Adding information on Python Language Client #333
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| --- | ||
| type: docs | ||
| title: "Python" | ||
| description: "sigstore-python" | ||
| lead: "Python Language Client" | ||
| date: 2024-10-06T08:49:15+00:00 | ||
| lastmod: 2024-10-06T08:49:15+00:00 | ||
| draft: false | ||
| images: [] | ||
| weight: 15 | ||
| --- |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| --- | ||
| type: docs | ||
| category: Python | ||
| menuTitle: GitHub Action | ||
| title: GitHub Action | ||
| weight: 50 | ||
| --- | ||
|
|
||
| ## GitHub Actions | ||
|
|
||
| `sigstore-python` has [an official GitHub Action](https://github.com/sigstore/gh-action-sigstore-python)! | ||
|
|
||
| You can install it from the [GitHub Marketplace](https://github.com/marketplace/actions/gh-action-sigstore-python), or add it to your CI manually: | ||
|
|
||
| ```yaml | ||
| jobs: | ||
| sigstore-python: | ||
| steps: | ||
| - uses: sigstore/[email protected] | ||
| with: | ||
| inputs: foo.txt | ||
| ``` | ||
|
|
||
| See the [action documentation](https://github.com/sigstore/gh-action-sigstore-python/blob/main/README.md) for more details and usage examples. | ||
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,21 @@ | ||||||
| --- | ||||||
| type: docs | ||||||
| category: Python | ||||||
| menuTitle: Installation | ||||||
| title: Installation | ||||||
| weight: 5 | ||||||
| --- | ||||||
|
|
||||||
| `sigstore` requires Python 3.8 or newer, and can be installed directly via `pip`: | ||||||
|
There was a problem hiding this comment. Requires 3.9 as of release 3.4:
Suggested change
|
||||||
|
|
||||||
| ```console | ||||||
| python -m pip install sigstore | ||||||
| ``` | ||||||
|
|
||||||
| Optionally, to install `sigstore` and all its dependencies with [hash-checking mode](https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking-mode) enabled, run the following: | ||||||
|
|
||||||
| ```console | ||||||
| python -m pip install -r https://raw.githubusercontent.com/sigstore/sigstore-python/main/install/requirements.txt | ||||||
| ``` | ||||||
|
|
||||||
| This installs the up-to-date [requirements file](https://github.com/sigstore/sigstore-python/blob/main/install/requirements.txt). | ||||||
|
There was a problem hiding this comment. This looks like a verbatim (or close to verbatim) copy of the README, which makes me worry that it'll diverge/desync over time. Is there a way we can automatically keep it up to date? If not, I suppose having a periodic reminder (or automatic issue trigger that runs on new (In particular, things like the There was a problem hiding this comment. @woodruffw this is a good point. I originally intended to open a PR in the sigstore-python repo that removed repetition and linked to the docs on the main sigstore docs site. I am in conversation with the @haydentherapper and @cmurphy about this issue and may pivot towards most of the documentation staying in the sigstore-python repo and a a fairly lean page on the main sigstore docs which will link back to the repo's readme. Do you have a preference? There was a problem hiding this comment. No strong preference from me! If the plan is to have the main Sigstore site be the "global" source of documentation for all clients, then I'm happy to have the majority of the current OTOH the self-updating There was a problem hiding this comment. @woodruffw it sounds like @cmurphy and @haydentherapper are on board with a more abridged version on this site. It will mean that the information between the different language clients can be a little more uniform. I am going to close this PR for now and will tag you in the lighter PR that I am opening now. Thanks for your review and feedback! |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| --- | ||
| type: docs | ||
| category: Python | ||
| menuTitle: Python Client Overview | ||
| title: Python Client Overview | ||
| weight: 1 | ||
| --- | ||
|
|
||
| [`sigstore`](https://pypi.org/project/sigstore/) is a Python tool for generating and verifying Sigstore signatures. You can use it to sign and verify Python package distributions, or anything else! | ||
|
|
||
| ## Features | ||
|
|
||
| * Supports keyless signature generation and verification | ||
| * Supports signing with ["ambient" OpenID Connect identities](../signing#signing-with-ambient-credentials) | ||
| * A comprehensive [CLI](#usage) and corresponding [importable Python API](https://sigstore.github.io/sigstore-python) | ||
| * An official [GitHub Action](../github_action) | ||
|
|
||
| ## Usage | ||
|
|
||
| For Python API usage, see our [API documentation](https://sigstore.github.io/sigstore-python/). | ||
|
|
||
| You can run `sigstore` as a standalone program, or via `python -m`: | ||
|
|
||
| ```console | ||
| sigstore --help | ||
| python -m sigstore --help | ||
| ``` | ||
|
|
||
| Top-level: | ||
|
|
||
| <!-- @begin-sigstore-help@ --> | ||
| ```console | ||
| usage: sigstore [-h] [-v] [-V] [--staging | --trust-config FILE] COMMAND ... | ||
|
|
||
| a tool for signing and verifying Python package distributions | ||
|
|
||
| positional arguments: | ||
| COMMAND the operation to perform | ||
| sign sign one or more inputs | ||
| verify verify one or more inputs | ||
| get-identity-token | ||
| retrieve and return a Sigstore-compatible OpenID | ||
| Connect token | ||
| plumbing developer-only plumbing operations | ||
|
|
||
| optional arguments: | ||
| -h, --help show this help message and exit | ||
| -v, --verbose run with additional debug logging; supply multiple | ||
| times to increase verbosity (default: 0) | ||
| -V, --version show program's version number and exit | ||
| --staging Use sigstore's staging instances, instead of the | ||
| default production instances (default: False) | ||
| --trust-config FILE The client trust configuration to use (default: None) | ||
| ``` | ||
| <!-- @end-sigstore-help@ --> | ||
|
|
||
| ### SLSA Provenance | ||
|
|
||
| This project emits a SLSA provenance on its release! This enables you to verify the integrity of the downloaded artifacts and ensured that the binary's code really comes from this source code. | ||
|
|
||
| To do so, please follow the instructions [here](https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance). | ||
|
There was a problem hiding this comment. I think this link is out of date (it's wrong in the sigstore-python readme too) - I think it's supposed to be https://github.com/slsa-framework/slsa-github-generator#verify-provenance It's not very clear from the README, but I think this section about verifying provenance is more closely aligned with the installation section, since it's about verifying the sigstore-python release artifact, not about using it. But they also don't really explain how to find the artifact and attestation. I would almost suggest omitting this section entirely from the docs site because it's not really relevant unless you came across the repo in github and were exploring its release artifacts. There was a problem hiding this comment. My 0.02c is that this can be dropped entirely: the SLSA provenance note is a bit of a red herring in this context, since sigstore-python also emits bundles of its own creation as part of the release process. (I would like to remove that SLSA provenance step from the release workflow entirely in the near future, since it doesn't currently generate valid SLSA documents - per slsa-framework/slsa-github-generator#3876 - and has been a source of release process breakdowns in the past. I'll likely replace it with GitHub's own attestation actions.) There was a problem hiding this comment. Agreed that this should be in installation. I would add more details on how to verify the binary, and like Colleen said, where the attestation is (i.e. attached to the release). I'd provide a command using
Edit: Ignore in favor of the above comments |
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| --- | ||
| type: docs | ||
| category: Python | ||
| menuTitle: Custom root of trust | ||
| title: Custom root of trust | ||
| weight: 30 | ||
| --- | ||
| ## Configuring a custom root of trust ("BYO PKI") | ||
|
|
||
| Apart from the default and "staging" Sigstore instances, `sigstore` also supports "BYO PKI" setups, where a user maintains their own Sigstore instance services. | ||
|
|
||
| These are supported via the `--trust-config` flag, which accepts a JSON-formatted file conforming to the `ClientTrustConfig` message in the [Sigstore protobuf specs](https://github.com/sigstore/protobuf-specs). This file configures the entire Sigstore instance state, *including* the URIs used to access the CA and artifact transparency services as well as the cryptographic root of trust itself. | ||
|
|
||
| To use a custom client config, prepend `--trust-config` to any `sigstore` command: | ||
|
|
||
| ```console | ||
| sigstore --trust-config custom.trustconfig.json sign foo.txt | ||
| sigstore --trust-config custom.trustconfig.json verify identity foo.txt ... | ||
| ``` |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,110 @@ | ||
| --- | ||
| type: docs | ||
| category: Python | ||
| menuTitle: Signing | ||
| title: Signing | ||
| weight: 10 | ||
| --- | ||
|
|
||
