README: fill in details (#43)

* README: fill in details

* README: add CI badge

* ci, Makefile: enforce `--help` timeliness

* workflows/ci: fix syntax

* CONTRIBUTING: add

* README: link to CONTRIBUTING

* README: flatten, tweak

* setup: move sigstore to alpha

* Update README.md

Co-authored-by: Alex Cameron <[email protected]>

Author: woodruffw

.github/workflows/ci.yml

@@ -27,6 +27,7 @@ jobs:
         run: make dev
       - name: test
         run: make test
+
   lint:
     runs-on: ubuntu-latest
     steps:
@@ -37,26 +38,46 @@ jobs:
       - name: lint
         run: make lint
 
-  # TODO: Enable once CLI development begins.
-  # check-readme:
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - uses: actions/checkout@v2
-  #     - uses: actions/setup-python@v2
-  #       # NOTE(ww): Important: use pip-audit's minimum supported Python version
-  #       # in this check, since Python can change the `--help` rendering in
-  #       # `argparse` between major versions.
-  #       with:
-  #         python-version: "3.6"
-  #     - name: deps
-  #       run: make dev
-  #     - name: check-readme
-  #       run: |
-  #         diff \
-  #           <( \
-  #             awk '/@begin-pip-audit-help@/{f=1;next} /@end-pip-audit-help@/{f=0} f' \
-  #               < README.md | sed '1d;$d' \
-  #           ) \
-  #           <( \
-  #             make run ARGS="--help" \
-  #           )
+  check-readme:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        # NOTE(ww): Important: use pip-audit's minimum supported Python version
+        # in this check, since Python can change the `--help` rendering in
+        # `argparse` between major versions.
+        with:
+          python-version: "3.7"
+      - name: deps
+        run: make dev
+      - name: check-readme
+        run: |
+          # sigstore --help
+          diff \
+            <( \
+              awk '/@begin-sigstore-help@/{f=1;next} /@end-sigstore-help@/{f=0} f' \
+                < README.md | sed '1d;$d' \
+            ) \
+            <( \
+              make run ARGS="--help" \
+            )
+
+          # sigstore sign --help
+          diff \
+            <( \
+              awk '/@begin-sigstore-sign-help@/{f=1;next} /@end-sigstore-sign-help@/{f=0} f' \
+                < README.md | sed '1d;$d' \
+            ) \
+            <( \
+              make run ARGS="sign --help" \
+            )
+
+          # sigstore verify --help
+          diff \
+            <( \
+              awk '/@begin-sigstore-verify-help@/{f=1;next} /@end-sigstore-verify-help@/{f=0} f' \
+                < README.md | sed '1d;$d' \
+            ) \
+            <( \
+              make run ARGS="verify --help" \
+            )

CONTRIBUTING.md

@@ -0,0 +1,138 @@
+Contributing to sigstore
+========================
+
+Thank you for your interest in contributing to `sigstore`!
+
+The information below will help you set up a local development environment,
+as well as performing common development tasks.
+
+## Requirements
+
+`sigstore`'s only development environment requirement *should* be Python 3.7
+or newer. Development and testing is actively performed on macOS and Linux,
+but Windows and other supported platforms that are supported by Python
+should also work.
+
+If you're on a system that has GNU Make, you can use the convenience targets
+included in the `Makefile` that comes in the `sigstore` repository detailed
+below. But this isn't required; all steps can be done without Make.
+
+## Development steps
+
+First, clone this repository:
+
+```bash
+git clone https://github.com/trailofbits/sigstore
+cd sigstore
+```
+
+Then, use one of the `Makefile` targets to run a task. The first time this is
+run, this will also set up the local development virtual environment, and will
+install `sigstore` as an editable package into this environment.
+
+Any changes you make to the `sigstore` source tree will take effect
+immediately in the virtual environment.
+
+### Linting
+
+You can lint locally with:
+
+```bash
+make lint
+```
+
+`sigstore` is automatically linted and formatted with a collection of tools:
+
+* [`black`](https://github.com/psf/black): Code formatting
+* [`isort`](https://github.com/PyCQA/isort): Import sorting, ordering
+* [`flake8`](https://flake8.pycqa.org/en/latest/): PEP-8 linting, style enforcement
+* [`mypy`](https://mypy.readthedocs.io/en/stable/): Static type checking
+* [`interrogate`](https://interrogate.readthedocs.io/en/latest/): Documentation coverage
+
+
+### Testing
+
+You can run the tests locally with:
+
+```bash
+make test
+```
+
+You can also filter by a pattern (uses `pytest -k`):
+
+```bash
+make test TESTS=test_version
+```
+
+To test a specific file:
+
+```bash
+make test T=path/to/file.py
+```
+
+`sigstore` has a [`pytest`](https://docs.pytest.org/)-based unit test suite,
+including code coverage with [`coverage.py`](https://coverage.readthedocs.io/).
+
+### Documentation
+
+If you're running Python 3.7 or newer, you can run the documentation build locally:
+
+```bash
+make doc
+```
+
+`sigstore` uses [`pdoc3`](https://github.com/pdoc3/pdoc) to generate HTML documentation for
+the public Python APIs.
+
+Live documentation for the `main` branch is hosted
+[here](https://trailofbits.github.io/sigstore/). Only the public APIs are
+documented, all undocumented APIs are **intentionally private and unstable.**
+
+### Releasing
+
+**NOTE**: If you're a non-maintaining contributor, you don't need the steps
+here! They're documented for completeness and for onboarding future maintainers.
+
+Releases of `sigstore` are managed with [`bump`](https://github.com/di/bump)
+and GitHub Actions.
+
+```bash
+# default release (patch bump)
+make release
+
+# override the default
+# vX.Y.Z -> vX.Y.Z-rc.0
+make release BUMP_ARGS="--pre rc.0"
+
+# vX.Y.Z -> vN.0.0
+make release BUMP_ARGS="--major"
+```
+
+`make release` will fail if there are any untracked changes in the source tree.
+
+If `make release` succeeds, you'll see an output like this:
+
+```
+RUN ME MANUALLY: git push origin main && git push origin vX.Y.Z
+```
+
+Run that last command sequence to complete the release.
+
+## Development practices
+
+Here are some guidelines to follow if you're working on a new feature or changes to
+`sigstore`'s internal APIs:
+
+* *Keep the `sigstore` APIs as private as possible*. Nearly all of `sigstore`'s
+APIs should be private and treated as unstable and unsuitable for public use.
+If you're adding a new module to the source tree, prefix the filename with an underscore to
+emphasize that it's an internal (e.g., `sigstore/_foo.py` instead of `sigstore/foo.py`).
+
+* *Perform judicious debug logging.* `sigstore` uses the standard Python
+[`logging`](https://docs.python.org/3/library/logging.html) module. Use
+`logger.debug` early and often -- users who experience errors can submit better
+bug reports when their debug logs include helpful context!
+
+* *Update the [CHANGELOG](./CHANGELOG.md)*. If your changes are public or result
+in changes to `sigstore`'s CLI, please record them under the "Unreleased" section,
+with an entry in an appropriate subsection ("Added", "Changed", "Removed", or "Fixed").

