/source/ · Python 3.11+ · Pure + cryptography · Apache-2.0

reference-python

v1.0.0

Two-tier SignedReceipts package for Python: a 400-LOC pure-Python verifier with no native deps, plus an optional cryptography-backed fast path.

ratified March 2026commit 8af4c92d24 files · 138 KB

About this artefact

signedreceipts on PyPI is the reference Python package. It targets Python 3.11+ and ships in two tiers: a pure-Python verifier (~400 lines, no native dependencies) suitable for sandboxed and edge environments, and an optional [fast] extra that pulls in cryptography for an order-of-magnitude speedup on bulk verification. Both tiers share a single canonicalisation implementation derived from the spec's reference pseudocode.

Wheels are published with twine attestations and the same MANIFEST.sha256 fingerprints as the tarball you can download here. A small signedreceipts.cli entrypoint exposes verify and show for ad-hoc shell use, but the canonical CLI is the Rust binary in verifier-cli.

Manifest

Tar.gz tarball download is published at the spec ratification cadence. Below is the current public manifest (SHA-256 fingerprints, file count, ratification commit).
PathSizeSHA-256
pyproject.toml1.1 KBa23d9ce2ef8f824c3eb63ef5255db18993786e5b1d54906347fcce5dad2d56fb
signedreceipts/__init__.py0.6 KB24d0c053ec087624bc7bb538e3f81a1ea61a3a2dde081e8142bf92a919ad7de0
signedreceipts/canonical.py3.9 KBde1271fc5614910aafc00b3750794d9d888aad874195d9edd42fdb8c5fb55708
signedreceipts/verify.py6.2 KB023277494262e4e69561dcaa98fe44d142617a5764b3dd3a0c8a95cac8047a1f
signedreceipts/jwks.py2.4 KB0a4ea58dd2aa4f23b41840d48c1772a9746a6e899540cf4cedb22dce0f4b27b7
24 files · 138 KB · ratification commit 8af4c92d · signed by working-group key wg-2026-03

Quick start

shell
pip install signedreceipts
# Optional fast path:
# pip install 'signedreceipts[fast]'
verify.py
from signedreceipts import Verifier

v = Verifier.from_jwks_url(
    "https://api.cloakapi.io/.well-known/jwks.json",
)
result = v.verify(receipt_bytes)
assert result.ok, result.reason

Issues / questions

Bug reports, patches, and security advisories all go to the working-group inbox.

open-source@cloakapi.io

Back to /source/ · related: spec · conformance · implementations