Project description

PyPI Attestation Models

A library to convert between Sigstore Bundles and PEP 740 Attestation objects

Installation

python -m pip install pypi-attestation-models

Usage

See the full API documentation here.

Signing and verification

Use these APIs to create a PEP 740-compliant Attestation object by signing a Python artifact (i.e: sdist or wheel files), and to verify an Attestation object against a Python artifact.

from pathlib import Path

from pypi_attestation_models import Attestation, AttestationPayload
from sigstore.oidc import Issuer
from sigstore.sign import SigningContext
from sigstore.verify import Verifier, policy

artifact_path = Path("test_package-0.0.1-py3-none-any.whl")

# Sign a Python artifact
issuer = Issuer.production()
identity_token = issuer.identity_token()
signing_ctx = SigningContext.production()
with signing_ctx.signer(identity_token, cache=True) as signer:
    attestation = AttestationPayload.from_dist(artifact_path).sign(signer)

print(attestation.model_dump_json())

# Verify an attestation against a Python artifact
attestation_path = Path("test_package-0.0.1-py3-none-any.whl.attestation")
attestation = Attestation.model_validate_json(attestation_path.read_bytes())
verifier = Verifier.production()
policy = policy.Identity(identity="example@gmail.com", issuer="https://accounts.google.com")
attestation.verify(verifier, policy, attestation_path)

Low-level model conversions

These conversions assume that any Sigstore Bundle used as an input was created by signing an AttestationPayload object.

from pathlib import Path
from pypi_attestation_models import pypi_to_sigstore, sigstore_to_pypi, Attestation
from sigstore.models import Bundle

# Sigstore Bundle -> PEP 740 Attestation object
bundle_path = Path("test_package-0.0.1-py3-none-any.whl.sigstore")
with bundle_path.open("rb") as f:
    sigstore_bundle = Bundle.from_json(f.read())
attestation_object = sigstore_to_pypi(sigstore_bundle)
print(attestation_object.model_dump_json())


# PEP 740 Attestation object -> Sigstore Bundle
attestation_path = Path("attestation.json")
with attestation_path.open("rb") as f:
    attestation = Attestation.model_validate_json(f.read())
bundle = pypi_to_sigstore(attestation)
print(bundle.to_json())

Project details

These details have not been verified by PyPI

Project links

GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Release history Release notifications | RSS feed

This version

0.0.2

May 16, 2024

0.0.1

May 15, 2024

0.0.1rc2 pre-release

May 8, 2024

0.0.1rc1 pre-release

May 2, 2024

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pypi_attestation_models-0.0.2.tar.gz (8.4 kB view hashes)

Uploaded May 16, 2024 Source

Built Distribution

pypi_attestation_models-0.0.2-py3-none-any.whl (8.8 kB view hashes)

Uploaded May 16, 2024 Python 3

Hashes for pypi_attestation_models-0.0.2.tar.gz

Hashes for pypi_attestation_models-0.0.2.tar.gz
Algorithm	Hash digest
SHA256	`c6dad5ce65466754080714a288442d15033a74966d6a8a911ebf7ae9006dd901`
MD5	`ac013aa6e0672ff5b3572b1aae233c97`
BLAKE2b-256	`a1dc15bc579500a34e354b9f9c6631f5290cf4924dc9aafde87909e170dc2714`

Hashes for pypi_attestation_models-0.0.2-py3-none-any.whl

Hashes for pypi_attestation_models-0.0.2-py3-none-any.whl
Algorithm	Hash digest
SHA256	`8fe145e54e589391b41830741256c538c03c795b74bd8d5a01bbe67c9f795966`
MD5	`15aafc6e254241d39514700b6bbc1bd4`
BLAKE2b-256	`4bdd42e9745eb292eac81a5570d86fdb82544bc455a3b1649f209b37750e011b`