Skip to content

Example: verifying PyPI (PEP 740) attestations #653

Description

@jflacker

PyPI publishes Sigstore-based attestations for uploaded distributions (PEP 740), retrievable via the Integrity API. The attestation object is a re-shaped Sigstore bundle (base64 DER certificate + protojson transparency entries + a DSSE envelope split into statement and signature), so verifying one with sigstore-go requires reconstructing the bundle first — a conversion that isn't documented anywhere in Go today.

I'd like to contribute examples/pypi-attestation-verification: a small CLI in the style of examples/oci-image-verification that fetches a package's provenance from PyPI, rebuilds the Sigstore bundle, and verifies it (signature + transparency log + certificate identity + artifact digest binding) against the public-good trusted root, with a matching docs/ walkthrough.

I have this working already and can open a PR.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions