Announcing the 1.0 release of sigstore-python

The sigstore-python project began a year ago, in January 2022, with the goal of providing a Sigstore-compatible client similar to cosign, but written entirely in Python so that it is easy for the Python ecosystem to adopt.

Today, thanks to the support of the community and the work of 18 contributors, we’re excited to announce a usable, reference-quality 1.0 stable release of that client. It includes an importable Python API as well as a fully functional CLI, so users can now reliably and easily integrate with Sigstore from Python via the sigstore-python client.

The sigstore Python client is not just for signing Python packages! It’s a fully featured, general-purpose way to interact with the Sigstore public good instance (or other instances), and it has the following features:

  • Signing and verifying arbitrary files and blobs with any Sigstore-supported identity
  • Ambient identity detection for GitHub Actions and Google Cloud Platform environments
  • Easy installation from PyPI

The client is already in use by early adopters. For example, the latest releases of CPython itself are signed with it, and it can be used to verify those CPython releases as well.

The release of a fully native and idiomatic Python client is the first step towards bringing Sigstore to the Python community. Much work remains to make Sigstore-backed integrity verification widely available to all Python users.

Head over to the Trail of Bits blog to learn more about the library and Trail of Bits’ work on the 1.0 release. You can also install the client from PyPI, read the API documentation, star us on GitHub, or find us in the #python channel of the Sigstore Slack. We look forward to hearing from you!