-github-help@ --\u003e\n\n## Documentation\n\n`sigstore` documentation is available on [https://sigstore.github.io/sigstore-python](https://sigstore.github.io/sigstore-python)\n\n## Licensing\n\n`sigstore` is licensed under the Apache 2.0 License.\n\n## Community\n\n`sigstore-python` is developed as part of the [Sigstore](https://sigstore.dev) project.\n\nWe also use a [Slack channel](https://sigstore.slack.com)!\nClick [here](https://join.slack.com/t/sigstore/shared_invite/zt-mhs55zh0-XmY3bcfWn4XEyMqUUutbUQ) for the invite link.\n\n## Contributing\n\nSee [the contributing docs](https://github.com/sigstore/.github/blob/main/CONTRIBUTING.md) for details.\n\n## Code of Conduct\n\nEveryone interacting with this project is expected to follow the\n[sigstore Code of Conduct](https://github.com/sigstore/.github/blob/main/CODE_OF_CONDUCT.md).\n\n## Security\n\nShould you discover any security issues, please refer to sigstore's [security\nprocess](https://github.com/sigstore/.github/blob/main/SECURITY.md).\n","funding_links":[],"categories":["Python"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsigstore%2Fsigstore-python","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsigstore%2Fsigstore-python","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsigstore%2Fsigstore-python/lists"}