
Sigstore announces the first stable release of code and certificate signing tool for Python


The Sigstore community today announced the first stable release of sigstore-python, a step forward for software supply chain security that also paves the way for other Sigstore client implementations still in earlier stages of development.

Sigstore is an open source project under the Linux Foundation with the goal of providing free and stable services that let any developer easily sign, verify and protect their software projects. Code signing is a valuable tool for preventing attackers from co-opting update and patching systems to deliver malware, but it has been difficult to adopt in open source projects because of the complexity of managing long-lived signing keys. Sigstore sidesteps that problem with a "keyless" flow: a signer authenticates with an OpenID Connect identity, receives a short-lived signing certificate bound to that identity, and the signature is recorded in a public transparency log, so no private key has to be stored or rotated.

sigstore-python, part of the project and funded by Google's Open Source Security Team, aims to provide a Sigstore-compatible client comparable to cosign, but built entirely in Python so that it can be adopted easily across the Python ecosystem.

"Today's release of sigstore-python is an important milestone for the sigstore and Python communities," Bob Callaway, co-founder of the sigstore project and technical lead and manager of Google's Open Source Security Team, told SC Media. "The release of a stable, Python-native implementation of Sigstore's signing and verification workflows enables Python developers and package maintainers to improve the security of the Python software supply chain without the overhead of managing private keys." 

sigstore-python is just one of many Sigstore clients under development, alongside implementations for languages such as Ruby, Java, Rust, Go, and JavaScript. While it is not the oldest implementation, it aims to be one of the most authoritative in terms of "succinctly and correctly implementing the intricacies of Sigstore's security model," which could set a critical technical foundation for other client implementations, said William Woodruff, one of the major contributors to sigstore-python and senior security engineer at Trail of Bits.

"Sigstore-python is meant to be a 'reference' implementation of a Sigstore client, which means that it will be a key technical reference for other client implementations of Sigstore that are in earlier development phases (like the Rust implementation)," Woodruff told SC Media. "I feel like I can confidently say that the codebase as a whole is really meant to be read and consumed by others in the Sigstore community and that maintaining the level of reference-ability is one of our key long-term goals as we continue to add features."  

One of sigstore-python's most distinctive features is a public Python API and command-line interface (CLI) designed so that its two core primitives, signing and verifying, are hard to misuse: a caller cannot, for example, verify a signature without also stating which identity and OIDC issuer the signing certificate is expected to carry.
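To make the "security model" that the clients are expected to implement concrete, here is an added example that is not code from sigstore-python or any other Sigstore client. Using only the Python standard library, it models the three checks a keyless verification has to pass beyond the raw signature check: the certificate's identity and issuer must match the caller's policy, the certificate must have been valid at the transparency log's integrated time (not at verification time, since Fulcio certificates live only minutes), and the log entry must carry a valid RFC 6962 Merkle inclusion proof, as Rekor entries do. The bundle, certificate claims and log leaves are constructed for illustration; the ECDSA signature, certificate chain and signed tree head verification that a real client also performs are not modelled.

```python
"""Added example: the policy, time-window and transparency checks of a keyless
Sigstore verification, modelled with the standard library. Bundle layout and
log contents below are constructed, not a real Sigstore bundle or Rekor entry."""
import hashlib
from datetime import datetime, timezone


# 1. Verification policy: pin WHO signed, not just that something was signed.
def identity_policy_ok(cert_claims: dict, expected_identity: str, expected_issuer: str) -> bool:
    """cert_claims models the Fulcio certificate's SAN (identity) and OIDC issuer
    extension. Skipping this check accepts a signature from any OIDC login."""
    return (cert_claims.get("identity") == expected_identity
            and cert_claims.get("issuer") == expected_issuer)


# 2. Time: the signing certificate lives ~10 minutes, so validity is judged at
#    the transparency log's integrated time, not at verification time.
def cert_valid_at(not_before: datetime, not_after: datetime, integrated_time: datetime) -> bool:
    return not_before <= integrated_time <= not_after


# 3. Transparency: RFC 6962 Merkle tree and inclusion proof, as used by Rekor.
def _leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()


def _node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (RFC 6962 tree shape)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: list[bytes]) -> bytes:
    if len(leaves) == 1:
        return _leaf_hash(leaves[0])
    k = _split(len(leaves))
    return _node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: list[bytes], index: int) -> list[bytes]:
    """Audit path from leaf `index` up to the root (what the log hands the client)."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, tree_size: int, proof: list[bytes], root: bytes) -> bool:
    """Inclusion-proof verification per RFC 9162 section 2.1.3.2."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, _leaf_hash(leaf)
    for p in proof:
        if sn == 0:
            return False  # proof is longer than the tree height
        if fn & 1 or fn == sn:
            r = _node_hash(p, r)
            while fn and not fn & 1:  # skip levels where we are the lone right child
                fn >>= 1
                sn >>= 1
        else:
            r = _node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def verify_bundle(artifact: bytes, bundle: dict, expected_identity: str,
                  expected_issuer: str, log_root: bytes) -> dict:
    """Run every check on a constructed bundle; a real client fails closed if any is False."""
    cert, tlog = bundle["cert"], bundle["tlog"]
    return {
        "digest": hashlib.sha256(artifact).hexdigest() == bundle["message_digest_sha256"],
        "identity": identity_policy_ok(cert, expected_identity, expected_issuer),
        "time": cert_valid_at(cert["not_before"], cert["not_after"], tlog["integrated_time"]),
        "inclusion": verify_inclusion(tlog["leaf"], tlog["log_index"], tlog["tree_size"],
                                      tlog["inclusion_proof"], log_root),
    }


# Constructed sample: a four-entry log in which our entry is index 2.
LOG_LEAVES = [b"entry-0", b"entry-1", b"our-entry", b"entry-3"]
ARTIFACT = b"print('hello')\n"
UTC = timezone.utc
BUNDLE = {
    "message_digest_sha256": hashlib.sha256(ARTIFACT).hexdigest(),
    "cert": {  # hypothetical GitHub Actions workflow identity
        "identity": "https://github.com/example/repo/.github/workflows/release.yml@refs/tags/v1.0.0",
        "issuer": "https://token.actions.githubusercontent.com",
        "not_before": datetime(2023, 1, 10, 12, 0, tzinfo=UTC),
        "not_after": datetime(2023, 1, 10, 12, 10, tzinfo=UTC),
    },
    "tlog": {
        "integrated_time": datetime(2023, 1, 10, 12, 3, tzinfo=UTC),
        "log_index": 2, "tree_size": 4, "leaf": LOG_LEAVES[2],
        "inclusion_proof": inclusion_proof(LOG_LEAVES, 2),
    },
}

if __name__ == "__main__":
    print(verify_bundle(ARTIFACT, BUNDLE, BUNDLE["cert"]["identity"],
                        BUNDLE["cert"]["issuer"], merkle_root(LOG_LEAVES)))
```

The point of keeping `expected_identity` and `expected_issuer` as mandatory parameters mirrors the design choice described above: a verify call that accepts "any valid Sigstore signature" would be satisfied by a certificate issued to an attacker's own OIDC account, so the identity is part of the verification input rather than an optional filter.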

As for next steps, Woodruff said his team has been working with other members of the Sigstore community to standardize the bundle format for signing materials, and hopes to add support for signing and verifying with bundles soon.

In addition, his team will work to further integrate Sigstore into the Python Package Index (PyPI), the package repository most Python developers install from, and to stabilize the project's associated GitHub Action.

"GitHub is proud to collaborate with the open source community on Sigstore specifications, implementation, and helping run the public servers to see this capability come to life on PyPI, npm, and other package managers," Trevor Rosen, member of the Sigstore technical steering committee and staff engineering manager at GitHub, told SC Media.

"[Sigstore] is eager to continue working with the Python community on integrating sigstore-python into Python's packaging tools and infrastructure so that Python developers can reap the benefits of modern, transparent, digital signatures," Callaway added. 

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.
