Package trust and provenance verification for PyPI consumers.
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
trustcheck
trustcheck is a Python package and CLI for evaluating the trust posture of PyPI releases before they are installed, promoted, or approved.
It combines PyPI metadata, vulnerability records, provenance availability, cryptographic attestation verification, Trusted Publisher identity hints, and repository matching into a single operator-friendly report.
Packages that publish no provenance are treated as needing review rather than as automatic high-risk findings, while invalid provenance, partial coverage, repository mismatches, and known vulnerabilities remain stronger negative signals.
What it checks
For a selected package version, trustcheck can:
- fetch project and release metadata from PyPI
- verify published provenance against artifact digests
- surface Trusted Publisher repository and workflow identity hints
- compare expected repository input against declared and attested signals
- flag publisher drift, missing verification, and known vulnerabilities
- emit concise text output or structured JSON for automation
Installation
pip install trustcheck
Requirements:
- Python
>=3.10 - Network access to PyPI
Quick start
Inspect the latest release:
trustcheck inspect requests
Inspect a specific version:
trustcheck inspect sampleproject --version 4.0.0
Inspect a package and its direct dependencies:
trustcheck inspect sampleproject --version 4.0.0 --with-deps
Inspect the full transitive dependency tree:
trustcheck inspect sampleproject --version 4.0.0 --with-transitive-deps
Require a release to match an expected repository:
trustcheck inspect sampleproject \
--version 4.0.0 \
--expected-repo https://github.com/pypa/sampleproject
Emit JSON for another tool:
trustcheck inspect sampleproject --version 4.0.0 --format json
Fail CI when full verification is missing:
trustcheck inspect sampleproject --version 4.0.0 --strict
Use it from Python:
from trustcheck import inspect_package
report = inspect_package("sampleproject", version="4.0.0", include_dependencies=True)
print(report.recommendation)
Documentation
Full documentation: https://halfblood-prince.github.io/trustcheck/
- Getting started: Installation and Quickstart
- CLI usage: CLI overview, Policies, and Config and offline mode
- Integrations: JSON contract, Python API, and Compatibility
- Trust model: Verification model and repository matching
- Automation: CI integration
- Project details: Development and release process and Changelog
License
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file trustcheck-1.6.1.tar.gz.
File metadata
- Download URL: trustcheck-1.6.1.tar.gz
- Upload date:
- Size: 630.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e5dc09f62a60d498c8237e66088c94d0ed9a41b02b04ccc76319d076f05db5c6
|
|
| MD5 |
0df7f773f021c9afea508d266dfc64a9
|
|
| BLAKE2b-256 |
dff29a8197301d0552edce3d895dfa729f91ca601c5d916c34bb24a4a21ea0f7
|
Provenance
The following attestation bundles were made for trustcheck-1.6.1.tar.gz:
Publisher:
publish.yml on Halfblood-Prince/trustcheck
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
trustcheck-1.6.1.tar.gz -
Subject digest:
e5dc09f62a60d498c8237e66088c94d0ed9a41b02b04ccc76319d076f05db5c6 - Sigstore transparency entry: 1310259606
- Sigstore integration time:
-
Permalink:
Halfblood-Prince/trustcheck@3c4b8880c6b48c53a7000157ad1b83b57ad379cd -
Branch / Tag:
refs/tags/v1.6.1 - Owner: https://github.com/Halfblood-Prince
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@3c4b8880c6b48c53a7000157ad1b83b57ad379cd -
Trigger Event:
push
-
Statement type:
File details
Details for the file trustcheck-1.6.1-py3-none-any.whl.
File metadata
- Download URL: trustcheck-1.6.1-py3-none-any.whl
- Upload date:
- Size: 32.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2ebe96d4ca02db87af0eac9d708198ac268aa2b60a9621b2bcf2fbf414b22602
|
|
| MD5 |
2a78d727295cf0e487f2392fb904a9f8
|
|
| BLAKE2b-256 |
9a32d513c554999d872fdd94072268fd6d66ee0f8f614d602986b4688f220058
|
Provenance
The following attestation bundles were made for trustcheck-1.6.1-py3-none-any.whl:
Publisher:
publish.yml on Halfblood-Prince/trustcheck
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
trustcheck-1.6.1-py3-none-any.whl -
Subject digest:
2ebe96d4ca02db87af0eac9d708198ac268aa2b60a9621b2bcf2fbf414b22602 - Sigstore transparency entry: 1310259669
- Sigstore integration time:
-
Permalink:
Halfblood-Prince/trustcheck@3c4b8880c6b48c53a7000157ad1b83b57ad379cd -
Branch / Tag:
refs/tags/v1.6.1 - Owner: https://github.com/Halfblood-Prince
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@3c4b8880c6b48c53a7000157ad1b83b57ad379cd -
Trigger Event:
push
-
Statement type:
