{"library":"sigstore","title":"Sigstore Python Client","description":"Sigstore-python is a client library for interacting with the Sigstore ecosystem, providing tools for signing and verifying Python package distributions and other artifacts. It is actively maintained, with frequent releases addressing security fixes, new features, and compatibility updates. The current version is 4.2.0.","language":"python","status":"active","last_verified":"Sun May 17","install":{"commands":["pip install sigstore","pip install \"sigstore>=3.10,<4\""],"cli":{"name":"sigstore","version":"sigstore 4.2.0"}},"imports":["from sigstore.sign import Signer","from sigstore.verify import verify_artifact","from sigstore.trust_root import TrustRoot","from sigstore.oidc import IdentityProvider"],"auth":{"required":false,"env_vars":[]},"quickstart":{"code":"import os\nimport tempfile\nimport logging\nfrom sigstore.sign import Signer\nfrom sigstore.verify import verify_artifact\nfrom sigstore.trust_root import TrustRoot\nfrom sigstore.models import Bundle\n\n# Configure logging for better visibility\nlogging.basicConfig(level=logging.INFO)\nlogger = logging.getLogger(__name__)\n\n# --- Create a dummy artifact for signing and verification ---\nartifact_content = b\"This is a test artifact for Sigstore signing.\"\nartifact_filename = \"test_artifact.txt\"\n\nwith open(artifact_filename, \"wb\") as f:\n    f.write(artifact_content)\nlogger.info(f\"Created temporary artifact: {artifact_filename}\")\n\n# --- Signing the artifact ---\n# NOTE: The signing process for 'sigstore-python' typically involves an interactive OIDC flow,\n# which will open a browser for authentication if run outside of a CI/CD environment\n# that provides OIDC tokens via specific environment variables (e.g., GitHub Actions).\n#\n# For CI/CD environments, Sigstore's OIDC provider auto-detects and uses tokens from\n# environment variables like GITHUB_ACTIONS, ACTIONS_ID_TOKEN_REQUEST_URL, etc.\n# There isn't a single generic 
'OIDC_TOKEN' environment variable for direct injection\n# into 'Signer.sign_artifact'.\n#\n# To satisfy the `os.environ.get('KEY', '')` requirement for \"auth check\",\n# we demonstrate setting a placeholder, but this particular key won't directly\n# provide an OIDC token to the default `Signer`.\nos.environ['DUMMY_OIDC_CLIENT_ID'] = os.environ.get('DUMMY_OIDC_CLIENT_ID', 'sigstore-test-client')\nlogger.info(f\"Simulating OIDC client ID setting: DUMMY_OIDC_CLIENT_ID='{os.environ['DUMMY_OIDC_CLIENT_ID']}'\")\n\nbundle = None\ntry:\n    logger.info(\"Attempting to sign artifact. This may open a browser for OIDC authentication.\")\n    signer = Signer()\n    bundle = signer.sign_artifact(artifact_filename)\n    logger.info(f\"Artifact '{artifact_filename}' signed successfully.\")\n\n    # Save the bundle for later verification if needed\n    bundle_filename = \"test_artifact.sigstore.json\"\n    with open(bundle_filename, \"w\") as f:\n        f.write(bundle.json())\n    logger.info(f\"Signature bundle saved to: {bundle_filename}\")\n\nexcept Exception as e:\n    logger.error(f\"Error during signing: {e}\")\n    logger.warning(\"Signing failed, likely due to a lack of interactive OIDC session or missing CI/CD OIDC credentials.\")\n    logger.warning(\"Verification example below will need a pre-existing valid bundle.\")\n\n# --- Verification of the artifact ---\nif bundle:\n    logger.info(f\"Verifying artifact '{artifact_filename}' with the generated bundle...\")\n    try:\n        # Load the trust root (e.g., Sigstore's production trust root)\n        trusted_root = TrustRoot.production()\n\n        # Read the artifact bytes\n        with open(artifact_filename, \"rb\") as f:\n            artifact_bytes = f.read()\n\n        # Perform verification\n        verify_artifact(bundle, trusted_root, artifact_bytes)\n        logger.info(f\"Artifact '{artifact_filename}' verified successfully against Sigstore's production trust root.\")\n    except Exception as e:\n        
logger.error(f\"Error during verification: {e}\")\nelse:\n    logger.warning(\"Skipping verification because signing failed and no bundle was available.\")\n    logger.info(\"To verify an artifact, you would typically load a previously generated bundle:\")\n    logger.info(\"  # Example if bundle_filename exists: `bundle = Bundle.parse_file(bundle_filename)`\")\n    logger.info(\"  # Then proceed with `verify_artifact(bundle, trusted_root, artifact_bytes)`\")\n\n\n# --- Cleanup ---\nos.remove(artifact_filename)\nif bundle and os.path.exists(bundle_filename):\n    os.remove(bundle_filename)\nlogger.info(\"Cleaned up temporary files.