{"id":7708,"library":"securesystemslib","title":"Secure Systems Library","description":"Securesystemslib is a Python library that provides cryptographic and general-purpose routines for Secure Systems Lab projects at NYU. It serves as a cryptography interface for signing and verifying digital signatures, particularly developed for the TUF and in-toto projects. The library is actively maintained, with a recent major focus on a new 'signer' API. Its release cadence is driven by new feature additions, security enhancements, and deprecations related to key management and signing systems.","status":"active","version":"1.3.1","language":"en","source_language":"en","source_url":"https://github.com/secure-systems-lab/securesystemslib","tags":["security","cryptography","signing","TUF","in-toto","ecdsa","ed25519","rsa","signatures"],"install":[{"cmd":"pip install securesystemslib","lang":"bash","label":"Basic installation (pure-Python ed25519 verification)"},{"cmd":"pip install securesystemslib[crypto]","lang":"bash","label":"With RSA, ECDSA, and Ed25519 signing/verification support"},{"cmd":"pip install securesystemslib[sigstore]","lang":"bash","label":"With Sigstore support"}],"dependencies":[{"reason":"Required for RSA, ECDSA key generation and signing. Installed with '[crypto]' extra.","package":"cryptography","optional":true},{"reason":"Required for Ed25519 key generation and signing. Installed with '[crypto]' or '[pynacl]' extra.","package":"PyNaCl","optional":true},{"reason":"Required for Sigstore signing and verification. Installed with '[sigstore]' extra.","package":"sigstore-python","optional":true}],"imports":[{"symbol":"CryptoSigner","correct":"from securesystemslib.signer import CryptoSigner"},{"note":"`SSLibSigner` is deprecated in favor of `CryptoSigner`. Old `interface` functions like `generate_and_write_rsa_keypair` are part of the legacy key API and should be replaced by the `signer` API for modern usage.","wrong":"from securesystemslib.interface import generate_and_write_rsa_keypair","symbol":"SSLibSigner","correct":"from securesystemslib.signer import SSLibSigner"},{"symbol":"Key","correct":"from securesystemslib.signer import Key"}],"quickstart":{"code":"import os\nimport json\nfrom securesystemslib.signer import CryptoSigner, Key\nfrom securesystemslib.formats import encode_canonical_json\n\n# 1. Generate a new key pair using the CryptoSigner (e.g., RSA)\n# In a real scenario, you'd protect the private key with a strong password\n# or use a KMS. For quickstart, we'll use a placeholder password.\n\n# Create a temporary directory for keys\nif not os.path.exists(\"temp_keys\"): os.makedirs(\"temp_keys\")\n\npassphrase = os.environ.get('SECURESYSTEMSLIB_PASSPHRASE', 'secret-password')\n\n# Generate an RSA key pair\nprivate_key_path = os.path.join(\"temp_keys\", \"example_key\")\nsigner = CryptoSigner.generate_and_write_key(private_key_path, keytype=\"rsa\", algorithm=\"rsassa-pss-sha256\", passphrase=passphrase)\n\n# The public key details are part of the signer object\npublic_key = signer.public_key\n\nprint(f\"Generated public key ID: {public_key.keyid}\")\n\n# 2. Prepare some data to sign\ndata_to_sign = {\"message\": \"Hello, securesystemslib!\", \"timestamp\": 1678886400}\ncanonical_data = encode_canonical_json(data_to_sign).encode(\"utf-8\")\n\n# 3. Sign the data\nsignature = signer.sign(canonical_data)\n\nprint(f\"Generated signature: {signature.signature[:20]}...\")\n\n# 4. Verify the signature\n# A Key object can be created from the public_key dictionary\nverifier_key = Key.from_dict(public_key.keyid, public_key.to_dict())\n\n# Verify using the signer and the original data\ntry:\n    CryptoSigner.verify_signature(signature, verifier_key, canonical_data)\n    print(\"Signature verification successful!\")\nexcept Exception as e:\n    print(f\"Signature verification failed: {e}\")\n\n# Clean up temporary files (optional)\nos.remove(private_key_path)\nos.remove(private_key_path + \".pub\")\nos.rmdir(\"temp_keys\")","lang":"python","description":"This quickstart demonstrates how to generate an RSA key pair, sign arbitrary data, and then verify that signature using the recommended `securesystemslib.signer.CryptoSigner` API. The private key is saved locally, and a placeholder passphrase is used for demonstration purposes. In a production environment, private keys should be securely managed, potentially using a Key Management System (KMS)."