{"id":22369,"library":"sigstore-protobuf-specs","title":"sigstore-protobuf-specs","description":"A library for serializing and deserializing Sigstore messages (e.g., Bundle, DSSE Envelope). Published as a Python package at version 0.5.1, maintained by the Sigstore project. Requires Python >=3.8. Release cadence is irregular, tied to upstream protobuf spec changes.","status":"active","version":"0.5.1","language":"python","source_language":"en","source_url":"https://github.com/sigstore/protobuf-specs","tags":["sigstore","protobuf","signing","verification","supply-chain-security"],"install":[{"cmd":"pip install sigstore-protobuf-specs","lang":"bash","label":"Install from PyPI"}],"dependencies":[{"reason":"Runtime dependency for protobuf message types.","package":"protobuf","optional":false}],"imports":[{"note":"Correct path includes dev.sigstore.bundle.v1; the wrong form omits the 'dev.sigstore' prefix and the versioned subpackage.","wrong":"from sigstore_protobuf_specs.bundle import Bundle","symbol":"Bundle","correct":"from sigstore_protobuf_specs.dev.sigstore.bundle.v1 import Bundle"},{"note":"Same versioned path issue; DSSE Envelope is under dev.sigstore.dsse.","wrong":"from sigstore_protobuf_specs.dsse import Envelope","symbol":"DSSEEnvelope","correct":"from sigstore_protobuf_specs.dev.sigstore.dsse import Envelope"},{"note":"Common types are also under the versioned v1 subpackage.","wrong":null,"symbol":"HashAlgorithm","correct":"from sigstore_protobuf_specs.dev.sigstore.common.v1 import HashAlgorithm"}],"quickstart":{"code":"from sigstore_protobuf_specs.dev.sigstore.bundle.v1 import Bundle\n\n# Create an empty bundle\nbundle = Bundle()\nprint(bundle)\n","lang":"python","description":"Creates an empty Sigstore Bundle message using the official protobuf generated class."},"warnings":[{"fix":"Update imports to include 'dev' and version subpackage, e.g., 'from sigstore_protobuf_specs.dev.sigstore.bundle.v1 import Bundle'.","message":"Import paths changed in version 0.3.0: all protobuf messages are now under 'sigstore_protobuf_specs.dev.sigstore.*' with versioned subpackages (e.g., v1).","severity":"breaking","affected_versions":">=0.3.0"},{"fix":"For signing/verification, use the 'sigstore' package. This package is for low-level protobuf object manipulation.","message":"The package only provides protobuf message classes (serialization/deserialization). It does NOT include Sigstore verification or signing logic, so successfully deserializing a Bundle or Envelope with these classes says nothing about whether the signature or verification material it carries is valid. Users often mistakenly import this package for signing or verification tasks.","severity":"gotcha","affected_versions":"all"},{"fix":"Use the full 'sigstore_protobuf_specs.dev.sigstore.*' path.","message":"Direct import from 'sigstore_protobuf_specs.sigstore.*' (without 'dev') was deprecated in 0.3.0 and removed in 0.4.0.","severity":"deprecated","affected_versions":">=0.4.0"}],"env_vars":null,"last_verified":"2026-04-27T00:00:00.000Z","next_check":"2026-07-26T00:00:00.000Z","problems":[{"fix":"Use: from sigstore_protobuf_specs.dev.sigstore.bundle.v1 import Bundle","cause":"Import path changed in 0.3.0; missing 'dev' and version subpackage.","error":"ImportError: cannot import name 'Bundle' from 'sigstore_protobuf_specs.sigstore.bundle'"},{"fix":"Upgrade the package: pip install --upgrade sigstore-protobuf-specs","cause":"Installed version is older than 0.3.0 (e.g., 0.2.x). The 'dev' subpackage did not exist.","error":"ModuleNotFoundError: No module named 'sigstore_protobuf_specs.dev'"},{"fix":"Use correct concrete class: from sigstore_protobuf_specs.dev.sigstore.dsse import Envelope (assuming it's concrete). Otherwise, check documentation for proper usage.","cause":"Envelope is an abstract class in some protobuf versions; must use concrete subclass like DSSEEnvelope or instantiate properly.","error":"TypeError: Can't instantiate abstract class Envelope with abstract methods..."}],"ecosystem":"pypi","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}