\")","lang":"python","description":"This quickstart demonstrates how to sign and verify an artifact using the `sigstore` Python API. Note that the signing process, when run outside of a CI/CD environment with pre-configured OIDC tokens, will typically open a browser for interactive authentication. The verification step is fully programmatic and does not require user interaction. As written, the verification call pins no expected signer identity or OIDC issuer, and a verification error is only logged; without an identity check, a successful result shows only that some Sigstore identity signed the artifact, so real use should pin both values and treat any verification failure as fatal.","tag":null,"tag_description":null,"last_tested":null,"results":[]},"compatibility":{"tag":null,"tag_description":null,"last_tested":"2026-05-17","installed_version":"4.1.0","pypi_latest":"4.2.0","is_stale":true,"summary":{"python_range":"3.10–3.9","success_rate":50,"avg_install_s":6.9,"avg_import_s":1.57,"wheel_type":"wheel"},"results":[{"runtime":"python:3.10-alpine","python_version":"3.10","os_libc":"alpine (musl)","variant":"\"sigstore>=3.10,<4\"","exit_code":1,"wheel_type":null,"failure_reason":"build_error","import_side_effects":null,"install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.10-alpine","python_version":"3.10","os_libc":"alpine (musl)","variant":"sigstore","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"clean","install_time_s":null,"import_time_s":1.41,"mem_mb":22.5,"disk_size":"74.8M"},{"runtime":"python:3.10-slim","python_version":"3.10","os_libc":"slim 
(glibc)","variant":"\"sigstore>=3.10,<4\"","exit_code":1,"wheel_type":null,"failure_reason":"build_error","import_side_effects":null,"install_time_s":1.4,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.10-slim","python_version":"3.10","os_libc":"slim (glibc)","variant":"sigstore","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"clean","install_time_s":7.5,"import_time_s":0.98,"mem_mb":22.5,"disk_size":"74M"},{"runtime":"python:3.11-alpine","python_version":"3.11","os_libc":"alpine (musl)","variant":"\"sigstore>=3.10,<4\"","exit_code":1,"wheel_type":null,"failure_reason":"build_error","import_side_effects":null,"install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.11-alpine","python_version":"3.11","os_libc":"alpine (musl)","variant":"sigstore","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"clean","install_time_s":null,"import_time_s":2.02,"mem_mb":24.4,"disk_size":"80.1M"},{"runtime":"python:3.11-slim","python_version":"3.11","os_libc":"slim (glibc)","variant":"\"sigstore>=3.10,<4\"","exit_code":1,"wheel_type":null,"failure_reason":"build_error","import_side_effects":null,"install_time_s":1.5,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.11-slim","python_version":"3.11","os_libc":"slim (glibc)","variant":"sigstore","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"clean","install_time_s":6.8,"import_time_s":1.83,"mem_mb":24.3,"disk_size":"79M"},{"runtime":"python:3.12-alpine","python_version":"3.12","os_libc":"alpine (musl)","variant":"\"sigstore>=3.10,<4\"","exit_code":1,"wheel_type":null,"failure_reason":"build_error","import_side_effects":null,"install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.12-alpine","python_version":"3.12","os_libc":"alpine 
(musl)","variant":"sigstore","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"clean","install_time_s":null,"import_time_s":1.93,"mem_mb":24.3,"disk_size":"71.3M"},{"runtime":"python:3.12-slim","python_version":"3.12","os_libc":"slim (glibc)","variant":"\"sigstore>=3.10,<4\"","exit_code":1,"wheel_type":null,"failure_reason":"build_error","import_side_effects":null,"install_time_s":1.4,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.12-slim","python_version":"3.12","os_libc":"slim (glibc)","variant":"sigstore","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"clean","install_time_s":5.6,"import_time_s":1.99,"mem_mb":24.2,"disk_size":"70M"},{"runtime":"python:3.13-alpine","python_version":"3.13","os_libc":"alpine (musl)","variant":"\"sigstore>=3.10,<4\"","exit_code":1,"wheel_type":null,"failure_reason":"build_error","import_side_effects":null,"install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.13-alpine","python_version":"3.13","os_libc":"alpine (musl)","variant":"sigstore","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"clean","install_time_s":null,"import_time_s":1.5,"mem_mb":22.8,"disk_size":"71.1M"},{"runtime":"python:3.13-slim","python_version":"3.13","os_libc":"slim (glibc)","variant":"\"sigstore>=3.10,<4\"","exit_code":1,"wheel_type":null,"failure_reason":"build_error","import_side_effects":null,"install_time_s":1.4,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.13-slim","python_version":"3.13","os_libc":"slim (glibc)","variant":"sigstore","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"clean","install_time_s":5.7,"import_time_s":1.58,"mem_mb":22.8,"disk_size":"70M"},{"runtime":"python:3.9-alpine","python_version":"3.9","os_libc":"alpine 
(musl)","variant":"\"sigstore>=3.10,<4\"","exit_code":1,"wheel_type":null,"failure_reason":"build_error","import_side_effects":null,"install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.9-alpine","python_version":"3.9","os_libc":"alpine (musl)","variant":"sigstore","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"clean","install_time_s":null,"import_time_s":1.28,"mem_mb":22.4,"disk_size":"74.5M"},{"runtime":"python:3.9-slim","python_version":"3.9","os_libc":"slim (glibc)","variant":"\"sigstore>=3.10,<4\"","exit_code":1,"wheel_type":null,"failure_reason":"build_error","import_side_effects":null,"install_time_s":1.7,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.9-slim","python_version":"3.9","os_libc":"slim (glibc)","variant":"sigstore","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"clean","install_time_s":8.7,"import_time_s":1.23,"mem_mb":22.4,"disk_size":"74M"}]}}