The SuprSend Python SDK is signed and checksummed starting from release v0.18.1. Before installing, you can cryptographically confirm that the package you downloaded was built by SuprSend and has not been modified in transit.

Before you begin

The SuprSend Python SDK ships with two independent trust signals:
  • PyPI Verified details badge — visible on the PyPI project page sidebar. PyPI has confirmed that the GitHub repository linked on the project page is owned by the same account that maintains the package — ruling out typosquatting and metadata spoofing.
  • SHA-256 checksum + Cosign signature — every GitHub release publishes a checksums.txt listing SHA-256 hashes of all release artifacts, signed with SuprSend’s private key using Cosign.
Verification below is a two-step process: first confirm checksums.txt came from SuprSend’s pipeline untampered (Step 4), then confirm your downloaded file matches the hash inside it (Step 5). Both steps are required — Step 4 alone does not verify your package, and Step 5 alone does not verify the source of the hashes.

Prerequisites

You need Cosign installed. It is a single binary with no runtime dependencies. With Homebrew:
brew install cosign
On systems without Homebrew, download the binary for your platform from the Cosign project's GitHub releases page.
Confirm it is working:
cosign version

Step 1 — Create a working directory

All files — the package and the three verification assets — must be in the same directory for the checksum step to work. Create a dedicated directory and switch into it before proceeding.
mkdir suprsend-verify && cd suprsend-verify

Step 2 — Download the package

You have two options. Either way, save the file into the suprsend-verify directory you just created.

Option A — pip3 download (recommended)

pip3 download fetches the package artifact locally without installing it. The -d . flag saves it into the current directory.
pip3 download suprsend-py-sdk --no-deps -d .
This places the wheel file (suprsend_py_sdk-0.18.1-py3-none-any.whl) directly in suprsend-verify.
--no-deps prevents pip3 from also downloading dependencies, keeping the directory clean for verification.
Option B — Download directly from PyPI

Go to https://pypi.org/project/suprsend-py-sdk/#files, click the .whl filename to download it, then move it into the suprsend-verify directory before continuing.

Step 3 — Download the verification files

Run these commands from inside the suprsend-verify directory:
VERSION="0.18.1"
BASE="https://github.com/suprsend/suprsend-py-sdk/releases/download/v${VERSION}"

curl -sL -O "${BASE}/checksums.txt"
curl -sL -O "${BASE}/checksums.txt.sig"
curl -sL -O "${BASE}/public_key.pem"
At this point your suprsend-verify directory should contain exactly these files:
suprsend-verify/
├── checksums.txt
├── checksums.txt.sig
├── public_key.pem
└── suprsend_py_sdk-0.18.1-py3-none-any.whl
What each file is for:
  • checksums.txt: SHA-256 hashes of all release artifacts. This is what gets signed.
  • checksums.txt.sig: The Cosign bundle — contains the signature over checksums.txt and its verification metadata.
  • public_key.pem: SuprSend’s PEM-encoded public key. Used to verify the signature.
Always download public_key.pem directly from the official SuprSend Python SDK releases page. Do not copy it from mirrors or third-party sources. Because the key is fetched from the same release as the files it signs, keeping a copy from a release you have already verified and comparing it with each new download lets you notice an unexpected key change between releases.

Step 4 — Verify the signature

cosign verify-blob --key public_key.pem --bundle checksums.txt.sig checksums.txt
This command is identical on macOS, Linux, and Windows (PowerShell). What each argument does:
  • --key public_key.pem: SuprSend’s PEM-encoded public key. Cosign uses this to validate the signature.
  • --bundle checksums.txt.sig: The Cosign bundle containing the signature and its metadata.
  • checksums.txt: The artifact being verified — the SHA-256 manifest of all release artifacts.
Expected output:
Verified OK
Verified OK confirms:
  • The signature was produced using SuprSend’s private key — the key that corresponds to public_key.pem. Only SuprSend’s release pipeline has access to it.
  • checksums.txt is byte-for-byte identical to what was signed at release time.
If you see "invalid signature when validating ASN1 encoded signature", do not proceed with installation. Treat any other cosign error or non-zero exit status the same way. Re-download all three verification files from the same release and retry. If the failure persists, contact SuprSend support.

Step 5 — Verify the package checksum

grep "suprsend_py_sdk-0.18.1-py3-none-any.whl" checksums.txt | shasum -a 256 --check
Expected output:
suprsend_py_sdk-0.18.1-py3-none-any.whl: OK
To verify the .tar.gz instead, replace the filename in the command with suprsend_py_sdk-0.18.1.tar.gz. On a Linux system without the shasum Perl script, sha256sum --check accepts the same piped input. If grep finds no matching line (for example because the filename or version is mistyped), shasum reports that no properly formatted checksum lines were found and exits non-zero, so a typo cannot pass as a successful check.

Step 6 — Install the package

Once both verifications pass, install the SDK:
pip3 install suprsend-py-sdk

Full script

Creates the working directory, downloads everything into it, verifies both the signature and the checksum, then installs.
#!/usr/bin/env bash
set -euo pipefail

VERSION="0.18.1"
WHL="suprsend_py_sdk-${VERSION}-py3-none-any.whl"
BASE="https://github.com/suprsend/suprsend-py-sdk/releases/download/v${VERSION}"

mkdir suprsend-verify && cd suprsend-verify

echo "-> Downloading package..."
pip3 download suprsend-py-sdk==${VERSION} --no-deps -d .

echo "-> Downloading verification files..."
curl -sL -O "${BASE}/checksums.txt"
curl -sL -O "${BASE}/checksums.txt.sig"
curl -sL -O "${BASE}/public_key.pem"

echo "-> Verifying signature..."
cosign verify-blob --key public_key.pem --bundle checksums.txt.sig checksums.txt

echo "-> Verifying package checksum..."
grep "${WHL}" checksums.txt | shasum -a 256 --check

echo "-> Installing..."
pip3 install suprsend-py-sdk==${VERSION}

echo "Done. SuprSend Python SDK ${VERSION} installed and verified."

Reference

All artifacts are available on the GitHub releases page and the PyPI files page.
  • suprsend_py_sdk-{version}-py3-none-any.whl: Wheel — preferred for installation. Platform-independent.
  • suprsend_py_sdk-{version}.tar.gz: Source distribution.

SuprSend’s signing private key is held exclusively by the automated release pipeline and never leaves the secure signing environment. public_key.pem is the public counterpart — it is published openly with every release and carries no risk of compromise.

The PyPI Verified details badge confirms that the GitHub repository linked on the PyPI project page is owned by the same account that publishes the package, providing an additional layer of provenance assurance independent of the Cosign signature.

If you encounter an unexpected verification failure, reach out at support@suprsend.com or open an issue on the SuprSend Python SDK GitHub repository.