Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding information on Python Language Client #333

Closed
wants to merge 8 commits into from
Closed
Show file tree
Hide file tree
Changes from 5 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions content/en/language_clients/_index.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
---
type: docs
title: "Language Clients"
description: "Language Clients"
lead: "Language Clients"
date: 2024-10-06T08:49:15+00:00
lastmod: 2024-10-06T08:49:15+00:00
draft: false
images: []
weight: 20
---
19 changes: 19 additions & 0 deletions content/en/language_clients/language_client_overview.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
---
type: docs
category: Language Clients
title: Language Client Overview
weight: 5
---

Sigstore uses [cosign](../../cosign/signing/overview) to sign and verify packages by default, but you can opt to use a language specific client instead.

Check failure on line 8 in content/en/language_clients/language_client_overview.md

View workflow job for this annotation

GitHub Actions / markdownlint

Trailing spaces

content/en/language_clients/language_client_overview.md:8:153 MD009/no-trailing-spaces Trailing spaces [Expected: 0 or 2; Actual: 1] https://github.com/DavidAnson/markdownlint/blob/v0.29.0/doc/md009.md

Sigstore has clients for the following language ecosystems:

- [Python](./python/python_client_overview)
- [Rust](https://github.com/sigstore/sigstore-rs#features)
- [Ruby](https://github.com/sigstore/sigstore-ruby#sigstore)
- [JavaScript](https://github.com/sigstore/sigstore-js#sigstore-js---)
- [Java](https://github.com/sigstore/sigstore-java#sigstore-java)
- [Go](https://github.com/sigstore/sigstore-go#sigstore-go)

Currently, language client documentation is hosted in the individual project repositories. This documentation is being migrated to the general sigstore docs.

Check failure on line 19 in content/en/language_clients/language_client_overview.md

View workflow job for this annotation

GitHub Actions / markdownlint

Files should end with a single newline character

content/en/language_clients/language_client_overview.md:19:157 MD047/single-trailing-newline Files should end with a single newline character https://github.com/DavidAnson/markdownlint/blob/v0.29.0/doc/md047.md
11 changes: 11 additions & 0 deletions content/en/language_clients/python/_index.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
---
type: docs
title: "Python"
description: "sigstore-python"
lead: "Python Language Client"
date: 2024-10-06T08:49:15+00:00
lastmod: 2024-10-06T08:49:15+00:00
draft: false
images: []
weight: 15
---
24 changes: 24 additions & 0 deletions content/en/language_clients/python/github_action.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
---
type: docs
category: Python
menuTitle: GitHub Action
title: GitHub Action
weight: 50
---

## GitHub Actions

`sigstore-python` has [an official GitHub Action](https://github.com/sigstore/gh-action-sigstore-python)!

You can install it from the [GitHub Marketplace](https://github.com/marketplace/actions/gh-action-sigstore-python), or add it to your CI manually:

```yaml
jobs:
sigstore-python:
steps:
- uses: sigstore/[email protected]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is referencing a really old version of the action -- is there a reason for that?

If not, I'd suggest the latest tag instead:

Suggested change
- uses: sigstore/gh-action-sigstore-python@v0.2.0
- uses: sigstore/gh-action-sigstore-python@v3.0.0

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I see the ancient version is also in sigstore-python's README 🤦 -- I'll fix that.

with:
inputs: foo.txt
```

See the [action documentation](https://github.com/sigstore/gh-action-sigstore-python/blob/main/README.md) for more details and usage examples.