Makefile

@@ -37,7 +37,7 @@ dev:
 
 .PHONY: run
 run:
-	@. env/bin/activate && pip-audit $(ARGS)
+	@. env/bin/activate && sigstore $(ARGS)
 
 .PHONY: lint
 lint:

README.md

@@ -1,9 +1,91 @@
 sigstore-python
 ===============
 
-⚠️ This project is not ready for use! ⚠️
+<!--- @begin-badges@ --->
+![CI](https://github.com/trailofbits/sigstore-python/workflows/CI/badge.svg)
+<!--- @end-badges@ --->
 
-`sigstore` is a tool for signing Python package distributions.
+⚠️ This project is not ready for general-purpose use! ⚠️
+
+`sigstore` is a tool for signing and verifying Python package distributions.
 
 This project is developed by [Trail of Bits](https://www.trailofbits.com/) with
 support from Google. This is not an official Google product.
+
+## Features
+
+* Support for signing Python package distributions using an OpenID Connect identity
+* Support for publishing signatures to a [Rekor](https://github.com/sigstore/rekor) instance
+* Support for verifying signatures on Python package distributions
+
+## Installation
+
+`sigstore` requires Python 3.7 or newer, and can be installed directly via `pip`:
+
+```console
+python -m pip install sigstore
+```
+
+## Usage
+
+You can run `sigstore` as a standalone program, or via `python -m`:
+
+```console
+sigstore --help
+python -m sigstore --help
+```
+
+Top-level:
+
+<!-- @begin-sigstore-help@ -->
+```
+Usage: sigstore [OPTIONS] COMMAND [ARGS]...
+
+Options:
+  --help  Show this message and exit.
+
+Commands:
+  sign
+  verify
+```
+<!-- @end-sigstore-help@ -->
+
+Signing:
+
+<!-- @begin-sigstore-sign-help@ -->
+```
+Usage: sigstore sign [OPTIONS] FILE
+
+Options:
+  --identity-token TEXT
+  --ctfe FILENAME
+  --help                 Show this message and exit.
+```
+<!-- @end-sigstore-sign-help@ -->
+
+Verifying
+
+<!-- @begin-sigstore-verify-help@ -->
+```
+Usage: sigstore verify [OPTIONS] FILE
+
+Options:
+  --cert FILENAME       [required]
+  --signature FILENAME  [required]
+  --cert-email TEXT
+  --help                Show this message and exit.
+```
+<!-- @end-sigstore-verify-help@ -->
+
+## Licensing
+
+`sigstore` is licensed under the Apache 2.0 License.
+
+## Contributing
+
+See [the contributing docs](CONTRIBUTING.md) for details.
+
+## Code of Conduct
+Everyone interacting with this project is expected to follow the
+[PSF Code of Conduct](https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md).
+

setup.py

@@ -67,7 +67,7 @@
         "Programming Language :: Python :: 3.8",
         "Programming Language :: Python :: 3.9",
         "Programming Language :: Python :: 3.10",
-        "Development Status :: 1 - Planning",
+        "Development Status :: 3 - Alpha",
         "Intended Audience :: Developers",
         "Topic :: Security",
         "Topic :: Security :: Cryptography",