{"id":20927,"library":"ansible-sign","title":"ansible-sign","description":"Ansible content validation library and CLI for signing and verifying Ansible content (collections, roles, playbooks) using GPG and Sigstore. Current version 0.1.5, pre-1.0 release in active development, no fixed release cadence.","status":"active","version":"0.1.5","language":"python","source_language":"en","source_url":"https://github.com/ansible/ansible-sign","tags":["ansible","signing","verification","gpg","sigstore","content-validation"],"install":[{"cmd":"pip install ansible-sign","lang":"bash","label":"pip install"}],"dependencies":[{"reason":"crypto operations for GPG and Sigstore","package":"cryptography","optional":false},{"reason":"version parsing","package":"packaging","optional":false},{"reason":"YAML parsing","package":"pyyaml","optional":false},{"reason":"Sigstore signing/verification","package":"sigstore","optional":false},{"reason":"GPG signing/verification","package":"gnupg","optional":false}],"imports":[{"note":"Core class is re-exported at package level in 0.1.0+; old path no longer works.","wrong":"from ansible_sign.core import AnsibleSign","symbol":"AnsibleSign","correct":"from ansible_sign import AnsibleSign"}],"quickstart":{"code":"from ansible_sign import AnsibleSign\nsigner = AnsibleSign()\n# Sign a collection (requires GPG key in environment)\nsigner.sign_collection('mycollection-1.0.0.tar.gz', keyid='YOUR_GPG_KEY')\n# Verify a signature\nresult = signer.verify_collection('mycollection-1.0.0.tar.gz.asc')\nprint(result.valid)","lang":"python","description":"Basic usage: sign and verify an Ansible collection tarball using GPG. Requires a GPG key to be set up. The example only prints result.valid; a real pipeline should check that value and stop when it is not true, so that unverified content is never installed or run."},"warnings":[{"fix":"Use from ansible_sign import AnsibleSign instead of from ansible_sign.core import AnsibleSign.","message":"Prior to 0.1.0, the import path was ansible_sign.core; in 0.1.0+ the main class AnsibleSign is exported from the package root. 
Old imports will break.","severity":"breaking","affected_versions":"< 0.1.0 -> >= 0.1.0"},{"fix":"Always pass backend='gpg' or backend='sigstore' to signing/verification methods so that signing and verification use the backend you intend rather than an implicit default.","message":"The backend ('gpg' vs 'sigstore') must be specified explicitly in some methods; the default may not be consistent across all operations.","severity":"gotcha","affected_versions":"all"},{"fix":"Install GPG via the system package manager (e.g., sudo apt install gnupg) before using the GPG backend. If you install the Python library separately, confirm its exact distribution name in ansible-sign's own requirements first, because 'gnupg' and 'python-gnupg' are different PyPI distributions.","message":"GPG operations require the gnupg Python library and a GPG executable to be installed on the system. A missing gpg binary leads to cryptic errors.","severity":"gotcha","affected_versions":"all"},{"fix":"Use 'ansible-sign --help' to see the current CLI structure; plan to migrate to the new subcommand structure if it is introduced.","message":"The CLI commands 'ansible-sign sign' and 'ansible-sign verify' are still present but may be replaced in the future by subcommands under 'ansible-sign collection'.","severity":"deprecated","affected_versions":"<= 0.1.5"}],"env_vars":null,"last_verified":"2026-04-27T00:00:00.000Z","next_check":"2026-07-26T00:00:00.000Z","problems":[{"fix":"Upgrade ansible-sign to >=0.1.0 and use 'from ansible_sign import AnsibleSign'.","cause":"Versions before 0.1.0 did not re-export the class at the package root, so code written for the new import path fails on them.","error":"AttributeError: module 'ansible_sign' has no attribute 'AnsibleSign'"},{"fix":"Install GPG: 'sudo apt install gnupg' (Debian/Ubuntu) or 'brew install gnupg' (macOS).","cause":"The gpg executable is not installed on the system.","error":"gnupg.errors: Unable to run gpg: [Errno 2] No such file or directory"},{"fix":"Update ansible-sign to the latest version; if no update is available, pin cryptography < 41.0.0 as a temporary workaround only, because an old pin also holds back security fixes in cryptography. Remove the pin once ansible-sign is updated.","cause":"The cryptography dependency has deprecated certain functions used by ansible-sign's GPG backend.","error":"CryptographyDeprecationWarning: 
..."}],"ecosystem":"pypi","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}