Check failure on line 24 in content/en/language_clients/python/github_action.md

View workflow job for this annotation

GitHub Actions / markdownlint

Files should end with a single newline character

content/en/language_clients/python/github_action.md:24:142 MD047/single-trailing-newline Files should end with a single newline character https://github.com/DavidAnson/markdownlint/blob/v0.29.0/doc/md047.md
21 changes: 21 additions & 0 deletions content/en/language_clients/python/installation.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
---
type: docs
category: Python
menuTitle: Installation
title: Installation
weight: 5
---

`sigstore` requires Python 3.8 or newer, and can be installed directly via `pip`:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Requires 3.9 as of release 3.4:

Suggested change
`sigstore` requires Python 3.8 or newer, and can be installed directly via `pip`:
`sigstore` requires Python 3.9 or newer, and can be installed directly via `pip`:


```console
python -m pip install sigstore
```

Optionally, to install `sigstore` and all its dependencies with [hash-checking mode](https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking-mode) enabled, run the following:

```console
python -m pip install -r https://raw.githubusercontent.com/sigstore/sigstore-python/main/install/requirements.txt
```

This installs the up-to-date [requirements file](https://github.com/sigstore/sigstore-python/blob/main/install/requirements.txt).
60 changes: 60 additions & 0 deletions content/en/language_clients/python/python_client_overview.md
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like a verbatim (or close to verbatim) copy of the README, which makes me worry that it'll diverge/desync over time. Is there a way we can automatically keep it up to date?

If not, I suppose having a periodic reminder (or automatic issue trigger that runs on new sigstore-python releases) to periodically update these docs wouldn't be the worst thing.

(In particular, things like the <!-- @begin-sigstore-help@ --> blocks are tracked automatically by sigstore-python's own CI processes.)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@woodruffw this is a good point. I originally intended to open a PR in the sigstore-python repo that removed repetition and linked to the docs on the main sigstore docs site. I am in conversation with the @haydentherapper and @cmurphy about this issue and may pivot towards most of the documentation staying in the sigstore-python repo and a a fairly lean page on the main sigstore docs which will link back to the repo's readme. Do you have a preference?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No strong preference from me! If the plan is to have the main Sigstore site be the "global" source of documentation for all clients, then I'm happy to have the majority of the current sigstore-python README get deleted and live there instead.

OTOH the self-updating --help sections might be hard to track on the main Sigstore site. So those might make sense to leave in the repo's README while the rest moves to the Sigstore site.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@woodruffw it sounds like @cmurphy and @haydentherapper are on board with a more abridged version on this site. It will mean that the information between the different language clients can be a little more uniform. I am going to close this PR for now and will tag you in the lighter PR that I am opening now. Thanks for your review and feedback!

Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
---
type: docs
category: Python
menuTitle: Python Client Overview
title: Python Client Overview
weight: 1
---

[`sigstore`](https://pypi.org/project/sigstore/) is a Python tool for generating and verifying Sigstore signatures. You can use it to sign and verify Python package distributions, or anything else!

## Features

* Supports keyless signature generation and verification
* Supports signing with ["ambient" OpenID Connect identities ](../signing#signing-with-ambient-credentials)

Check failure on line 14 in content/en/language_clients/python/python_client_overview.md

View workflow job for this annotation

GitHub Actions / markdownlint

Spaces inside link text

content/en/language_clients/python/python_client_overview.md:14:25 MD039/no-space-in-links Spaces inside link text [Context: "...t" OpenID Connect identities ]"] https://github.com/DavidAnson/markdownlint/blob/v0.29.0/doc/md039.md
* A comprehensive [CLI](#usage) and corresponding [importable Python API](https://sigstore.github.io/sigstore-python)
* An official [GitHub Action](../github_action)

## Usage

Check failure on line 18 in content/en/language_clients/python/python_client_overview.md

View workflow job for this annotation

GitHub Actions / markdownlint

Trailing spaces

content/en/language_clients/python/python_client_overview.md:18:9 MD009/no-trailing-spaces Trailing spaces [Expected: 0 or 2; Actual: 1] https://github.com/DavidAnson/markdownlint/blob/v0.29.0/doc/md009.md

For Python API usage, see our [API documentation](https://sigstore.github.io/sigstore-python/).

