Skip to content
/ pypi-attestation-models Public

A library to convert between Sigstore Bundles and PEP-740 Attestation objects

License

Apache-2.0 license
0 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

trailofbits/pypi-attestation-models

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits

.github

.github

 
 

src/pypi_attestation_models

src/pypi_attestation_models

 
 

test

test

 
 

.gitignore

.gitignore

 
 

CHANGELOG.md

CHANGELOG.md

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

pyproject.toml

pyproject.toml

 
 

Repository files navigation

PyPI Attestation Models

CI PyPI version Packaging status

A library to convert between Sigstore Bundles and PEP 740 Attestation objects

Installation

python -m pip install pypi-attestation-models

Usage

See the full API documentation here.

Signing and verification

Use these APIs to create a PEP 740-compliant Attestation object by signing a Python artifact (i.e: sdist or wheel files), and to verify an Attestation object against a Python artifact.

from pathlib import Path

from pypi_attestation_models import Attestation, AttestationPayload
from sigstore.oidc import Issuer
from sigstore.sign import SigningContext
from sigstore.verify import Verifier, policy

artifact_path = Path("test_package-0.0.1-py3-none-any.whl")

# Sign a Python artifact
issuer = Issuer.production()
identity_token = issuer.identity_token()
signing_ctx = SigningContext.production()
with signing_ctx.signer(identity_token, cache=True) as signer:
    attestation = AttestationPayload.from_dist(artifact_path).sign(signer)

print(attestation.model_dump_json())

# Verify an attestation against a Python artifact
attestation_path = Path("test_package-0.0.1-py3-none-any.whl.attestation")
attestation = Attestation.model_validate_json(attestation_path.read_bytes())
verifier = Verifier.production()
policy = policy.Identity(identity="[email protected]", issuer="https://accounts.google.com")
attestation.verify(verifier, policy, attestation_path)

Low-level model conversions

These conversions assume that any Sigstore Bundle used as an input was created by signing an AttestationPayload object.

from pathlib import Path
from pypi_attestation_models import pypi_to_sigstore, sigstore_to_pypi, Attestation
from sigstore.models import Bundle

# Sigstore Bundle -> PEP 740 Attestation object
bundle_path = Path("test_package-0.0.1-py3-none-any.whl.sigstore")
with bundle_path.open("rb") as f:
    sigstore_bundle = Bundle.from_json(f.read())
attestation_object = sigstore_to_pypi(sigstore_bundle)
print(attestation_object.model_dump_json())


# PEP 740 Attestation object -> Sigstore Bundle
attestation_path = Path("attestation.json")
with attestation_path.open("rb") as f:
    attestation = Attestation.model_validate_json(f.read())
bundle = pypi_to_sigstore(attestation)
print(bundle.to_json())

About

A library to convert between Sigstore Bundles and PEP-740 Attestation objects

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases 4

v0.0.2 Latest
May 16, 2024
+ 3 releases

Packages

No packages published

Contributors 2

Languages