PyPI Publish Attestation (v1)
Info
Index attestations are currently under active development, and are not yet considered stable.
Type URI: https://docs.pypi.org/attestations/publish/v1
Version 1.0
Purpose
To provide a minimal, "implicit" digital attestation for PyPI packages published via Trusted Publishing.
Use Cases
A Trusted Publisher can produce this attestation during the publishing process for a particular release of a PyPI project. This allows consumers of that project to verify the following:
- That a particular release distribution (i.e. sdist or wheel) was, in fact, uploaded via a Trusted Publisher and not some other publishing mechanism (such as a locally-held API token).
- That a specific Trusted Publisher identity was used to publish to the project, such as a particular GitHub Actions workflow, GitLab identity, etc.
Put together, these allow users to assert a higher degree of confidence in the integrity (but not necessarily trustworthiness) of projects published to PyPI, by asserting that the package's files are published via a short-lived credential corresponding to a specific machine identity (such as a GitHub Actions workflow).
This can be further composed with monitoring, e.g. for changes to a PyPI project's attested Trusted Publisher over time, indicating potentially malicious changes to the project.
Prerequisites
This predicate depends on the in-toto Attestation Framework.
Model
This predicate conveys a Trusted Publisher's intent to publish a package to PyPI.
It implicitly communicates the state of the Trusted Publisher (at the time of publishing) via the identity that produced the signature. This identity can be cross-checked during verification, per PEP 740, via the "provenance" objects served by PyPI's index APIs.
Schema
This predicate has no schema. The Type URI is the only required field,
and it MUST be https://docs.pypi.org/attestations/publish/v1
.
The predicate
body itself MUST be either empty
(meaning an empty JSON object, {}
) or not supplied (meaning JSON null
).