PyPI now supports digital attestations

Submitted by
Style Pass
2024-11-14 14:30:03

PyPI package maintainers can now publish signed digital attestations when publishing, in order to further increase trust in the supply-chain security of their projects. Additionally, a new API is available for consumers and installers to verify published attestations.

This finalizes PyPI's support for PEP 740, and follows directly from previous work to add support for Trusted Publishing, as well as the deprecation and removal of PGP signatures.

PyPI's support for digital attestations has three key advantages over regular cryptographic signatures, such as those provided by PGP:

Much more detail is provided in a corresponding blog post by Trail of Bits: Attestations: a new generation of signatures on PyPI.

For consumers and package installers wanting to perform verification, PyPI currently provides two ways to access digital attestations associated with a given file on PyPI:

A new Integrity API for PyPI

The Integrity API provides programmatic access to PyPI's implementation of PEP 740. Operating on individual files, it collects all published attestations for a given file and returns them as a single response.
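As an added example (not code from the PyPI announcement or the Trail of Bits post), here is a consumer-side pre-check over a per-file provenance object of the kind the Integrity API returns. The field names follow PEP 740's provenance layout as I understand it, the sample file and publisher values are constructed, and the certificate and signature are placeholders, so the check covers structure and the subject digest only; real signature verification still belongs to a verifier such as a Sigstore client.

```python
import base64
import hashlib
import json

def _statement(filename, sha256_hex):
    # Base64-encoded in-toto statement that names the file; predicate omitted.
    stmt = {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": filename, "digest": {"sha256": sha256_hex}}],
            "predicateType": "https://docs.pypi.org/attestations/publish/v1"}
    return base64.b64encode(json.dumps(stmt).encode()).decode()

# Constructed sample response (assumed PEP 740 field names): one file, one
# Trusted Publisher bundle, one attestation with placeholder cert/signature.
SAMPLE_FILE = b"constructed wheel bytes, not a real distribution"
SAMPLE_NAME = "example_pkg-1.0.0-py3-none-any.whl"
SAMPLE_PROVENANCE = {"version": 1, "attestation_bundles": [{
    "publisher": {"kind": "GitHub", "repository": "example/example-pkg", "workflow": "release.yml"},
    "attestations": [{"version": 1,
        "verification_material": {"certificate": "<placeholder>", "transparency_entries": [{}]},
        "envelope": {"signature": "<placeholder>",
                     "statement": _statement(SAMPLE_NAME,
                                             hashlib.sha256(SAMPLE_FILE).hexdigest())}}]}]}

def check_provenance(prov, filename, file_bytes):
    """Structural pre-checks before signature verification; [] means every
    attestation is well-formed and names exactly this filename and digest."""
    problems = []
    if prov.get("version") != 1:
        problems.append("unsupported provenance version")
    want = hashlib.sha256(file_bytes).hexdigest()
    bundles = prov.get("attestation_bundles") or []
    if not bundles:
        problems.append("no attestation bundles")
    for b, bundle in enumerate(bundles):
        if not bundle.get("publisher", {}).get("kind"):
            problems.append(f"bundle {b}: publisher has no kind")
        for a, att in enumerate(bundle.get("attestations") or []):
            env, vm = att.get("envelope", {}), att.get("verification_material", {})
            if not (vm.get("certificate") and vm.get("transparency_entries") and env.get("signature")):
                problems.append(f"bundle {b}/{a}: missing certificate, log entry or signature")
            try:
                stmt = json.loads(base64.b64decode(env.get("statement", "")))
                subjects = {(s["name"], s["digest"]["sha256"]) for s in stmt["subject"]}
            except (ValueError, KeyError, TypeError):
                problems.append(f"bundle {b}/{a}: malformed statement")
                continue
            if (filename, want) not in subjects:
                problems.append(f"bundle {b}/{a}: statement does not cover {filename}")
    return problems
```

Running the check against the downloaded bytes, not just the filename, is what ties the attestation to the artifact actually being installed.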
