"Sigstore Announces the First Stable Release of Code and Certificate Signing Tool for Python"

The Sigstore community recently announced the first stable release of sigstore-python, enhancing software supply chain security and breaking ground for other Sigstore client implementations that are still in earlier stages. Sigstore is an open-source project established by the Linux Foundation to offer free and stable services that let all software developers easily sign, verify, and secure their software projects. Because key management is complex, code signing is difficult to deploy in open-source projects, despite its value in preventing hackers from co-opting patching systems and spreading malware. As part of the project, and with funding from Google's Open-Source Security Team, sigstore-python seeks to provide a Sigstore-compatible client similar to cosign that is written wholly in Python and is easily adoptable by the Python ecosystem. One of the two most distinguishing features of sigstore-python is the design of a public Python Application Programming Interface (API) and Command-Line Interface (CLI) that prevents the misuse of cryptographic tools, which relates to two project development primitives: signing and verifying. This article continues to discuss the goals of the 1.0 release of sigstore-python.

SC Magazine reports "Sigstore Announces the First Stable Release of Code and Certificate Signing Tool for Python"