},"warnings":[{"fix":"Upgrade your Python environment to 3.8 or newer. The library currently supports Python ~=3.8.","message":"Python 3.7 reached End-of-Life on June 27, 2023, and `securesystemslib` officially dropped support for it in version `0.30.0`. Running on Python 3.7 or older will lead to compatibility issues and lack of security updates.","severity":"breaking","affected_versions":">=0.30.0"},{"fix":"Migrate to the `securesystemslib.signer` module and use `CryptoSigner` for key generation, signing, and verification. Use the `migrate_keys` script to convert legacy keys.","message":"The `securesystemslib.keys`, `securesystemslib.ecdsa_keys`, `securesystemslib.rsa_keys`, and `securesystemslib.ed25519_keys` modules, along with `SSLibSigner`, are deprecated in favor of the new `securesystemslib.signer` API, specifically `CryptoSigner`.","severity":"deprecated","affected_versions":">=0.29.0"},{"fix":"Update your code to use stronger hash algorithms like `sha256` or `sha512`.","message":"Support for weak cryptographic hash algorithms `md5` and `sha1` was removed in `securesystemslib` version `0.28.0` due to security concerns. [GitHub release notes]","severity":"breaking","affected_versions":">=0.28.0"},{"fix":"Update your `SigstoreSigner` usage to the new API, specifically `SigstoreSigner.import_via_auth()` for interactive logins. Consult the official documentation for the latest `sigstore-python` integration details.","message":"The `SigstoreSigner` API was adapted to `sigstore-python 2.0` in version `0.30.0`, changing how signing identities are managed, particularly for interactive credential handling.","severity":"breaking","affected_versions":">=0.30.0"},{"fix":"Always ensure appropriate file permissions (e.g., `0o600` or `0o400`) are set for private key files immediately after creation. Prefer using the `signer` API, which generally handles security better, or ensure keys are passphrase-protected.","message":"By default, functions like `securesystemslib.interface.generate_and_write_unencrypted_ed25519_keypair()` (from the legacy API) might create private key files with world-readable permissions, depending on the system's umask. This can expose private keys to other users on a shared system.","severity":"gotcha","affected_versions":"<1.0.0 (and legacy API usage)"}],"env_vars":null,"last_verified":"2026-04-16T00:00:00.000Z","next_check":"2026-07-15T00:00:00.000Z","problems":[{"fix":"Refactor your code to use the `securesystemslib.signer` API, specifically `CryptoSigner` or other specific signers for your use case.","cause":"Attempting to import a deprecated module (`keys`, `ecdsa_keys`, `rsa_keys`, or `ed25519_keys`). These modules were marked for deprecation in v0.29.0.","error":"ModuleNotFoundError: No module named 'securesystemslib.keys'"},{"fix":"Update your code to use stronger, supported hash algorithms like `sha256` or `sha512`.","cause":"Attempting to use `md5` or `sha1` as a hash algorithm, which were removed in version 0.28.0. [GitHub release notes]","error":"securesystemslib.exceptions.UnsupportedAlgorithmError: md5 is not a supported hash algorithm"},{"fix":"Review the `sigstore-python` documentation and the `securesystemslib` `0.30.0` changelog. The `import_via_auth` method now expects no arguments, or the signature has changed. Adapt your call accordingly.","cause":"Using the old `SigstoreSigner` API with a `sigstore-python` version that expects a different interface, likely due to the breaking change in `securesystemslib v0.30.0` adapting to `sigstore-python 2.0`.","error":"TypeError: SigstoreSigner.import_via_auth() takes 0 positional arguments but 1 was given"},{"fix":"Upgrade your Python installation to version 3.8 or newer to meet the library's minimum requirements.","cause":"Running `securesystemslib` version `0.30.0` or higher on a Python 3.7 environment. Python 3.7 reached EOL and support was dropped.","error":"RuntimeError: Python 3.7 is no longer supported"}]}