Highly experimental tool to infer trust to a git commit through pypi sigstore attestations

kpcyrd/pypi-provenance-auth

pypi-provenance-auth

This tool follows a similar train of thought as auth-tarball-from-git and backseat-signed: it uses PyPI sigstore attestations (PEP 740 provenance) in place of signed git tags when deciding whether a git commit can be trusted.

⚠️ Missing features ⚠️

This is highly experimental proof-of-concept code:

  • The attestation is not cryptographically verified
  • There is no check that the envelope and certificate actually belong to the same attestation

If you're good with sigstore and Rust you're very welcome to contribute!

Usage

```sh
./pypi-provenance-auth --commit "$(git rev-parse HEAD)" \
    --subject "cryptography-${pkgver}.tar.gz" \
    --attestation-file "./test_data/cryptography-${pkgver}.provenance"
```
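To make concrete what the command above has to do with its three inputs, here is an added, stand-alone Python example (not code from pypi-provenance-auth, which is written in Rust) of the plausibility checks on a PEP 740 provenance file: decode the DSSE envelope's in-toto statement, confirm it is a PyPI publish attestation naming the requested subject, and pull the commit out of the signing certificate. It assumes the commit is linked through the Fulcio "Source Repository Digest" extension (OID 1.3.6.1.4.1.57264.1.13, a DER UTF8String); the page does not say which certificate field the tool actually reads. A real provenance file carries a full X.509 DER certificate; the constructed fixture below stands in a bare Extensions structure, which the same depth-first search finds inside a real certificate. Like the tool, it verifies no signature; `dsse_pae` only produces the bytes such a check would verify.

```python
"""Added example: non-cryptographic checks on a PEP 740 provenance file (not the tool's code)."""
import base64
import json

FULCIO_SOURCE_REPO_DIGEST = "1.3.6.1.4.1.57264.1.13"  # assumed cert -> commit link
PYPI_PUBLISH_PREDICATE = "https://docs.pypi.org/attestations/publish/v1"
INTOTO_STATEMENT = "https://in-toto.io/Statement/v1"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_read(buf, pos=0):
    """Read one TLV (single-byte tags, enough for X.509); returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def oid_content(dotted):
    """Content bytes of an OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def find_extension(der, oid):
    """Depth-first search of constructed DER nodes for an X.509 Extension
    SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }; returns extnValue."""
    pos = 0
    while pos < len(der):
        tag, value, pos = der_read(der, pos)
        if not tag & 0x20:  # primitive node: nothing to descend into
            continue
        if tag == 0x30 and value[:1] == b"\x06":
            _, ext_oid, nxt = der_read(value)
            if ext_oid == oid:
                tag2, val2, nxt = der_read(value, nxt)
                if tag2 == 0x01:  # skip the optional 'critical' BOOLEAN
                    tag2, val2, nxt = der_read(value, nxt)
                if tag2 == 0x04:
                    return val2
        found = find_extension(value, oid)
        if found is not None:
            return found
    return None


def fulcio_string(cert_der, dotted):
    """Fulcio's newer extensions wrap a DER UTF8String inside extnValue."""
    ext = find_extension(cert_der, oid_content(dotted))
    if ext is None:
        return None
    tag, s, _ = der_read(ext)
    return s.decode() if tag == 0x0C else None


def dsse_pae(payload_type, payload):
    """DSSE pre-authentication encoding: the bytes envelope.signature would have to verify
    over, with the certificate's public key. That signature check is not performed here."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)


def vet_provenance(provenance, subject_name, commit):
    """One finding per publish attestation naming subject_name: the commit the certificate
    carries, whether it matches, and the bytes a signature check would cover."""
    if provenance.get("version") != 1:
        raise ValueError("unsupported provenance version")
    findings = []
    for bundle in provenance["attestation_bundles"]:
        for att in bundle["attestations"]:
            statement_bytes = base64.b64decode(att["envelope"]["statement"])
            stmt = json.loads(statement_bytes)
            if stmt.get("_type") != INTOTO_STATEMENT or stmt.get("predicateType") != PYPI_PUBLISH_PREDICATE:
                continue
            subjects = [s for s in stmt["subject"] if s["name"] == subject_name]
            if not subjects:
                continue
            cert = base64.b64decode(att["verification_material"]["certificate"])
            cert_commit = fulcio_string(cert, FULCIO_SOURCE_REPO_DIGEST)
            findings.append({"publisher": bundle["publisher"],
                             "sha256": subjects[0]["digest"]["sha256"],
                             "cert_commit": cert_commit,
                             "commit_matches": cert_commit == commit,
                             "to_sign": dsse_pae(INTOTO_PAYLOAD_TYPE, statement_bytes)})
    return findings


def build_sample(commit, subject_name, sha256):
    """Constructed fixture (not real data): a bare Extensions structure stands in for the cert."""
    extension = der_tlv(0x30, der_tlv(0x06, oid_content(FULCIO_SOURCE_REPO_DIGEST))
                        + der_tlv(0x04, der_tlv(0x0C, commit.encode())))
    fake_cert = der_tlv(0x30, der_tlv(0xA3, der_tlv(0x30, extension)))  # mimics [3] EXPLICIT Extensions
    statement = {"_type": INTOTO_STATEMENT, "predicateType": PYPI_PUBLISH_PREDICATE,
                 "subject": [{"name": subject_name, "digest": {"sha256": sha256}}], "predicate": None}
    b64 = lambda b: base64.b64encode(b).decode()
    return {"version": 1, "attestation_bundles": [{
        "publisher": {"kind": "GitHub", "repository": "example-org/example-project", "workflow": "release.yml"},
        "attestations": [{"version": 1,
                          "verification_material": {"certificate": b64(fake_cert), "transparency_entries": []},
                          "envelope": {"statement": b64(json.dumps(statement).encode()),
                                       "signature": b64(b"not a real signature")}}]}]}


if __name__ == "__main__":
    commit = "0123456789abcdef0123456789abcdef01234567"
    prov = build_sample(commit, "example-project-1.0.0.tar.gz", "ab" * 32)
    for f in vet_provenance(prov, "example-project-1.0.0.tar.gz", commit):
        print(f["publisher"]["repository"], f["cert_commit"], f["commit_matches"])
```

A commit that passes these checks is only as trustworthy as the unchecked pieces: the signature over `to_sign` must verify with the certificate's key, the certificate must chain to Fulcio, and the `publisher` block must be one you expect, otherwise an attacker who can publish any attestation naming the subject could claim any commit.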

Trivia

This project was started in Stockholm during Hackjunta 2024#2 organized by ln5, after a Debian developer (pabs) requested my take on PEP-740.

License

GPL-3.0-or-later
