cursive

0.2.3 verified Fri May 01 auth: no python

cursive is an OpenStack library for validating digital signatures, primarily used in Glance and other OpenStack services to verify image signatures. Version 0.2.3 implements OpenStack-specific signature validation. It has a low release cadence, with no recent major updates.

pip install cursive

Common errors

error ModuleNotFoundError: No module named 'castellan' ↓

cause castellan is an optional dependency but required for signature verification with key manager.

fix

Install castellan: pip install castellan

error TypeError: validate_signature() missing 1 required positional argument: 'certificate' ↓

cause The function signature requires three arguments: data, signature, certificate.

fix

Provide all three positional arguments: validate_signature(image_data, signature, certificate)

error cursive.exceptions.SignatureVerificationError: The signature is not valid ↓

cause The provided signature does not match the data or the certificate is incorrect/expired.

fix

Verify that the signature was generated with the private key corresponding to the certificate, and that the data hasn't been modified.

Warnings

gotcha cursive depends on castellan for key management, which is often not installed by default. Without castellan, most validation functions will fail with an import error. ↓

fix Install castellan: pip install castellan

deprecated The function `validate_signature` may be deprecated in favor of `CursiveSignatureVerifier` in future releases. Check documentation for current usage. ↓

fix Use CursiveSignatureVerifier class for forward compatibility.

gotcha Signature validation requires a specific chain of trust: certificate -> intermediate CAs. Cursive does not handle certificate chain building; you must provide the full chain. ↓

fix Ensure the certificate argument includes the complete chain (leaf and intermediates) if needed.

Imports

validate_signature

wrong

import cursive; cursive.validate_signature

correct

from cursive import validate_signature

Function exposed as top-level import.

CursiveSignatureVerifier

wrong

from cursive.signature import CursiveSignatureVerifier

correct

from cursive import CursiveSignatureVerifier

Class is directly under cursive module, not submodule.

Quickstart

Basic signature validation using cursive. Requires a key manager for production.

from cursive import validate_signature

# OpenStack image signature validation
image_data = b'...'  # binary image content
signature = b'...'   # base64 decoded signature
certificate = b'...' # PEM encoded certificate
# Example using a mock key_manager (castellan required for real usage)
# result = validate_signature(image_data, signature, certificate)
# print(result)
print('Signature validation requires OpenStack key management setup.')