pyproject.toml

[build-system]
requires = ["flit_core >=3.2,<4"]
build-backend = "flit_core.buildapi"

[project]
name = "sigstore"
dynamic = ["version"]
description = "A tool for signing Python package distributions"
readme = "README.md"
license = { file = "LICENSE" }
authors = [
  { name = "Sigstore Authors", email = "sigstore-dev@googlegroups.com" },
]
classifiers = [
  "License :: OSI Approved :: Apache Software License",
  "Programming Language :: Python :: 3 :: Only",
  "Programming Language :: Python :: 3",
  "Programming Language :: Python :: 3.9",
  "Programming Language :: Python :: 3.10",
  "Programming Language :: Python :: 3.11",
  "Programming Language :: Python :: 3.12",
  "Programming Language :: Python :: 3.13",
  "Development Status :: 5 - Production/Stable",
  "Intended Audience :: Developers",
  "Topic :: Security",
  "Topic :: Security :: Cryptography",
]
dependencies = [
  "cryptography >= 42, < 45",
  "id >= 1.1.0",
  "importlib_resources ~= 5.7; python_version < '3.11'",
  "pyasn1 ~= 0.6",
  "pydantic >= 2,< 3",
  "pyjwt >= 2.1",
  "pyOpenSSL >= 23.0.0",
  "requests",
  "rich ~= 13.0",
  "rfc8785 ~= 0.1.2",
  "rfc3161-client >= 0.1.2,< 1.1.0",
  # NOTE(ww): Both under active development, so strictly pinned.
  "sigstore-protobuf-specs == 0.3.2",
  "sigstore-rekor-types == 0.0.18",
  "tuf ~= 6.0",
  "platformdirs ~= 4.2",
]
requires-python = ">=3.9"

[project.scripts]
sigstore = "sigstore._cli:main"

[project.urls]
Homepage = "https://pypi.org/project/sigstore/"
Issues = "https://github.com/sigstore/sigstore-python/issues"
Source = "https://github.com/sigstore/sigstore-python"
Documentation = "https://sigstore.github.io/sigstore-python/"

[project.optional-dependencies]
test = ["pytest", "pytest-cov", "pretend", "coverage[toml]"]
lint = [
  "bandit",
  "interrogate >= 1.7.0",
  "mypy ~= 1.1",
  # NOTE(ww): ruff is under active development, so we pin conservatively here
  # and let Dependabot periodically perform this update.
  "ruff < 0.11.4",
  "types-requests",
  "types-pyOpenSSL",
]
doc = ["mkdocs-material[imaging]", "mkdocstrings-python"]
dev = ["build", "bump >= 1.3.2", "sigstore[doc,test,lint]"]

[tool.coverage.run]
# branch coverage in addition to statement coverage.
branch = true
# FIXME(jl): currently overridden. see: https://pytest-cov.readthedocs.io/en/latest/config.html
# include machine name, process id, and a random number in `.coverage-*` so each file is distinct.
parallel = true
# store relative path info for aggregation across runs with potentially differing filesystem layouts.
# see: https://coverage.readthedocs.io/en/7.1.0/config.html#config-run-relative-files
relative_files = true
# don't attempt code coverage for the CLI entrypoints
omit = ["sigstore/_cli.py"]

[tool.coverage.report]
exclude_lines = [
  "@abc.abstractmethod",
  "@typing.overload",
  "if typing.TYPE_CHECKING",
]

[tool.interrogate]
# don't enforce documentation coverage for packaging, testing, the virtual
# environment, or the CLI (which is documented separately).
exclude = ["env", "test", "sigstore/_cli.py"]
ignore-semiprivate = true
ignore-private = true
# Ignore nested classes for docstring coverage because we use them primarily
# for pydantic model configuration.
ignore-nested-classes = true
fail-under = 100

[tool.mypy]
allow_redefinition = true
check_untyped_defs = true
disallow_incomplete_defs = true
disallow_untyped_defs = true
enable_error_code = ["ignore-without-code", "redundant-expr", "truthy-bool"]
ignore_missing_imports = true
no_implicit_optional = true
sqlite_cache = true
strict = true
strict_equality = true
warn_no_return = true
warn_redundant_casts = true
warn_return_any = true
warn_unreachable = true
warn_unused_configs = true
warn_unused_ignores = true
plugins = ["pydantic.mypy"]

[tool.bandit]
exclude_dirs = ["./test"]

[tool.ruff.lint]
extend-select = ["I", "UP"]
ignore = [
  "UP007",  # https://github.com/pydantic/pydantic/issues/4146
  "UP011",
  "UP015",
]