Sigstore has announced the stable 1.0 release of sigstore-python, Sigstore’s Python-compatible client. The client provides a CLI as well as an importable Python API. It is able to sign and verify with any identity supported by Sigstore, and has ambient identity recognition for supported environments.
The Sigstore Python client is not just for signing things in Python! It is a full-featured general-purpose way to interact with the Sigstore public-good instance (or other instances), and has the following features:
- Signing and verifying arbitrary files and blogs with any identity supported by Sigstore
- Detecting a surrounding identity for GitHub Actions and Google Cloud Platform environments
- Easy installation from PyPI
- The client is already being used by some early adopters, for example recent versions of CPython itself are signed with it and it can also be used for CPython version checking.
Woodruff notes that the project is committed to semantic versioning for both the Python API and CLI. They indicate that no breaking changes will be made without a corresponding increase to the base version. In future releases, Woodruff indicates that there will be further integration with PyPI and the client-side packaging toolchain. They also hope to stabilize their GitHub operation.
sigstore-python is open source and available under the Apache 2.0 license. Additional details can be found in the API documentation or in the #python channel on Sigstore Slack.