sigstore-protobuf-specs
0.5.1 verified Mon Apr 27 auth: no python
A library for serializing and deserializing Sigstore messages (e.g., Bundle, DSSE, Envelope). Published as a Python package at version 0.5.1, maintained by the Sigstore project. Requires Python >=3.8. Release cadence is irregular, tied to upstream protobuf spec changes.
pip install sigstore-protobuf-specs
Common errors
error ImportError: cannot import name 'Bundle' from 'sigstore_protobuf_specs.sigstore.bundle'
cause Import path changed in 0.3.0; missing 'dev' and version subpackage.
fix
Use: from sigstore_protobuf_specs.dev.sigstore.bundle.v1 import Bundle
error ModuleNotFoundError: No module named 'sigstore_protobuf_specs.dev'
cause Installed version is older than 0.3.0 (e.g., 0.2.x). The 'dev' subpackage did not exist.
fix
Upgrade the package: pip install --upgrade sigstore-protobuf-specs
error TypeError: Can't instantiate abstract class Envelope with abstract methods...
cause Envelope is an abstract class in some protobuf versions; use a concrete subclass such as DSSEEnvelope, or instantiate it properly.
fix
Use the correct concrete class: from sigstore_protobuf_specs.dev.sigstore.dsse import Envelope (assuming it is concrete there). Otherwise, check the documentation for proper usage.
Warnings
breaking Import paths changed in version 0.3.0: all protobuf messages are now under 'sigstore_protobuf_specs.dev.sigstore.*' with versioned subpackages (e.g., v1).
fix Update imports to include 'dev' and version subpackage, e.g., 'from sigstore_protobuf_specs.dev.sigstore.bundle.v1 import Bundle'.
gotcha The package only provides protobuf message classes (serialization/deserialization). It does NOT include Sigstore verification or signing logic. Users often mistakenly import this for operational tasks.
fix For signing/verification, use the 'sigstore' package. This package is for low-level protobuf object manipulation.
deprecated Direct import from 'sigstore_protobuf_specs.sigstore.*' (without 'dev') was deprecated in 0.3.0 and removed in 0.4.0.
fix Use the full path with 'dev.sigstore....'.
Imports
- Bundle
  wrong: from sigstore_protobuf_specs.bundle import Bundle
  correct: from sigstore_protobuf_specs.dev.sigstore.bundle.v1 import Bundle
- DSSEEnvelope
  wrong: from sigstore_protobuf_specs.dsse import Envelope
  correct: from sigstore_protobuf_specs.dev.sigstore.dsse import Envelope
- HashAlgorithm
  from sigstore_protobuf_specs.dev.sigstore.common.v1 import HashAlgorithm
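A check for the stale import paths listed above, as an added example that is not part of the package or of the original page: it parses Python source with the standard-library ast module and reports imports that still use the old paths. The function names and the sample source are constructed for illustration; for old paths this page does not list, only the 'dev' prefix is suggested, and a version subpackage such as v1 may still be needed.

```python
import ast

PKG = "sigstore_protobuf_specs"
# Replacements listed on this page (old module -> current module).
KNOWN = {
    f"{PKG}.bundle": f"{PKG}.dev.sigstore.bundle.v1",
    f"{PKG}.sigstore.bundle": f"{PKG}.dev.sigstore.bundle.v1",
    f"{PKG}.dsse": f"{PKG}.dev.sigstore.dsse",
}


def suggest(module):
    """Return the replacement for a stale import path, or None if the path is fine."""
    if module in KNOWN:
        return KNOWN[module]
    if module.startswith(f"{PKG}.sigstore."):
        # Not listed on the page: only the 'dev' prefix is certain; a version
        # subpackage such as 'v1' may also be required.
        return f"{PKG}.dev.sigstore." + module[len(PKG) + len(".sigstore."):]
    return None


def find_stale_imports(source):
    """Return sorted (line, old_module, suggested_module) for each stale import."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            modules = [node.module]
        elif isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        else:
            continue
        for module in modules:
            new = suggest(module)
            if new:
                findings.append((node.lineno, module, new))
    return sorted(findings)


# Constructed sample input, not taken from a real project.
SAMPLE = '''\
from sigstore_protobuf_specs.sigstore.bundle import Bundle
from sigstore_protobuf_specs.dsse import Envelope
from sigstore_protobuf_specs.dev.sigstore.common.v1 import HashAlgorithm
import sigstore_protobuf_specs.sigstore.common
'''

if __name__ == "__main__":
    for line, old, new in find_stale_imports(SAMPLE):
        print(f"line {line}: {old} -> {new}")
```

Because the source is parsed rather than imported, the check can run in CI before an upgrade without sigstore-protobuf-specs being installed.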
Quickstart
from sigstore_protobuf_specs.dev.sigstore.bundle.v1 import Bundle
# Create an empty bundle
bundle = Bundle()
print(bundle)