You can run `sigstore` as a standalone program, or via `python -m`:

```console
sigstore --help
python -m sigstore --help
```

Top-level:

<!-- @begin-sigstore-help@ -->
```

Check failure on line 32 in content/en/language_clients/python/python_client_overview.md

View workflow job for this annotation

GitHub Actions / markdownlint

Fenced code blocks should have a language specified

content/en/language_clients/python/python_client_overview.md:32 MD040/fenced-code-language Fenced code blocks should have a language specified [Context: "```"] https://github.com/DavidAnson/markdownlint/blob/v0.29.0/doc/md040.md
usage: sigstore [-h] [-v] [-V] [--staging | --trust-config FILE] COMMAND ...

a tool for signing and verifying Python package distributions

positional arguments:
COMMAND the operation to perform
sign sign one or more inputs
verify verify one or more inputs
get-identity-token
retrieve and return a Sigstore-compatible OpenID
Connect token
plumbing developer-only plumbing operations

optional arguments:
-h, --help show this help message and exit
-v, --verbose run with additional debug logging; supply multiple
times to increase verbosity (default: 0)
-V, --version show program's version number and exit
--staging Use sigstore's staging instances, instead of the
default production instances (default: False)
--trust-config FILE The client trust configuration to use (default: None)
```
<!-- @end-sigstore-help@ -->

### SLSA Provenance

Check failure on line 57 in content/en/language_clients/python/python_client_overview.md

View workflow job for this annotation

GitHub Actions / markdownlint

Headings should be surrounded by blank lines

content/en/language_clients/python/python_client_overview.md:57 MD022/blanks-around-headings/blanks-around-headers Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "### SLSA Provenance"] https://github.com/DavidAnson/markdownlint/blob/v0.29.0/doc/md022.md
This project emits a SLSA provenance on its release! This enables you to verify the integrity of the downloaded artifacts and ensured that the binary's code really comes from this source code.

To do so, please follow the instructions [here](https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance).

Check failure on line 60 in content/en/language_clients/python/python_client_overview.md

View workflow job for this annotation

GitHub Actions / markdownlint

Files should end with a single newline character

content/en/language_clients/python/python_client_overview.md:60:132 MD047/single-trailing-newline Files should end with a single newline character https://github.com/DavidAnson/markdownlint/blob/v0.29.0/doc/md047.md
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this link is out of date (it's wrong in the sigstore-python readme too) - I think it's supposed to be https://github.com/slsa-framework/slsa-github-generator#verify-provenance

19 changes: 19 additions & 0 deletions content/en/language_clients/python/root_of_trust.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
---
type: docs
category: Python
menuTitle: Custom root of trust
title: Custom root of trust
weight: 30
---
## Configuring a custom root of trust ("BYO PKI")

Apart from the default and "staging" Sigstore instances, `sigstore` also supports "BYO PKI" setups, where a user maintains their own Sigstore instance services.

These are supported via the `--trust-config` flag, which accepts a JSON-formatted file conforming to the `ClientTrustConfig` message in the [Sigstore protobuf specs](https://github.com/sigstore/protobuf-specs). This file configures the entire Sigstore instance state, *including* the URIs used to access the CA and artifact transparency services as well as the cryptographic root of trust itself.

To use a custom client config, prepend `--trust-config` to any `sigstore` command:

```console
$ sigstore --trust-config custom.trustconfig.json sign foo.txt

Check failure on line 17 in content/en/language_clients/python/root_of_trust.md

View workflow job for this annotation

GitHub Actions / markdownlint

Dollar signs used before commands without showing output

content/en/language_clients/python/root_of_trust.md:17:1 MD014/commands-show-output Dollar signs used before commands without showing output [Context: "$ sigstore --trust-config cust..."] https://github.com/DavidAnson/markdownlint/blob/v0.29.0/doc/md014.md
$ sigstore --trust-config custom.trustconfig.json verify identity foo.txt ...

Check failure on line 18 in content/en/language_clients/python/root_of_trust.md

View workflow job for this annotation

GitHub Actions / markdownlint

Dollar signs used before commands without showing output

content/en/language_clients/python/root_of_trust.md:18:1 MD014/commands-show-output Dollar signs used before commands without showing output [Context: "$ sigstore --trust-config cust..."] https://github.com/DavidAnson/markdownlint/blob/v0.29.0/doc/md014.md
```
110 changes: 110 additions & 0 deletions content/en/language_clients/python/signing.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
---
type: docs
category: Python
menuTitle: Signing
title: Signing
weight: 10
---

