A library to convert between Sigstore Bundles and PEP-740 Attestation objects
Project description
PyPI Attestation Models
A library to convert between Sigstore Bundles and PEP 740 Attestation objects
Installation
python -m pip install pypi-attestation-models
Usage
See the full API documentation here.
Signing and verification
Use these APIs to create a PEP 740-compliant Attestation
object by signing a Python artifact
(i.e: sdist or wheel files), and to verify an Attestation
object against a Python artifact.
from pathlib import Path
from pypi_attestation_models import Attestation, AttestationPayload
from sigstore.oidc import Issuer
from sigstore.sign import SigningContext
from sigstore.verify import Verifier, policy
artifact_path = Path("test_package-0.0.1-py3-none-any.whl")
# Sign a Python artifact
issuer = Issuer.production()
identity_token = issuer.identity_token()
signing_ctx = SigningContext.production()
with signing_ctx.signer(identity_token, cache=True) as signer:
attestation = AttestationPayload.from_dist(artifact_path).sign(signer)
print(attestation.model_dump_json())
# Verify an attestation against a Python artifact
attestation_path = Path("test_package-0.0.1-py3-none-any.whl.attestation")
attestation = Attestation.model_validate_json(attestation_path.read_bytes())
verifier = Verifier.production()
policy = policy.Identity(identity="example@gmail.com", issuer="https://accounts.google.com")
attestation.verify(verifier, policy, attestation_path)
Low-level model conversions
These conversions assume that any Sigstore Bundle used as an input was created
by signing an AttestationPayload
object.
from pathlib import Path
from pypi_attestation_models import pypi_to_sigstore, sigstore_to_pypi, Attestation
from sigstore.models import Bundle
# Sigstore Bundle -> PEP 740 Attestation object
bundle_path = Path("test_package-0.0.1-py3-none-any.whl.sigstore")
with bundle_path.open("rb") as f:
sigstore_bundle = Bundle.from_json(f.read())
attestation_object = sigstore_to_pypi(sigstore_bundle)
print(attestation_object.model_dump_json())
# PEP 740 Attestation object -> Sigstore Bundle
attestation_path = Path("attestation.json")
with attestation_path.open("rb") as f:
attestation = Attestation.model_validate_json(f.read())
bundle = pypi_to_sigstore(attestation)
print(bundle.to_json())
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Close
Hashes for pypi_attestation_models-0.0.4a2.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | c9709ce6fd5b67b59b4a28758cf14d3f411803c4b89b6068b1f1a8e4ee94c8ef |
|
MD5 | 56fb63160b5f49b2c4a832cc724e9c0a |
|
BLAKE2b-256 | 92ae8046161ab4da3267a0f4e905e8aa2d9769eacb4300354b917c2461f54949 |
Close
Hashes for pypi_attestation_models-0.0.4a2-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 57c42175adf5ed7f741c4482db1204954d7cf05300c85e4bd9fa32d7bfc52053 |
|
MD5 | da7506d323b5ffaaa9d8b2e74d038bec |
|
BLAKE2b-256 | 4e3792de08cb8751eb81f58cd4b4af0d8ab669e3bff15e261de0e6de6dabd045 |