Metadata-Version: 2.4
Name: signing-tool
Version: 3.7.0
Summary: Laavat Signing Solution CLI Tool
Author-email: Laavat Oy <contact@laavat.com>
License: Copyright (c) 2026 Laavat Oy
        
        All rights reserved.
        
        This software is the proprietary work of Laavat Oy. Use, reproduction, or distribution of this software, in whole or in part, is prohibited without the express prior written permission of Laavat Oy.
        
Project-URL: Documentation, https://docs.laavat.io/democlient/usage/
Project-URL: Homepage, https://docs.laavat.io/
Keywords: signing,cli,pki,certificate,signing-tool,laavat
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Developers
Classifier: License :: Other/Proprietary License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Requires-Python: >=3.8
Description-Content-Type: text/markdown
License-File: LICENSE
License-File: LICENSES/certifi.txt
License-File: LICENSES/configparser.txt
License-File: LICENSES/cryptography.txt
License-File: LICENSES/jwcrypto.txt
License-File: LICENSES/python-dateutil.txt
License-File: LICENSES/requests.txt
License-File: LICENSES/six.txt
License-File: LICENSES/urllib3.txt
Requires-Dist: certifi>=2017.4.17
Requires-Dist: python-dateutil>=2.1
Requires-Dist: six>=1.10
Requires-Dist: urllib3>=1.23
Requires-Dist: requests>=2.25.1
Requires-Dist: jwcrypto>=1.0
Requires-Dist: configparser>=5.0.2
Requires-Dist: cryptography>=3.4
Provides-Extra: dev
Requires-Dist: autopep8>=1.5.7; extra == "dev"
Requires-Dist: pycodestyle>=2.7.0; extra == "dev"
Requires-Dist: pytest>=7.0; extra == "dev"
Dynamic: license-file

# Laavat Signing Solution CLI Tool

> ⚠️ **Reference Implementation Only** — This is a reference implementation and should **not be used in production**. Security improvements are planned before this tool is productized. Use this for evaluation and development purposes only.

The `signing-tool` package provides the Laavat Signing Solution command-line client.
It supports client registration, product management, image signing, secrets management, and more via the SaaS API.

## Installation

Install from PyPI when released:

```bash
pip install signing-tool
```

Install from source during development:

```bash
cd clients/python3
python3 -m pip install .
```

## Quick Start

Display help:

```bash
signing-tool --help
```

### Secure token input

Passing the token directly with `-t "$TOKEN"` exposes it in your shell history and in process listings (`ps`, `/proc/<pid>/cmdline`). To avoid this, the `-t` option accepts curl-style references that keep the secret out of the command line:

- **`-t @-`** — read the token from **stdin**:

  ```bash
  printf '%s' "$TOKEN" | signing-tool -c -t @- -a https://app.laavat.io/<CustomerName>/api/v1 product getall
  ```

- **`-t @/path/to/tokenfile`** — read the token from a **file** (the tool warns if the file is group/world-readable; use `chmod 600`):

  ```bash
  signing-tool -c -t @/run/secrets/jwt -a https://app.laavat.io/<CustomerName>/api/v1 product getall
  ```

In a configuration file, reference the token by file instead of inlining it (inlining is deprecated and warns on use):

```ini
[service]
url = https://app.laavat.io/<CustomerName>/api/v1
token_file = /run/secrets/jwt
```

These forms integrate cleanly with CI secret managers, which expose secrets as files or on stdin. TLS verification is on by default; `--skipssl` disables it and is intended for local development only.

> A leading `@` is interpreted as a stdin/file reference (the curl convention). OAuth2/JWT tokens never start with `@`, but if you ever need a literal token that does, escape it as `\@token`.

### Recommended usage

Use a configuration file to keep credentials out of command history and logs. Create the file with `config-init`, then run the CLI using the `-n` option.

```bash
config-init -n test.ini -t "$TOKEN" -s -a https://app.laavat.io/<CustomerName>/api/v1
signing-tool -n test.ini product getall
```

### Alternative usage

You can also pass settings directly on the command line, but this is less secure because tokens may become visible in shell history or process listings.

```bash
signing-tool -c -t "$TOKEN" -a https://app.laavat.io/<CustomerName>/api/v1 product getall
```

## Configuration Options

Option 1: create an ini config file using `config-init`:

```bash
config-init -n test.ini -t "$TOKEN" -s -a https://app.laavat.io/<CustomerName>/api/v1
signing-tool -n test.ini product getall
```

Option 2: pass settings directly on the command line (not recommended for secrets):

```bash
signing-tool -c -t "$TOKEN" -a https://app.laavat.io/<CustomerName>/api/v1 product getall
```

## Example Signing Commands

HAB image signing with config file:

```bash
signing-tool -n test.ini imagesigning add SignHABIMG -P <product-id> --operid <operator-id> -p <payload>
```

OCI signing with token and API address:

```bash
signing-tool -c -t "$TOKEN" -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning add SignOCI -P <product-id> --operid <operator-id> -A <artifact>
```

## Requirements

- Python 3.8 or newer
- **SigningService** — The signing-tool CLI depends on the SigningService API client library. This is automatically installed when you install `signing-tool` from PyPI

## Packaging

This package is configured for PyPI distribution using `pyproject.toml` and `setuptools`.
Read the `pyproject.toml` file for package metadata and published package configuration.
