Metadata-Version: 2.4
Name: pubtools-sign
Version: 0.0.11
Summary: Collection of tools producing signed artifacts
Author-email: Jindrich Luza <jluza@redhat.com>
License-File: LICENSE
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Topic :: Software Development :: Build Tools
Requires-Python: >=3.7
Requires-Dist: ansible-core
Requires-Dist: click
Requires-Dist: marshmallow
Requires-Dist: monotonic
Requires-Dist: opentelemetry-api==1.20.0
Requires-Dist: opentelemetry-exporter-otlp==1.20.0
Requires-Dist: opentelemetry-sdk==1.20.0
Requires-Dist: piny
Requires-Dist: pubtools>=1.4.0
Requires-Dist: pyopenssl
Requires-Dist: python-qpid-proton
Requires-Dist: requests
Requires-Dist: typing-extensions
Provides-Extra: dev
Requires-Dist: pytest; extra == 'dev'
Requires-Dist: tox; extra == 'dev'
Description-Content-Type: text/x-rst

===============
 pubtools-sign
===============

Set of scripts used for signing artifacts via configured signers 


Requirements
============

* Python 3.7+

Features
========
* pubtools-sign
* pubtools-sign-clearsign 
* pubtools-sign-containersign 

Setup
=====

::

  $ pip install -r requirements.txt
  $ pip install . 
  or
  $ python setup.py install

Usage
=====

::

  $ pubtools-sign --help
  $ pubtools-sign-clearsign --help
  $ pubtools-sign-containersign --help

Configuration
=============

Configuration is done via a yaml file. The default location is `~/.config/.pubtools-sign/conf.yaml` or `/etc/pubtools-sign/conf.yaml`. You can also specify a custom location via the `--config` argument. The configuration file is divided into sections, each section is a signer. Each signer has a set of attributes that are used to configure the signer
Conf.yaml has following structure:::

  msg_signer:
    messaging_brokers:
      - <protocol://<host>:<port> for messaging broker
    messaging_cert_key: <path to messaging client key + certificate in PEM format>
    messaging_ca_cert: <path to CA certificate bundle>
    topic_send_to: topic://<topic> - topic where to send signing requests
    topic_listen_to: queue://<queue> - queue where to listen for answers from signing server. Supported templating variables: {creator - UID from client cert}, {task_id}
    environment: <env> - environment attribute which is included in signing request
    service: <service> - service attribute which is included in signing request
    timeout: <int> - timeout for signing request
    retries: <int> - number of retries for receiving signing responses from messaging brokers
    send_retries: <int> - number of retries for whole send + receive cycle
    message_id_key: <id> - attribute in message response used as unique identifier for signing request
    log_level: <level> - log level for pubtools-sign
  cosign_signer:
    rekor_url: <rekor-url>
    upload_tlog: <true|false>
    registry_user: <user> - used to login to registry where images will be signed
    registry_password: <password>
    env_variables:
      <key>: <val> - mapping of environment variables used in signing process. This can be used for example for AWS setup
    key_aliases:
      <alias>: <key> - mapping of key aliases to actual keys. When passing alias as signing key, <key> is used instead. This
                       way you cna define for example "prod-key" alias and have different real keys for different signers
