Skip to main content

Digital Attestations and Trusted Publishing via Google Cloud IAM

Project description

gcp-attest

Produce Digital Attestations and use PyPI Trusted Publishing using Google Cloud service accounts.

Why

PyPI encourages Trusted Publishing, but their supported platforms do not include Codeberg. This is understandable: Supporting a new platform means trusting it, and for a long time neither of Codeberg's CI options even had an option to issue OIDC tokens.

PyPI trusts Google's OIDC, though. All OIDC tokens issued by Google Cloud IAM can be exchanged against valid PyPI publishing tokens. The same applies to Sigstore and digital attestations.

Google Cloud OIDC tokens usually represent a service account. There are multiple ways to "log in" as said account to issue tokens:

  1. Inside a Google Cloud workflow. This is the expected way and already supported by di/id and pypi-attestations.
  2. Using a long-lived credentials key file.
  3. Using Workload Identity Federation

The last one is interesting, as it allows us to exchange OIDC tokens from any valid identity provider for Google Cloud tokens. This way, Google Cloud acts like a proxy between PyPI and not (yet) supported OIDC providers.

This project aims to simplify publishing process by offering APIs to create attestations and exchange tokens.

Licence

© 2026 Nikita Karamov
Licensed under the ISC License

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

gcp_attest-0.3.0a1.tar.gz (155.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

gcp_attest-0.3.0a1-py3-none-any.whl (7.8 kB view details)

Uploaded Python 3

File details

Details for the file gcp_attest-0.3.0a1.tar.gz.

File metadata

  • Download URL: gcp_attest-0.3.0a1.tar.gz
  • Upload date:
  • Size: 155.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.2.0 CPython/3.14.6

File hashes

Hashes for gcp_attest-0.3.0a1.tar.gz
Algorithm Hash digest
SHA256 4d144c833aae693ec2b61c85ed69d9b5650e4d1e1dc2b6c6d55f518bed9d27e7
MD5 a18a66b8455bc73b956dd1e41ce20a36
BLAKE2b-256 8186b524f6a20aa26c5cf56c4e030397a0885a7cf787adb63861ae8d39dedac7

See more details on using hashes here.

Provenance

The following attestation bundles were made for gcp_attest-0.3.0a1.tar.gz:

Publisher: pypi-publish@kytta-dev.iam.gserviceaccount.com

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
  • Statement: Publication detail:
    • Token Issuer: https://accounts.google.com
    • Service Account: pypi-publish@kytta-dev.iam.gserviceaccount.com

File details

Details for the file gcp_attest-0.3.0a1-py3-none-any.whl.

File metadata

  • Download URL: gcp_attest-0.3.0a1-py3-none-any.whl
  • Upload date:
  • Size: 7.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.2.0 CPython/3.14.6

File hashes

Hashes for gcp_attest-0.3.0a1-py3-none-any.whl
Algorithm Hash digest
SHA256 7d07f73f6db28e6920e51c6d75ce75068ae8f6cdc366313c1fbd438c0ad40cd0
MD5 c501b2a0d79df874fad4f9b4edf5fc09
BLAKE2b-256 2bd24a2d65950341147cf26d006d8909eff361716b1f5e4e5836ae46d85b3bb0

See more details on using hashes here.

Provenance

The following attestation bundles were made for gcp_attest-0.3.0a1-py3-none-any.whl:

Publisher: pypi-publish@kytta-dev.iam.gserviceaccount.com

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
  • Statement: Publication detail:
    • Token Issuer: https://accounts.google.com
    • Service Account: pypi-publish@kytta-dev.iam.gserviceaccount.com

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page