| <!-- @begin-sigstore-sign-help@ --> | ||
| ```console | ||
| usage: sigstore sign [-h] [-v] [--identity-token TOKEN] [--oidc-client-id ID] | ||
| [--oidc-client-secret SECRET] | ||
| [--oidc-disable-ambient-providers] [--oidc-issuer URL] | ||
| [--oauth-force-oob] [--no-default-files] | ||
| [--signature FILE] [--certificate FILE] [--bundle FILE] | ||
| [--output-directory DIR] [--overwrite] | ||
| FILE [FILE ...] | ||
|
|
||
| positional arguments: | ||
| FILE The file to sign | ||
|
|
||
| optional arguments: | ||
| -h, --help show this help message and exit | ||
| -v, --verbose run with additional debug logging; supply multiple | ||
| times to increase verbosity (default: 0) | ||
|
|
||
| OpenID Connect options: | ||
| --identity-token TOKEN | ||
| the OIDC identity token to use (default: None) | ||
| --oidc-client-id ID The custom OpenID Connect client ID to use during | ||
| OAuth2 (default: sigstore) | ||
| --oidc-client-secret SECRET | ||
| The custom OpenID Connect client secret to use during | ||
| OAuth2 (default: None) | ||
| --oidc-disable-ambient-providers | ||
| Disable ambient OpenID Connect credential detection | ||
| (e.g. on GitHub Actions) (default: False) | ||
| --oidc-issuer URL The OpenID Connect issuer to use (conflicts with | ||
| --staging) (default: https://oauth2.sigstore.dev/auth) | ||
| --oauth-force-oob Force an out-of-band OAuth flow and do not | ||
| automatically start the default web browser (default: | ||
| False) | ||
|
|
||
| Output options: | ||
| --no-default-files Don't emit the default output files | ||
| ({input}.sigstore.json) (default: False) | ||
| --signature FILE, --output-signature FILE | ||
| Write a single signature to the given file; does not | ||
| work with multiple input files (default: None) | ||
| --certificate FILE, --output-certificate FILE | ||
| Write a single certificate to the given file; does not | ||
| work with multiple input files (default: None) | ||
| --bundle FILE Write a single Sigstore bundle to the given file; does | ||
| not work with multiple input files (default: None) | ||
| --output-directory DIR | ||
| Write default outputs to the given directory | ||
| (conflicts with --signature, --certificate, --bundle) | ||
| (default: None) | ||
| --overwrite Overwrite preexisting signature and certificate | ||
| outputs, if present (default: False) | ||
| ``` | ||
| <!-- @end-sigstore-sign-help@ --> | ||
|
|
||
| ## Advanced signing use cases | ||
|
|
||
| ### Signing with ambient credentials | ||
|
|
||
| For environments that support OpenID Connect, natively `sigstore` supports ambient credential | ||
| detection. This includes many popular CI platforms and cloud providers. See the full list of | ||
| supported environments [here](https://github.com/di/id#supported-environments). | ||
|
|
||
| Sign a single file (`foo.txt`) using an ambient OpenID Connect credential, | ||
| saving the bundle to `foo.txt.sigstore`: | ||
|
|
||
| ```console | ||
| python -m sigstore sign foo.txt | ||
| ``` | ||
|
|
||
| ### Signing with an email identity | ||
|
|
||
| `sigstore` can use an OAuth2 + OpenID flow to establish an email identity, | ||
| allowing you to request signing certificates that attest to control over | ||
| that email. | ||
|
|
||
| Sign a single file (`foo.txt`) using the OAuth2 flow, saving the | ||
| bundle to `foo.txt.sigstore`: | ||
|
|
||
| ```console | ||
| python -m sigstore sign foo.txt | ||
| ``` | ||
|
|
||
| By default, `sigstore` attempts to do | ||
| [ambient credential detection](#signing-with-ambient-credentials), which may preempt | ||
| the OAuth2 flow. To force the OAuth2 flow, you can explicitly disable ambient detection: | ||
|
|
||
| ```console | ||
| python -m sigstore sign --oidc-disable-ambient-providers foo.txt | ||
| ``` | ||
|
|
||
| ### Signing with an explicit identity token | ||
|
|
||
| If you can't use an ambient credential or the OAuth2 flow, you can pass a pre-created | ||
| identity token directly into `sigstore sign`: | ||
|
|
||
| ```console | ||
| python -m sigstore sign --identity-token YOUR-LONG-JWT-HERE foo.txt | ||
| ``` | ||
|
|
||
| Note that passing a custom identity token does not circumvent Fulcio's requirements, | ||
| namely the Fulcio's supported identity providers and the claims expected within the token. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is referencing a really old version of the action -- is there a reason for that?
If not, I'd suggest the latest tag instead:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, I see the ancient version is also in sigstore-python's README 🤦 -- I'll fix that.