pyproject.toml

[build-system]
requires = ["flit_core >=3.2,<4"]
build-backend = "flit_core.buildapi"

[project]
name = "sigstore"
dynamic = ["version"]
description = "A tool for signing Python package distributions"
readme = "README.md"
license = { file = "LICENSE" }
authors = [
  { name = "Sigstore Authors", email = "sigstore-dev@googlegroups.com" },
]
classifiers = [
  "License :: OSI Approved :: Apache Software License",
  "Programming Language :: Python :: 3 :: Only",
  "Programming Language :: Python :: 3",
  "Programming Language :: Python :: 3.9",
  "Programming Language :: Python :: 3.10",
  "Programming Language :: Python :: 3.11",
  "Programming Language :: Python :: 3.12",
  "Programming Language :: Python :: 3.13",
  "Development Status :: 5 - Production/Stable",
  "Intended Audience :: Developers",
  "Topic :: Security",
  "Topic :: Security :: Cryptography",
]
dependencies = [
  "cryptography >= 42",
  "id >= 1.1.0",
  "importlib_resources ~= 5.7; python_version < '3.11'",
  "pyasn1 ~= 0.6",
  "pydantic >= 2,< 3",
  "pyjwt >= 2.1",
  "pyOpenSSL >= 23.0.0",
  "requests",
  "rich ~= 13.0",
  "rfc8785 ~= 0.1.2",
  # NOTE(dm): Under very active development, so strictly pinned.
  "rfc3161-client == 0.0.4",
  # NOTE(ww): Both under active development, so strictly pinned.
  "sigstore-protobuf-specs == 0.3.2",
  "sigstore-rekor-types == 0.0.18",
  "tuf ~= 5.0",
  "platformdirs ~= 4.2",
]
requires-python = ">=3.9"

[project.scripts]
sigstore = "sigstore._cli:main"

[project.urls]
Homepage = "https://pypi.org/project/sigstore/"
Issues = "https://github.com/sigstore/sigstore-python/issues"
Source = "https://github.com/sigstore/sigstore-python"
Documentation = "https://sigstore.github.io/sigstore-python/"

[project.optional-dependencies]
test = ["pytest", "pytest-cov", "pretend", "coverage[toml]"]
lint = [
  "bandit",
  "interrogate >= 1.7.0",
  "mypy ~= 1.1",
  # NOTE(ww): ruff is under active development, so we pin conservatively here
  # and let Dependabot periodically perform this update.
  "ruff < 0.7.5",
  "types-requests",
  "types-pyOpenSSL",
]
doc = ["pdoc"]
dev = ["build", "bump >= 1.3.2", "sigstore[doc,test,lint]"]

[tool.coverage.run]
# branch coverage in addition to statement coverage.
branch = true
# FIXME(jl): currently overridden. see: https://pytest-cov.readthedocs.io/en/latest/config.html
# include machine name, process id, and a random number in `.coverage-*` so each file is distinct.
parallel = true
# store relative path info for aggregation across runs with potentially differing filesystem layouts.
# see: https://coverage.readthedocs.io/en/7.1.0/config.html#config-run-relative-files
relative_files = true
# don't attempt code coverage for the CLI entrypoints
omit = ["sigstore/_cli.py"]

[tool.coverage.report]
exclude_lines = [
  "@abc.abstractmethod",
  "@typing.overload",
  "if typing.TYPE_CHECKING",
]

[tool.interrogate]
# don't enforce documentation coverage for packaging, testing, the virtual
# environment, or the CLI (which is documented separately).
exclude = ["env", "test", "sigstore/_cli.py"]
ignore-semiprivate = true
ignore-private = true
# Ignore nested classes for docstring coverage because we use them primarily
# for pydantic model configuration.
ignore-nested-classes = true
fail-under = 100

[tool.mypy]
allow_redefinition = true
check_untyped_defs = true
disallow_incomplete_defs = true
disallow_untyped_defs = true
ignore_missing_imports = true
no_implicit_optional = true
show_error_codes = true
sqlite_cache = true
strict_equality = true
warn_no_return = true
warn_redundant_casts = true
warn_return_any = true
warn_unreachable = true
warn_unused_configs = true
warn_unused_ignores = true
plugins = ["pydantic.mypy"]

[tool.bandit]
exclude_dirs = ["./test"]

[tool.ruff.lint]
# Never enforce `E501` (line length violations).
ignore = ["E501"]
# TODO: Enable "UP" here once Pydantic allows us to:
# See: https://github.com/pydantic/pydantic/issues/4146
select = ["E", "F", "I", "W"]