<div align="center">
<a href="https://github.com/opensecurity/sigmate-py">
</a>
<h1 align="center">sigmate</h1>
<p align="center">
A modern, developer-focused CLI for cryptographic file signing and verification.
<br />
<a href="#why-sigmate"><strong>Explore the features »</strong></a>
<br />
<br />
<a href="https://github.com/opensecurity/sigmate-py/issues/new?template=bug_report.md">Report Bug</a>
·
<a href="https://github.com/opensecurity/sigmate-py/issues/new?template=feature_request.md">Request Feature</a>
</p>
</div>
<div align="center">
<img src="https://img.shields.io/pypi/v/sigmate.svg?style=for-the-badge&logo=pypi&color=blue" alt="PyPI Version">
<img src="https://img.shields.io/github/license/opensecurity/sigmate?style=for-the-badge&color=blue" alt="License">
<img src="https://img.shields.io/badge/code%20style-black-000000.svg?style=for-the-badge" alt="Code Style: Black">
</div>
---
## About The Project
**`sigmate`** provides a fast, understandable, and secure workflow for signing and verifying files. Built for developers, release managers, and security teams, it replaces the complex and often opaque processes of tools like GPG with a streamlined, modern alternative based on Ed25519 cryptography.
The core philosophy is simple: signing should be easy, verification should be trustworthy, and the metadata accompanying a signature should be as valuable as the signature itself. `sigmate` generates structured, auditable artifacts that integrate seamlessly into CI/CD pipelines and supply chain security workflows.
### Why sigmate?
* **Developer-Focused:** Simple, intuitive commands and a configuration model that feels familiar.
* **Transparent & Auditable:** Generates human-readable JSON metadata and CycloneDX-compatible SBOMs alongside raw signatures.
* **Modern Cryptography:** Uses the fast and secure Ed25519 signature algorithm by default.
* **Decoupled Trust:** Manages a local "keyring" for convenience and a separate "trust store" for auditable policy, preventing accidental trust and enhancing security.
---
## 🚀 Getting Started
### Prerequisites
* Python 3.10+
* `pip` and `pipx` (recommended)
### Installation
The recommended way to install `sigmate` is with `pipx`, which installs the CLI and its dependencies in an isolated environment, separate from your other Python projects.
```bash
pipx install sigmate
```
Alternatively, for development:
```bash
# Clone the repository
git clone https://github.com/opensecurity/sigmate-py.git
cd sigmate-py
# Install with Poetry
poetry install
```
### First-Time Configuration
Before you start signing, run the interactive `configure` command to set up your default identity and key paths. This is a one-time setup.
```bash
sigmate configure
```
This will prompt you for:
1. **Your default private key** used for signing.
2. **Your default signer identity** (it will try to detect this from your git configuration).
3. The location of your **public key keyring**, where keys of other trusted signers will be stored.
-----
## Core Concepts
`sigmate` manages four key artifacts:
| Artifact | Location (Default) | Purpose |
| ------------------------- | --------------------------------------- | -------------------------------------------------------------------------------------- |
| **Signature** (`.sig`) | `./signatures/` | The raw, binary Ed25519 signature. Provides cryptographic proof of authenticity. |
| **Metadata** (`.meta.json`) | `./signatures/sigmate.meta.json` | A JSON "receipt" for each signing operation, detailing who, what, when, and how. |
| **Keyring** | `~/.config/sigmate/keys/` | A directory of named `.pub` files for trusted public keys, used for convenient verification. |
| **Trust Store** | `~/.config/sigmate/trusted_...json` | An audit log of which key fingerprints are trusted, by whom, and with what status. |
-----
## Usage
### 1. Signing Files
The `sign` command generates cryptographic signatures and metadata for your files.
```bash
# Sign an entire directory, creating both .sig and .meta.json files
sigmate sign --walk ./my-project --both
# Sign a single file with an expiration of 72 hours
sigmate sign --file ./release.zip --expires-in 72 --both
# Sign files and generate a CycloneDX SBOM for supply chain security
sigmate sign --walk ./app --both --sbom
```
### 2. Trusting Other Signers
Before you can verify a signature from someone else, you must explicitly add their public key to your keyring and trust store.
```bash
# Add Alice's public key, give it the name "alice", and record that you added it
sigmate trust add /path/to/alice.pem --name alice --added-by "Your Name"
# Later, update the status of Alice's key to 'verified' after vetting her identity
sigmate trust update <alice_fingerprint> --status verified --updated-by "Your Name"
```
### 3. Verifying Signatures
The `verify` command checks the integrity and authenticity of files.
```bash
# Verify a directory using the key of a trusted signer from your keyring
sigmate verify --walk ./downloaded-project --signer alice
# Verify a single file using a specific public key file
sigmate verify --file important.dat --key /path/to/key.pem
# Get a machine-readable JSON report of the verification
sigmate verify --walk ./app --signer alice --json
```
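The decoupling described above (a keyring that says which key to use, a trust store that says whether that key may be relied on, and metadata that carries an expiry) is easy to get wrong when scripted by hand. The following is an added illustration of that verification policy, not sigmate's own code: it uses the `cryptography` library's Ed25519 primitives, and the fingerprint scheme, the receipt fields and the canonical signed message are assumptions rather than sigmate's on-disk formats. It shows why the expiry must be inside the signed message and why `revoked` must fail even when `--require-trusted` is not requested.

```python
import hashlib, json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
# Constructed illustration of the README's policy; fingerprint scheme, receipt fields and signed message are assumptions, not sigmate's formats.

def fingerprint(pub):
    raw = pub.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    return hashlib.sha256(raw).hexdigest()  # hypothetical: SHA-256 of the raw public key

def _message(receipt):
    # Canonical JSON over every receipt field except the signature, so an edited expiry or digest breaks the signature.
    body = {k: v for k, v in receipt.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()

def sign(priv, data, now, expires_in_h=None):
    """Return a receipt (stand-in for one .meta.json entry) binding digest, signer and expiry."""
    receipt = {"signer_fpr": fingerprint(priv.public_key()),
               "sha256": hashlib.sha256(data).hexdigest(), "signed_at": now,
               "expires_at": None if expires_in_h is None else now + expires_in_h * 3600}
    receipt["signature"] = priv.sign(_message(receipt)).hex()
    return receipt

def verify(r, data, keyring, trust_store, now, require_trusted=False):
    pub = keyring.get(r["signer_fpr"])
    if pub is None:
        return False, "signer not in keyring"
    status = trust_store.get(r["signer_fpr"], "absent")
    if status == "revoked":
        return False, "signer key revoked"
    if require_trusted and status != "verified":
        return False, "signer status is %s, not verified" % status
    if r["expires_at"] is not None and now > r["expires_at"]:
        return False, "signature expired"
    try:  # authenticate the metadata, then compare the file against the signed digest
        pub.verify(bytes.fromhex(r["signature"]), _message(r))
    except InvalidSignature:
        return False, "invalid signature over metadata"
    if hashlib.sha256(data).hexdigest() != r["sha256"]:
        return False, "file does not match signed digest"
    return True, "ok"

def demo():
    # Constructed scenario: Alice signs release data with a 72-hour expiry (cf. --expires-in 72).
    alice, data, t0 = Ed25519PrivateKey.generate(), b"release.zip (constructed)", 1_700_000_000
    r = sign(alice, data, t0, expires_in_h=72)
    fpr = r["signer_fpr"]; keyring, ok = {fpr: alice.public_key()}, {fpr: "verified"}
    return {
        "verified": verify(r, data, keyring, ok, t0, require_trusted=True)[0],
        "added_only": verify(r, data, keyring, {fpr: "added"}, t0, require_trusted=True)[0],
        "tampered_file": verify(r, data + b"x", keyring, ok, t0)[0],
        "edited_expiry": verify({**r, "expires_at": t0 + 10**7}, data, keyring, ok, t0)[0],
        "expired": verify(r, data, keyring, ok, t0 + 73 * 3600)[0],
        "revoked": verify(r, data, keyring, {fpr: "revoked"}, t0)[0],
    }
```

Only the `verified` case passes; a key that was merely added (the state right after `trust add`) is rejected when trust is required, and moving the expiry forward in the receipt fails because the expiry is part of what was signed.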
-----
## Command Reference
### `sigmate sign`
* **Target:** Specify files with `<path>`, `--walk <dir>`, or `--list <file>`.
* **Output Types:**
  * `--raw`: Creates individual `.sig` files.
  * `--meta`: Creates a central `sigmate.meta.json`.
  * `--both`: Creates both raw and meta artifacts.
* **Key Options:**
  * `--key <path>`: Path to the private key (overrides configured default).
  * `--identity "Name <email>"`: Signer identity (overrides configured default).
  * `--output <dir>`: Specify a custom output directory for artifacts.
  * `--no-abspath`: Store relative paths in metadata for portability.
### `sigmate verify`
* **Target:** Specify files with `<path>`, `--walk <dir>`, or `--list <file>`.
* **Key Source (choose one):**
  * `--key <path>`: Use a public key from a specific file path.
  * `--signer <name>`: Use a public key from your keyring by its trusted name.
* **Key Options:**
  * `--require-trusted`: Fail verification if the signer's key is not marked as 'verified' in the trust store.
  * `--sig-type [raw|meta|auto]`: Specify which signature artifact to use.
  * `--json`: Output a machine-readable JSON report.
### `sigmate trust`
* `add <keyfile> --name <alias>`: Adds a key to the trust store and keyring.
* `list`: Shows all keys in the trust store.
* `update <fingerprint> --status <status>`: Changes the verification status of a key (e.g., to `verified` or `revoked`).
* `remove <fingerprint>`: Removes a key from the trust store.
### `sigmate configure`
* Run interactively to set up default configuration values (private key, identity, keyring path).
* Run with arguments (`--private-key-path ...`) to set values non-interactively for scripting.
### `sigmate clean`
* `clean`: Removes default artifacts (`./signatures/`, checksum files) from the current directory.
* `clean <path>`: Removes all contents of a specified artifact directory.
-----
## Contributing
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are **greatly appreciated**.
Please see the `CONTRIBUTING.md` file for details on our code of conduct, and the process for submitting pull requests to us.
## License
Distributed under the MIT License. See `LICENSE` for more information.
## Authors
Lucian BLETAN: initial Python project
## Sigmate in Rust
The Rust implementation lives at [sigmate](https://github.com/opensecurity/sigmate).
## Contact
Project Link: [sigmate-py](https://github.com/opensecurity/sigmate-py)