This tool follows a similar train of thought as auth-tarball-from-git and backseat-signed, it uses pypi sigstore attestations as a replacement for signed git tags.
This is highly experimental proof-of-concept code:
- The attestation is not cryptographically verified
- There is no check the envelope and certificate actually belong to the same attestation
If you're good with sigstore and Rust you're very welcome to contribute!
./pypi-provenance-auth --commit "$(git rev-parse HEAD)" \
--subject "cryptography-${pkgver}.tar.gz" \
--attestation-file "./test_data/cryptography-${pkgver}.provenance"This project was started in Stockholm during Hackjunta 2024#2 organized by ln5, after a Debian developer (pabs) requested my take on PEP-740.
GPL-3.0-or-later