By William Woodruff (Trail of Bits) and Dustin Ingram (Google)
We are delighted to announce the 2.0 release of sigstore-python, a Python client for signing and verifying Sigstore signatures!
$ python -m pip install -U sigstore
$ python -m sigstore --version
sigstore 2.0.0
This release has been in the works for a while, and contains a number of significant improvements and breaking changes to both the
sigstore CLI and Python APIs.
We’ve also updated the official sigstore/gh-action-sigstore-python action to use the latest 2.0 release. You can use this action to join the growing ecosystem of projects producing Sigstore signatures through GitHub Actions!
Read on for a summary of our biggest changes, or check out our CHANGELOG for additional details!
- Sigstore’s bundle format is now preferred throughout the CLI, and is the default input and output format! This means that sigstore sign secret.txt and sigstore verify identity secret.txt will now generate or verify
- sigstore verify is no longer a backwards-compatible alias for sigstore verify identity, as it was in the 1.x series. Users must now invoke sigstore verify identity or sigstore verify github explicitly.
- sigstore get-identity-token now supports the --oauth-force-oob flag, providing a CLI option for the pre-existing
Check out our API documentation for additional details, including usage examples!
- sigstore-python’s APIs have been significantly refactored to improve type hygiene. In particular, the IdentityToken type has been stabilized and made part of the public interface, replacing many sites where a raw OIDC token was previously passed in.
- The Signer API is now two different APIs: SigningContext. This change better reflects sigstore-python’s interior lifetimes and allows developers to reuse an ephemeral keypair across multiple inputs, saving unnecessary network round-trips!
- Bundle generation is now exposed as part of the public API: SigningResult.to_bundle() can now both be used to produce an interoperable Sigstore bundle.
- Our minimum Python version is now 3.8! This keeps us consistent with the broader Python ecosystem, which has considered Python 3.7 EOL since June 2023.
- We now interact with the public trust root a little differently: it now assumes that the trust root contains a trust bundle, rather than falling back to the deprecated individual TUF targets. Additionally, sigstore-python now comes with an initial baked-in copy of the trust bundle, to ease bootstrapping (and offline verification).
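The keypair-reuse and bundle-generation changes above, shown as an added example that is not code from this post or from the sigstore-python project: one SigningContext signer (one ephemeral keypair and Fulcio certificate) signs several files, each result is exported with SigningResult.to_bundle(), and the bundles are then verified against an expected identity. It assumes the 2.0 API names shown (SigningContext.signer, Signer.sign, VerificationMaterials.from_bundle, policy.Identity, Issuer.identity_token), a working network path to Fulcio and Rekor, and an OIDC login; the bundle_path_for helper's ".sigstore" suffix is an assumption, not taken from the post.

```python
from __future__ import annotations

import sys
from pathlib import Path
from typing import TYPE_CHECKING, Dict, Iterable

if TYPE_CHECKING:  # hints only; sigstore is imported lazily inside the functions
    from sigstore.oidc import IdentityToken
    from sigstore_protobuf_specs.dev.sigstore.bundle.v1 import Bundle


def bundle_path_for(artifact: Path) -> Path:
    """Assumption: mirror a `<input>.sigstore` sidecar naming convention."""
    return artifact.with_name(artifact.name + ".sigstore")


def sign_all(artifacts: Iterable[Path], token: "IdentityToken") -> Dict[Path, "Bundle"]:
    """Sign every artifact with ONE ephemeral keypair; return a bundle per file."""
    from sigstore.sign import SigningContext  # assumed 2.0 API name

    ctx = SigningContext.production()  # public-good Fulcio + Rekor instance
    bundles: Dict[Path, "Bundle"] = {}
    # The Signer (and its keypair/certificate) is reused across all inputs,
    # so only one Fulcio round-trip is needed for the whole batch.
    with ctx.signer(token) as signer:
        for path in artifacts:
            with path.open("rb") as fh:
                result = signer.sign(fh)
            bundles[path] = result.to_bundle()
    return bundles


def verify_all(bundles: Dict[Path, "Bundle"], identity: str, issuer: str) -> Dict[Path, bool]:
    """Verify each artifact against its bundle and an expected identity/issuer pair."""
    from sigstore.verify import VerificationMaterials, Verifier  # assumed 2.0 API names
    from sigstore.verify.policy import Identity

    verifier = Verifier.production()
    expected = Identity(identity=identity, issuer=issuer)  # pin WHO may have signed
    outcome: Dict[Path, bool] = {}
    for path, bundle in bundles.items():
        with path.open("rb") as fh:
            materials = VerificationMaterials.from_bundle(input_=fh, bundle=bundle, offline=False)
            outcome[path] = bool(verifier.verify(materials, expected))
    return outcome


if __name__ == "__main__":
    from sigstore.oidc import Issuer  # interactive OIDC login (browser or OOB flow)

    files = [Path(p) for p in sys.argv[1:]]
    for path, bundle in sign_all(files, Issuer.production().identity_token()).items():
        bundle_path_for(path).write_text(bundle.to_json())
```

Run it as `python sign_batch.py file1 file2 ...`; a verifier later calls verify_all with the identity and issuer it expects, so a bundle signed by any other identity is rejected even though its signature and log entry are valid.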
We’ve been overjoyed to see both developers and end users join the Sigstore ecosystem through sigstore-python!
As part of this announcement, we wanted to highlight the hard work of Seth Larson (Python Software Foundation) to prepare the CPython release process for sigstore-python 2.0: he backfilled old signatures into the new bundle format and updated the documentation on python.org to be compatible with the newest sigstore CLI. Thanks, Seth!
This 2.0 release of sigstore-python is filled with internal changes that set us up for new public-facing features and enhancements, including support for Fulcio’s newer claim formats, “full” offline verification support, and additional “plumbing” CLI routines for Sigstore power users.
Many thanks to everybody who contributed to the 2.0 release, with special thanks to Alex Cameron (Trail of Bits), Maya Costantini (Red Hat), Jussi Kukkonen (Google), Jack Leightcap (Trail of Bits), and Andrew Pan (Trail of Bits) for their significant feature contributions!
About the Authors
William Woodruff works at Trail of Bits, a NYC-based cybersecurity consultancy. He splits his time between open source engineering and running the Ecosystem Security group, which is responsible for contributing security and usability improvements to major open source projects. Outside of work, he is a member of the Homebrew project and a contributor to a wide variety of open source projects.
Dustin Ingram is a software engineer on Google’s Open Source Security Team, where he works on improving the security of open-source software that Google & the rest of the world relies on. He’s also a director of the Python Software Foundation, and maintainer of the Python Package Index.