Digital Attestations and Trusted Publishing via Google Cloud IAM
Project description
gcp-attest
Produce Digital Attestations and use PyPI Trusted Publishing using Google Cloud service accounts.
Why
PyPI encourages Trusted Publishing, but their supported platforms do not include Codeberg. This is understandable: Supporting a new platform means trusting it, and for a long time neither of Codeberg's CI options even had an option to issue OIDC tokens.
PyPI trusts Google's OIDC, though. All OIDC tokens issued by Google Cloud IAM can be exchanged against valid PyPI publishing tokens. The same applies to Sigstore and digital attestations.
Google Cloud OIDC tokens usually represent a service account. There are multiple ways to "log in" as said account to issue tokens:
- Inside a Google Cloud workflow. This is the expected way and already supported by di/id and pypi-attestations.
- Using a long-lived credentials key file.
- Using Workload Identity Federation
The last one is interesting, as it allows us to exchange OIDC tokens from any valid identity provider for Google Cloud tokens. This way, Google Cloud acts like a proxy between PyPI and not (yet) supported OIDC providers.
This project aims to simplify publishing process by offering APIs to create attestations and exchange tokens.
Licence
© 2026 Nikita Karamov
Licensed under the ISC License
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file gcp_attest-0.0.1.tar.gz.
File metadata
- Download URL: gcp_attest-0.0.1.tar.gz
- Upload date:
- Size: 56.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.2.0 CPython/3.14.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6e2cb3b0afc8fd74566f769f8f5f55d5641d9aac7a9fdc66f777c1f8176c646a
|
|
| MD5 |
6a659fe27b3ce8693289c4dc6c5efc86
|
|
| BLAKE2b-256 |
71024e32bca796e31bce625200cc3d3115ad8d12f70f05bdc7f1b28c0f0e1f89
|
Provenance
The following attestation bundles were made for gcp_attest-0.0.1.tar.gz:
Publisher:
pypi-publish@kytta-dev.iam.gserviceaccount.com
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
gcp_attest-0.0.1.tar.gz -
Subject digest:
6e2cb3b0afc8fd74566f769f8f5f55d5641d9aac7a9fdc66f777c1f8176c646a - Sigstore transparency entry: 2156132442
- Sigstore integration time:
-
Token Issuer:
https://accounts.google.com -
Service Account:
pypi-publish@kytta-dev.iam.gserviceaccount.com
-
Statement type:
File details
Details for the file gcp_attest-0.0.1-py3-none-any.whl.
File metadata
- Download URL: gcp_attest-0.0.1-py3-none-any.whl
- Upload date:
- Size: 4.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.2.0 CPython/3.14.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2a700b2d02f096483916772dcd9c1bd2ac93ea1f15585ba89dc1530122b0ad66
|
|
| MD5 |
b5e5d4d439e781dec38298ddef2b0210
|
|
| BLAKE2b-256 |
2bf614147c18615865d889037e93cf406e55b33ffeffce4544e5cec37fd1e093
|
Provenance
The following attestation bundles were made for gcp_attest-0.0.1-py3-none-any.whl:
Publisher:
pypi-publish@kytta-dev.iam.gserviceaccount.com
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
gcp_attest-0.0.1-py3-none-any.whl -
Subject digest:
2a700b2d02f096483916772dcd9c1bd2ac93ea1f15585ba89dc1530122b0ad66 - Sigstore transparency entry: 2156132340
- Sigstore integration time:
-
Token Issuer:
https://accounts.google.com -
Service Account:
pypi-publish@kytta-dev.iam.gserviceaccount.com
-
Statement type: