Store attestations for PEP740 #16302
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Conflicts: # warehouse/forklift/legacy.py
DarkaMaul
commented
Jul 18, 2024
25 tasks
facutuesca
reviewed
Jul 19, 2024
facutuesca
suggested changes
Jul 25, 2024
warehouse/migrations/versions/7a195fd3f903_create_release_attestations_table.py
Outdated
Show resolved
Hide resolved
woodruffw
reviewed
Jul 25, 2024
|
Let put this one on hold until trailofbits/pypi-attestations#36 is merged. |
Exactly |
di
reviewed
Aug 15, 2024
woodruffw
reviewed
Aug 15, 2024
…te Provenance related objects
# Conflicts: # warehouse/forklift/legacy.py
DarkaMaul
force-pushed
the
dm/store-attestations
branch
from
6d35ff3
to
eec0b46
Compare
di
reviewed
Aug 19, 2024
di
approved these changes
Aug 21, 2024
woodruffw
reviewed
Aug 21, 2024
Signed-off-by: William Woodruff <[email protected]>
di
added a commit
to di/warehouse
that referenced
this pull request
Aug 21, 2024
This reverts commit 5545884.
di
added a commit
that referenced
this pull request
Aug 21, 2024
woodruffw
added a commit
to trail-of-forks/warehouse
that referenced
this pull request
Aug 21, 2024
This reverts commit da7e1ed.
This was referenced Aug 26, 2024
ewdurbin
pushed a commit
that referenced
this pull request
Sep 3, 2024
* Reapply "Store attestations for PEP740 (#16302)" (#16545) This reverts commit da7e1ed. * migrations: re-roll migration history Signed-off-by: William Woodruff <[email protected]> * config: register .attestations for inclusion Signed-off-by: William Woodruff <[email protected]> * attestations: request the appropriate IFileStorage service IFileStorage requires a name to disambiguate it. Signed-off-by: William Woodruff <[email protected]> * conftest: add archive_files.path to get_app_config Signed-off-by: William Woodruff <[email protected]> * test, warehouse: remove problematic mocks This removes two mocked `db_request`s from the simple index tests. These mocks were masking larger architectural issues with both attestations and our test scaffolding for attestations. This isn't quite complete yet, since it does a nasty thing (uses a file storage with a tmpdir) to get IntegrityService initialization working. Signed-off-by: William Woodruff <[email protected]> * test_services: rename test class Signed-off-by: William Woodruff <[email protected]> * Try to clean a bit the mess with the migrations. * begin refactoring IntegrityService This reduces the overall API surface for IIntegrityService implementers, and adds an initial NullIntegrityService to make unit-level testing simpler. Signed-off-by: William Woodruff <[email protected]> * Revert "Try to clean a bit the mess with the migrations." This reverts commit e19be6c. * tests, warehouse: more error tests, remove more stubs Signed-off-by: William Woodruff <[email protected]> * test_services: fix match Signed-off-by: William Woodruff <[email protected]> * remove more implicit file service deps Signed-off-by: William Woodruff <[email protected]> * continue to burn down coverage Remove more ad-hoc stubs as well. Signed-off-by: William Woodruff <[email protected]> * full coverage Signed-off-by: William Woodruff <[email protected]> * test_simple: positive provenance test for /simple Signed-off-by: William Woodruff <[email protected]> * tests: minimize, increase confidence in behavior Signed-off-by: William Woodruff <[email protected]> * Update warehouse/config.py Co-authored-by: dm <[email protected]> * packaging/test_utils: remove another mock Signed-off-by: William Woodruff <[email protected]> * Remove even more mocks * Update tests/conftest.py Co-authored-by: William Woodruff <[email protected]> * Update test_create_service * Add a functional test * Linting * Fixup migration * Fix test error * Revert change * Apply suggestions from code review Rename key Co-authored-by: Dustin Ingram <[email protected]> * Revert "Apply suggestions from code review " This reverts commit 52931a1. * Give the IntegrityService access to the session * Add the Attestation object to the session * Update the functional test with more assertions * Remove vestigial helper * Update functional test --------- Signed-off-by: William Woodruff <[email protected]> Co-authored-by: Alexis <[email protected]> Co-authored-by: dm <[email protected]> Co-authored-by: Dustin Ingram <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Context
This PR follows #16063 and #15952 and build on them.
After verifying attestations, this PR introduces their storage and retrieval when needed.
Main changes
At upload time
storageservice.Provenancefile is generated and stored with the release fileAt download time
simpleAPI (JSON/HTML), if attestations exist for the release :provenancewith the sha256 of the provenance file is setdata-provenanceis set with the same valueImplementations choices
TODOs
/cc @woodruffw @facutuesca