A library to convert between Sigstore Bundles and PEP-740 Attestation objects
Project description
PyPI Attestation Models
A library to convert between Sigstore Bundles and PEP 740 Attestation objects
Installation
python -m pip install pypi-attestation-models
Usage
See the full API documentation here.
Signing and verification
Use these APIs to create a PEP 740-compliant Attestation object by signing a Python artifact
(i.e: sdist or wheel files), and to verify an Attestation object against a Python artifact.
from pathlib import Path
from pypi_attestation_models import Attestation, AttestationPayload
from sigstore.oidc import Issuer
from sigstore.sign import SigningContext
from sigstore.verify import Verifier, policy
artifact_path = Path("test_package-0.0.1-py3-none-any.whl")
# Sign a Python artifact
issuer = Issuer.production()
identity_token = issuer.identity_token()
signing_ctx = SigningContext.production()
with signing_ctx.signer(identity_token, cache=True) as signer:
attestation = AttestationPayload.from_dist(artifact_path).sign(signer)
print(attestation.model_dump_json())
# Verify an attestation against a Python artifact
attestation_path = Path("test_package-0.0.1-py3-none-any.whl.attestation")
attestation = Attestation.model_validate_json(attestation_path.read_bytes())
verifier = Verifier.production()
policy = policy.Identity(identity="example@gmail.com", issuer="https://accounts.google.com")
attestation.verify(verifier, policy, attestation_path)
Low-level model conversions
These conversions assume that any Sigstore Bundle used as an input was created
by signing an AttestationPayload object.
from pathlib import Path
from pypi_attestation_models import pypi_to_sigstore, sigstore_to_pypi, Attestation
from sigstore.models import Bundle
# Sigstore Bundle -> PEP 740 Attestation object
bundle_path = Path("test_package-0.0.1-py3-none-any.whl.sigstore")
with bundle_path.open("rb") as f:
sigstore_bundle = Bundle.from_json(f.read())
attestation_object = sigstore_to_pypi(sigstore_bundle)
print(attestation_object.model_dump_json())
# PEP 740 Attestation object -> Sigstore Bundle
attestation_path = Path("attestation.json")
with attestation_path.open("rb") as f:
attestation = Attestation.model_validate_json(f.read())
bundle = pypi_to_sigstore(attestation)
print(bundle.to_json())
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file pypi_attestation_models-0.0.4a1.tar.gz.
File metadata
- Download URL: pypi_attestation_models-0.0.4a1.tar.gz
- Upload date:
- Size: 8.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/5.0.0 CPython/3.12.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | bffba11c016231ec1a3535db1fa90fd6673c04d0077406c67b9549c5e9f34e9f |
|
| MD5 | 5280106b1b0a7464ebb36d09e3edaa95 |
|
| BLAKE2b-256 | 216ea85c2b7479afd346df3ca1b8ef3343bc98b18fbbee0db7cc50f1c5609ecf |
File details
Details for the file pypi_attestation_models-0.0.4a1-py3-none-any.whl.
File metadata
- Download URL: pypi_attestation_models-0.0.4a1-py3-none-any.whl
- Upload date:
- Size: 8.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/5.0.0 CPython/3.12.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 94254a5a06c5eb8b3d234064be1409ec8152afd2d9001fe2b230e1c775728eb7 |
|
| MD5 | 1988026a01985a2ac157d8b1e996fc7e |
|
| BLAKE2b-256 | 04f39b715dd24582633e6a6bf5a1c903b23d74ceb7e9b6985b0dc0605c90356e |
