
Research ways to support verifying the PEP 740 digital attestations early #2080

Open
webknjaz opened this issue Apr 26, 2024 · 2 comments
Labels:
- enhancement: Improvements to functionality
- feature: Request for a new feature
- hashes: Related to hashes generated via --generate-hashes
- help wanted: Request help from the community
- needs discussion: Need some more discussion
- needs more info: Need more info to clarify issue
- packaging: Packaging related stuff
- PR wanted: Feature is discussed or bug is confirmed, PR needed

Comments

@webknjaz
Member

The upstream is moving forward now — pypi/warehouse#15871 — so should pip-tools. I don't yet know what it'll look like here but we need to watch for the opportunities to integrate preliminary support for such security-related features.

webknjaz added the labels PR wanted, needs more info, help wanted, enhancement, feature, needs discussion, packaging and hashes on Apr 26, 2024
webknjaz changed the title from "Research supporting for verifying the PEP 740 digital attestations early" to "Research ways to support verifying the PEP 740 digital attestations early" on Apr 26, 2024
@webknjaz
Member Author

@woodruffw does a PoC of the attestation verification exist anywhere?

@woodruffw

> @woodruffw does a PoC of the attestation verification exist anywhere?

Yes! We have a PoC using the pip plugin architecture that we're currently workshopping in pypa/pip#12985. The PoC is currently in its own private repo, but I'll make it public tomorrow (there's nothing private about it, we were just keeping it unlisted while we experiment with it).

Separate from that, the pypi_attestations docs have some examples of verifying attestations, but those still need to be fleshed out some more with a full example of pulling down a provenance response, extracting the attestations, and verifying them.
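The comment above lists three steps: pull down the provenance response, extract the attestations, and verify them. The following is an added example (not pip-tools code and not the pypi-attestations library) that demonstrates the middle step plus the check a hash-oriented tool like pip-tools cares about most: that an attestation's in-toto statement actually binds the exact distribution file (name and sha256) being installed. It assumes the PEP 740 object layout (a provenance object with `attestation_bundles`, each holding a `publisher` and a list of attestations whose `envelope.statement` is a base64-encoded in-toto statement). Fetching the provenance from the index is left to the caller, and the cryptographic part of verification (envelope signature, signing certificate, transparency-log entry) is deliberately not reimplemented here; in practice that is delegated to pypi-attestations/sigstore. The sample provenance and wheel bytes are constructed for the example.

```python
"""Extract attestations from a PEP 740 provenance object and check which ones
bind a given distribution file. Added example, not pip-tools or pypi-attestations code.
Structural checks only: no signature/certificate verification is performed here."""
from __future__ import annotations

import base64
import hashlib
import json

IN_TOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
# Predicate types PEP 740 allows in a PyPI attestation statement (assumption based on the PEP).
PEP740_PREDICATE_TYPES = {
    "https://docs.pypi.org/attestations/publish/v1",
    "https://slsa.dev/provenance/v1",
}


def extract_attestations(provenance: dict) -> list[tuple[dict, dict]]:
    """Walk a provenance object and return (publisher, attestation) pairs."""
    if provenance.get("version") != 1:
        raise ValueError(f"unsupported provenance version: {provenance.get('version')!r}")
    pairs = []
    for bundle in provenance["attestation_bundles"]:
        publisher = bundle["publisher"]
        for attestation in bundle["attestations"]:
            if attestation.get("version") != 1:
                raise ValueError("unsupported attestation version")
            pairs.append((publisher, attestation))
    return pairs


def decode_statement(attestation: dict) -> dict:
    """Decode the base64 in-toto statement inside the envelope and sanity-check its type."""
    statement = json.loads(base64.b64decode(attestation["envelope"]["statement"]))
    if statement.get("_type") != IN_TOTO_STATEMENT_TYPE:
        raise ValueError(f"unexpected statement type: {statement.get('_type')!r}")
    if statement.get("predicateType") not in PEP740_PREDICATE_TYPES:
        raise ValueError(f"unexpected predicateType: {statement.get('predicateType')!r}")
    return statement


def statement_covers(statement: dict, filename: str, sha256_hex: str) -> bool:
    """True if some subject in the statement names this file with this sha256 digest."""
    return any(
        subject.get("name") == filename and subject.get("digest", {}).get("sha256") == sha256_hex
        for subject in statement.get("subject", [])
    )


def check_distribution(provenance: dict, filename: str, dist_bytes: bytes) -> list[dict]:
    """Return the publishers whose attestation statement binds this exact file.

    An empty list means no attestation covers the file (wrong name, wrong digest,
    or tampered bytes). Signature validity is NOT checked here."""
    digest = hashlib.sha256(dist_bytes).hexdigest()
    matched = []
    for publisher, attestation in extract_attestations(provenance):
        statement = decode_statement(attestation)
        if statement_covers(statement, filename, digest):
            matched.append(publisher)
    return matched


# ---- constructed sample data (not real PyPI output) ----
SAMPLE_FILENAME = "sampleproject-1.0.0-py3-none-any.whl"
SAMPLE_DIST = b"PK\x03\x04 constructed stand-in for wheel bytes"
SAMPLE_PUBLISHER = {"kind": "GitHub", "repository": "example-org/sampleproject", "workflow": "release.yml"}


def _b64(obj) -> str:
    return base64.b64encode(json.dumps(obj, separators=(",", ":")).encode()).decode()


def _attestation(subject_name: str, digest_hex: str) -> dict:
    """Build a structurally valid attestation with placeholder signature material."""
    statement = {
        "_type": IN_TOTO_STATEMENT_TYPE,
        "subject": [{"name": subject_name, "digest": {"sha256": digest_hex}}],
        "predicateType": "https://docs.pypi.org/attestations/publish/v1",
        "predicate": None,
    }
    return {
        "version": 1,
        "verification_material": {"certificate": _b64("placeholder-cert"), "transparency_entries": []},
        "envelope": {"statement": _b64(statement), "signature": _b64("placeholder-sig")},
    }


SAMPLE_PROVENANCE = {
    "version": 1,
    "attestation_bundles": [{
        "publisher": SAMPLE_PUBLISHER,
        "attestations": [
            _attestation(SAMPLE_FILENAME, hashlib.sha256(SAMPLE_DIST).hexdigest()),
            _attestation("other-2.0.0.tar.gz", "00" * 32),  # covers a different file
        ],
    }],
}

if __name__ == "__main__":
    print(check_distribution(SAMPLE_PROVENANCE, SAMPLE_FILENAME, SAMPLE_DIST))
    print(check_distribution(SAMPLE_PROVENANCE, SAMPLE_FILENAME, SAMPLE_DIST + b"tampered"))
```

The subject-digest check is what ties an attestation to the `--generate-hashes` output pip-tools already produces: the sha256 a tool pins in its requirements file is the same value the in-toto subject carries, so a mismatch means either the wrong artifact or a tampered one. A real verifier runs this check only after the envelope signature and certificate identity have been validated, otherwise anyone can craft a statement with the right digest.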


2 participants