sigstore
Description:
Codesigning tool for Python packages
Type: Formula  |  Latest Version: 4.1.0@0  |  Tracked Since: Nov 1, 2025
Links: Homepage  |  formulae.brew.sh
Category: Security
Tags: security cryptography signing python devops
Install: brew install sigstore
About:
sigstore-python is a Python library and command-line tool (`sigstore`) for signing and verifying files, in particular Python package distributions, with the Sigstore framework. Instead of long-lived signing keys, it obtains a short-lived certificate from Sigstore's certificate authority (Fulcio) that is bound to an OpenID Connect identity, and records each signature in the Rekor transparency log, so a consumer can check not only that an artifact is unmodified but which identity signed it. It is also the signing library behind PEP 740, the PyPI standard for attaching digital attestations to uploaded distributions.
Key Features:
  • Signs Python distributions (wheels and sdists), or any other file, producing a Sigstore bundle that carries the signature, the signing certificate and the transparency-log entry
  • Authenticates the signer through OpenID Connect: an interactive browser login for a developer, or an ambient identity token in CI (e.g., GitHub Actions), so the certificate identity is a workflow URL or e-mail address rather than a key you have to manage
  • Verifies a bundle against an expected identity and OIDC issuer, so integrity and provenance are checked together rather than just "some valid signature exists"
  • Records every signature in the Rekor transparency log, giving an append-only, publicly auditable record of signing events
Use Cases:
  • Securing Python package supply chain by signing releases before publishing to PyPI
  • Verifying the authenticity and origin of downloaded Python packages in CI/CD pipelines
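The two use cases above, as an added example that is not part of the sigstore project or of this page: a POSIX shell wrapper around the `sigstore` CLI installed by the formula. It assumes sigstore-python 3.x, which writes one bundle per artifact as `<artifact>.sigstore.json`, and a hypothetical project `example-org/example-pkg` that releases from `.github/workflows/release.yml`; the `expected_gha_identity` helper and the script name are assumptions too. The point it makes is that verification must pin both the certificate identity and the OIDC issuer, otherwise any signature from the same issuer would pass.

```shell
#!/bin/sh
# Added example, not sigstore-python's own code. Assumes the `sigstore` CLI
# (3.x) from `brew install sigstore` is on PATH. Repository, workflow file
# and script name are hypothetical placeholders.

# OIDC issuer that Fulcio records for GitHub Actions ambient credentials.
GHA_ISSUER="https://token.actions.githubusercontent.com"

# Certificate identity Fulcio issues to a GitHub Actions workflow run:
#   https://github.com/<owner>/<repo>/.github/workflows/<file>@<git ref>
# Usage: expected_gha_identity OWNER/REPO WORKFLOW_FILE GIT_REF
expected_gha_identity() {
    printf 'https://github.com/%s/.github/workflows/%s@%s\n' "$1" "$2" "$3"
}

# Sign every wheel and sdist in a directory, one bundle per artifact.
# Run by a developer this opens a browser for OIDC login; inside GitHub
# Actions the CLI picks up the ambient id token (the job needs
# `permissions: id-token: write`).
sign_dist() {
    dir="$1"
    for artifact in "$dir"/*.whl "$dir"/*.tar.gz; do
        [ -f "$artifact" ] || continue
        sigstore sign --bundle "$artifact.sigstore.json" "$artifact"
    done
}

# Verify every artifact against a pinned identity AND issuer.
# Returns 0 only if every artifact present verifies.
verify_dist() {
    dir="$1"; identity="$2"; issuer="$3"
    status=0
    for artifact in "$dir"/*.whl "$dir"/*.tar.gz; do
        [ -f "$artifact" ] || continue
        if sigstore verify identity \
            --bundle "$artifact.sigstore.json" \
            --cert-identity "$identity" \
            --cert-oidc-issuer "$issuer" \
            "$artifact"; then
            echo "OK   $artifact"
        else
            echo "FAIL $artifact" >&2
            status=1
        fi
    done
    return "$status"
}

# ./sign-verify.sh sign dist
# ./sign-verify.sh verify dist refs/tags/v1.2.3
case "${1:-}" in
    sign)
        sign_dist "${2:-dist}"
        ;;
    verify)
        verify_dist "${2:-dist}" \
            "$(expected_gha_identity example-org/example-pkg release.yml "${3:-refs/heads/main}")" \
            "$GHA_ISSUER"
        ;;
    *)
        ;;
esac
```

Both `sigstore sign` and `sigstore verify` need network access: signing talks to Fulcio and Rekor, and verification fetches the Sigstore trust root via TUF and checks the bundle's log entry. A successful `verify identity` proves that the named identity produced the signature; whether that identity is one you trust to release the package is a policy decision the script above encodes by hard-pinning the workflow URL and ref. For CI-built artifacts, `sigstore verify github` can additionally pin the repository, ref and commit SHA recorded in the certificate.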
Alternatives:
  • GPG – Sigstore uses short-lived certificates bound to an OIDC identity, so there is no long-lived private key to generate, protect, rotate or distribute, and no web of trust to maintain; the transparency log replaces key servers as the public record.
  • python-tuf – TUF secures the update channel (which versions exist, from which repository, how fresh the metadata is), while Sigstore signs the artifacts themselves and binds them to an identity. The two are complementary rather than competing.
Version History
Detected              Version  Rev  Change         Commit
Jan 26, 2026 5:41pm   -        0    REVISION_ONLY  31e7885a
Jan 17, 2026 8:18am   -        3    REVISION_ONLY  373ecc0c
Jan 11, 2026 8:20am   -        2    REVISION_ONLY  39aebcc9
Nov 1, 2025 2:53pm    -        0    VERSION_BUMP   0b05002b
Sep 14, 2025 4:31am   -        1    VERSION_BUMP   450d2007
Aug 26, 2025 10:05am  -        1    VERSION_BUMP   eed4c297
Aug 26, 2025 8:23am   -        1    VERSION_BUMP   9442bdc8
Dec 11, 2024 12:55am  -        0    VERSION_BUMP   24bbe7df
Dec 4, 2024 8:15am    -        1    VERSION_BUMP   e512569d
Oct 12, 2024 11:05am  -        0    VERSION_BUMP   c2437abf
Sep 14, 2024 5:01am   -        0    VERSION_BUMP   bf6a0899