Keyring backend for Chainguard Libraries for Python
A Python keyring backend that provides seamless authentication to the Chainguard Libraries for Python repositories at https://libraries.cgr.dev/python and other contexts using Chainguard pull tokens.
This package extends Python's keyring library to automatically authenticate with private package repositories using Chainguard pull tokens. When pip or other Python package managers request credentials for HTTPS repositories ending with .cgr.dev, this backend generates short-lived authentication tokens using the chainctl CLI tool.
- Automatic authentication: Seamlessly integrates with pip, uv, and other Python package managers
- Token caching: Caches credentials to minimize repeated chainctl calls
- Secure token generation: Uses chainctl to generate short-lived (8-hour) pull tokens when needed
- Tox integration: Includes a tox plugin for authentication in test environments
pip install keyrings-chainguard-libraries
- Python 3.9 or higher
- chainctl CLI tool installed and configured
Once installed, the keyring backend automatically activates for HTTPS URLs ending with .cgr.dev. When pip or other tools request credentials for a private repository on a *.cgr.dev domain, the backend performs the following steps:
- Check if credentials are cached
- If not cached, run chainctl auth token to generate new short-lived credentials and cache them
- Return the credentials to the requesting tool
Refer to the Chainguard documentation for more details.
# Install from a private Chainguard repository
pip install package-name --index-url https://libraries.cgr.dev/python/simple/
You can test the keyring backend directly:
import keyring
from keyrings.chainctl_auth import ChainctlAuth
# Set the backend
keyring.set_keyring(ChainctlAuth())
# Get credentials for a Chainguard service
password = keyring.get_password("https://libraries.cgr.dev", "username")
The ChainctlAuth backend:
- Intercepts credential requests for HTTPS services ending with .cgr.dev
- Executes chainctl auth token --audience=libraries.cgr.dev
- Caches the token for the service
- Returns the token to the requesting application
# Clone the repository
git clone https://github.com/chainguard-dev/keyrings-chainguard-libraries
cd keyrings-chainguard-libraries
# Install in development mode with dev dependencies
pip install -e ".[dev]"
# Run tests
pytest
# Run tests with coverage
pytest --cov=keyrings.chainctl_auth
# Run linting
flake8
mypy keyrings/
# Build the package
python -m build
This repo uses pre-commit to run pre-commit hooks.
pre-commit install
To run at any time:
pre-commit run --all-files
- "chainctl command not found"
  - Ensure chainctl is installed and available in your PATH
- Authentication failures
  - Verify chainctl is properly configured and authenticated
  - Check that your organization has access to Chainguard Libraries
Enable debug logging to troubleshoot issues:
import logging
logging.basicConfig(level=logging.DEBUG)
- Credentials are cached in memory only for the duration of the process
- Pull tokens are generated with an 8-hour TTL
- The backend only handles HTTPS URLs for domains ending with .cgr.dev to ensure secure transmission
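An added example, not the project's own code: a standard-library sketch of the scope check and in-memory token cache described above, with the chainctl call injectable so it can be exercised offline. The names scoped_host, run_chainctl and TokenCache, the per-host cache key, and the refresh five minutes before the 8-hour TTL are assumptions of this example.

```python
import subprocess
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

TOKEN_TTL_SECONDS = 8 * 60 * 60  # 8-hour pull-token lifetime stated on this page


def scoped_host(service: str) -> Optional[str]:
    """Return the normalized host for https://*.cgr.dev URLs, else None.
    Matching the parsed hostname (not the raw string) keeps a path, query or
    userinfo that merely contains ".cgr.dev" from counting as in scope."""
    try:
        parts = urlsplit(service)
    except ValueError:  # malformed URL, e.g. an unbalanced IPv6 bracket
        return None
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme == "https" and host.endswith(".cgr.dev"):
        return host
    return None


def run_chainctl() -> str:
    """Fetch a token with the chainctl command quoted on this page."""
    result = subprocess.run(
        ["chainctl", "auth", "token", "--audience=libraries.cgr.dev"],
        check=True, capture_output=True, text=True, timeout=60,
    )
    return result.stdout.strip()


class TokenCache:
    """Hypothetical in-memory cache: one token per host, gone when the process exits."""

    def __init__(self, fetch: Callable[[], str] = run_chainctl,
                 clock: Callable[[], float] = time.monotonic,
                 ttl: float = TOKEN_TTL_SECONDS, skew: float = 300.0) -> None:
        self._fetch, self._clock, self._ttl, self._skew = fetch, clock, ttl, skew
        self._entries: Dict[str, Tuple[str, float]] = {}

    def get_password(self, service: str) -> Optional[str]:
        host = scoped_host(service)
        if host is None:
            return None  # out of scope: never run chainctl or hand out a token
        token, expires = self._entries.get(host, ("", 0.0))
        if not token or self._clock() >= expires - self._skew:
            token = self._fetch()  # cache miss or token close to expiry
            self._entries[host] = (token, self._clock() + self._ttl)
        return token
```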
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (git checkout -b feature/amazing-feature)
- Commit your changes (git commit -m 'Add some amazing feature')
- Push to the branch (git push origin feature/amazing-feature)
- Open a pull request
For issues and questions:
- Open an issue on the GitHub repository
- Contact the maintainers
Alternatively, as a Chainguard customer, contact your account representative or our support team.