Introduction
Info
Index attestations are currently under active development, and are not yet considered stable.
These pages document PyPI's implementation of digital attestations (PEP 740), including in-toto attestation predicates specific to PyPI itself.
Quick background
Digital attestations enable package maintainers as well as third parties (such as the index itself, external auditors, etc.) to make cryptographically signed statements about uploaded packages.
These signatures bind each release distribution (such as an individual sdist or wheel) to a strong cryptographic digest of its contents, allowing both PyPI and downstream users to verify that a particular package was attested to by a particular identity (such as a GitHub Actions workflow).
These attestations can take multiple forms, including publish attestations for publicly verifiable proof that a package was published via a specific Trusted Publisher, or more general SLSA Provenance attesting to a package's original source location.
Supported attestations
PyPI uses the in-toto Attestation Framework for the attestations it accepts.
Currently, PyPI allows the following attestation predicates: the PyPI publish attestation and SLSA Provenance, both introduced above.
Each file can be uploaded along with its attestations. Currently PyPI accepts at most two attestations per file, one for each of the allowed predicates. An upload is rejected if any file carries more than two attestations, or if two of its attestations share the same predicate type.
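The following is an added example, not code from PyPI or this page, showing the shape of the in-toto Statement that an attestation carries (one subject bound to the file's SHA-256 digest, plus a predicate type) and a check that applies the upload rules stated above: at most two attestations per file, only the accepted predicate types, no predicate type repeated, and a subject digest that matches the uploaded bytes. It deals only with the unsigned statement payload; the signature envelope and identity verification are out of scope here. The `STATEMENT_TYPE` and SLSA Provenance identifiers are the published in-toto and SLSA ones; the PyPI publish predicate type URI, the sample wheel bytes, the empty predicate bodies and the one-subject-per-statement rule are assumptions made for this example.

```python
import hashlib
from typing import Any

# Published in-toto Statement v1 and SLSA Provenance v1 identifiers.
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
# ASSUMPTION for this example: PyPI defines the real publish predicate type
# on its own predicate page; this URI is only a stand-in here.
PYPI_PUBLISH_V1 = "https://docs.pypi.org/attestations/publish/v1"
ALLOWED_PREDICATES = {SLSA_PROVENANCE_V1, PYPI_PUBLISH_V1}
MAX_ATTESTATIONS_PER_FILE = 2


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a distribution's bytes; this is what the subject digest binds."""
    return hashlib.sha256(data).hexdigest()


def make_statement(
    filename: str, content: bytes, predicate_type: str, predicate: dict[str, Any]
) -> dict[str, Any]:
    """Build an in-toto Statement whose single subject is the distribution file."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": filename, "digest": {"sha256": sha256_hex(content)}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


def check_upload(
    filename: str, content: bytes, statements: list[dict[str, Any]]
) -> list[str]:
    """Return the reasons the attestation set for one file should be rejected.

    An empty list means the set is acceptable under the rules on this page:
    at most two attestations per file, only allowed predicate types, no
    predicate type used twice, and every subject must name this file with a
    sha256 digest equal to the uploaded bytes.
    """
    problems: list[str] = []
    if len(statements) > MAX_ATTESTATIONS_PER_FILE:
        problems.append(
            f"{len(statements)} attestations for {filename}; "
            f"at most {MAX_ATTESTATIONS_PER_FILE} allowed"
        )
    expected = sha256_hex(content)
    seen: set[str] = set()
    for i, st in enumerate(statements):
        if st.get("_type") != STATEMENT_TYPE:
            problems.append(f"attestation {i}: unexpected _type {st.get('_type')!r}")
        ptype = st.get("predicateType")
        if ptype not in ALLOWED_PREDICATES:
            problems.append(f"attestation {i}: predicate type {ptype!r} not accepted")
        elif ptype in seen:
            problems.append(f"attestation {i}: predicate type {ptype!r} repeated")
        else:
            seen.add(ptype)
        # One subject per statement is this example's policy (the page only says
        # each attestation binds one distribution); check it names this file.
        subjects = st.get("subject") or []
        if len(subjects) != 1:
            problems.append(f"attestation {i}: expected one subject, got {len(subjects)}")
            continue
        subj = subjects[0]
        if subj.get("name") != filename:
            problems.append(f"attestation {i}: subject name {subj.get('name')!r} != {filename!r}")
        got = (subj.get("digest") or {}).get("sha256")
        if got != expected:
            problems.append(f"attestation {i}: sha256 {got!r} does not match file digest {expected}")
    return problems


# Constructed sample input: a placeholder wheel body, not a real distribution.
WHEEL_NAME = "example_pkg-1.0.0-py3-none-any.whl"
WHEEL_BYTES = b"PK\x03\x04 placeholder wheel content for the example"


def demo() -> list[str]:
    """One provenance and one publish statement for the same wheel: accepted."""
    provenance = make_statement(WHEEL_NAME, WHEEL_BYTES, SLSA_PROVENANCE_V1, {})
    publish = make_statement(WHEEL_NAME, WHEEL_BYTES, PYPI_PUBLISH_V1, {})
    return check_upload(WHEEL_NAME, WHEEL_BYTES, [provenance, publish])


if __name__ == "__main__":
    print("accepted" if not demo() else demo())
```

The check returns every violation rather than stopping at the first, which is what a client wants before uploading: a release with three attestations on one wheel, two of which repeat a predicate, is reported for both the count and the repetition, and a digest mismatch is reported separately so a rebuilt wheel is not confused with a mis-typed predicate.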