We are delighted to announce the 2.0 release of sigstore-python, a Python client for signing and verifying Sigstore signatures!
$ python -m pip install -U sigstore
$ python -m sigstore --version
This release has been in the works for a while, and contains a number
of significant improvements and breaking changes to both the
CLI and Python APIs.
We’ve also updated the official
to use the latest 2.0 release. You can use this action to join the
growing ecosystem of projects producing Sigstore signatures through
Read on for a summary of our biggest changes, or check out our CHANGELOG for additional details!
Sigstore’s bundle format is now preferred throughout the CLI, and is the default input and output format! This means that
`sigstore sign secret.txt` and `sigstore verify identity secret.txt` will now generate or verify
`sigstore verify` is no longer a backwards-compatible alias for `sigstore verify identity`, as it was in the 1.x series. Users must now invoke `sigstore verify identity` or `sigstore verify github` explicitly.
`sigstore get-identity-token` now supports the `--oauth-force-oob` flag, providing a CLI option for the pre-existing
Check out our API documentation for additional details, including usage examples!
sigstore-python’s APIs have been significantly refactored to improve type hygiene. In particular, the
`IdentityToken` type has been stabilized and made part of the public interface, replacing many sites where a raw OIDC token was previously passed in.
The `Signer` API is now two different APIs:
`SigningContext`. This change better reflects sigstore-python’s internal lifetimes and allows developers to reuse an ephemeral keypair across multiple inputs, saving unnecessary network round-trips!
Bundle generation is now exposed as part of the public API:
`SigningResult.to_bundle()` can now both be used to produce an interoperable Sigstore bundle.
Our minimum Python version is now 3.8! This keeps us consistent with the broader Python ecosystem, which has considered Python 3.7 EOL since June 2023.
We now interact with the public trust root a little differently: it now assumes that the trust root contains a trust bundle, rather than falling back to the deprecated individual TUF targets. Additionally, sigstore-python now comes with an initial baked-in copy of the trust bundle, to ease bootstrapping (and offline verification).
We’ve been overjoyed to see both developers and end users join the Sigstore ecosystem through sigstore-python!
As part of this announcement, we wanted to highlight the hard work of
Seth Larson (Python Software Foundation) to prepare the CPython release
process for sigstore-python 2.0:
he backfilled old signatures into the new bundle format and updated
the documentation on python.org to be compatible with the newest
CLI. Thanks, Seth!
This 2.0 release of sigstore-python is filled with internal changes that set us up for new public-facing features and enhancements, including support for Fulcio’s newer claim formats, “full” offline verification support, and additional “plumbing” CLI routines for Sigstore power users.
Many thanks to everybody who contributed to the 2.0 release, with special thanks to Alex Cameron (Trail of Bits), Maya Costantini (Red Hat), Jussi Kukkonen (Google), Jack Leightcap (Trail of Bits), and Andrew Pan (Trail of Bits) for their significant feature contributions!