<!-- @begin-sigstore-sign-help@ -->
```
usage: sigstore sign [-h] [-v] [--identity-token TOKEN] [--oidc-client-id ID]
[--oidc-client-secret SECRET]
[--oidc-disable-ambient-providers] [--oidc-issuer URL]
[--oauth-force-oob] [--no-default-files]
[--signature FILE] [--certificate FILE] [--bundle FILE]
[--output-directory DIR] [--overwrite]
FILE [FILE ...]

positional arguments:
FILE The file to sign

optional arguments:
-h, --help show this help message and exit
-v, --verbose run with additional debug logging; supply multiple
times to increase verbosity (default: 0)

OpenID Connect options:
--identity-token TOKEN
the OIDC identity token to use (default: None)
--oidc-client-id ID The custom OpenID Connect client ID to use during
OAuth2 (default: sigstore)
--oidc-client-secret SECRET
The custom OpenID Connect client secret to use during
OAuth2 (default: None)
--oidc-disable-ambient-providers
Disable ambient OpenID Connect credential detection
(e.g. on GitHub Actions) (default: False)
--oidc-issuer URL The OpenID Connect issuer to use (conflicts with
--staging) (default: https://oauth2.sigstore.dev/auth)
--oauth-force-oob Force an out-of-band OAuth flow and do not
automatically start the default web browser (default:
False)

Output options:
--no-default-files Don't emit the default output files
({input}.sigstore.json) (default: False)
--signature FILE, --output-signature FILE
Write a single signature to the given file; does not
work with multiple input files (default: None)
--certificate FILE, --output-certificate FILE
Write a single certificate to the given file; does not
work with multiple input files (default: None)
--bundle FILE Write a single Sigstore bundle to the given file; does
not work with multiple input files (default: None)
--output-directory DIR
Write default outputs to the given directory
(conflicts with --signature, --certificate, --bundle)
(default: None)
--overwrite Overwrite preexisting signature and certificate
outputs, if present (default: False)
```
<!-- @end-sigstore-sign-help@ -->

## Advanced signing use cases

### Signing with ambient credentials

For environments that support OpenID Connect, natively `sigstore` supports ambient credential
detection. This includes many popular CI platforms and cloud providers. See the full list of
supported environments [here](https://github.com/di/id#supported-environments).

Sign a single file (`foo.txt`) using an ambient OpenID Connect credential,
saving the bundle to `foo.txt.sigstore`:

```console
$ python -m sigstore sign foo.txt
```

### Signing with an email identity

`sigstore` can use an OAuth2 + OpenID flow to establish an email identity,
allowing you to request signing certificates that attest to control over
that email.

Sign a single file (`foo.txt`) using the OAuth2 flow, saving the
bundle to `foo.txt.sigstore`:

```console
$ python -m sigstore sign foo.txt
```

By default, `sigstore` attempts to do
[ambient credential detection](#signing-with-ambient-credentials), which may preempt
the OAuth2 flow. To force the OAuth2 flow, you can explicitly disable ambient detection:

```console
$ python -m sigstore sign --oidc-disable-ambient-providers foo.txt
```

### Signing with an explicit identity token

If you can't use an ambient credential or the OAuth2 flow, you can pass a pre-created
identity token directly into `sigstore sign`:

```console
$ python -m sigstore sign --identity-token YOUR-LONG-JWT-HERE foo.txt
```

Note that passing a custom identity token does not circumvent Fulcio's requirements,
namely the Fulcio's supported identity providers and the claims expected within the token.
Loading
Loading