Skip to main content

A library to convert between Sigstore Bundles and PEP-740 Attestation objects

Project description

PyPI Attestation Models

CI PyPI version Packaging status

A library to convert between Sigstore Bundles and PEP 740 Attestation objects

Installation

python -m pip install pypi-attestation-models

Usage

See the full API documentation here.

Signing and verification

Use these APIs to create a PEP 740-compliant Attestation object by signing a Python artifact (i.e: sdist or wheel files), and to verify an Attestation object against a Python artifact.

from pathlib import Path

from pypi_attestation_models import Attestation, AttestationPayload
from sigstore.oidc import Issuer
from sigstore.sign import SigningContext
from sigstore.verify import Verifier, policy

artifact_path = Path("test_package-0.0.1-py3-none-any.whl")

# Sign a Python artifact
issuer = Issuer.production()
identity_token = issuer.identity_token()
signing_ctx = SigningContext.production()
with signing_ctx.signer(identity_token, cache=True) as signer:
    attestation = AttestationPayload.from_dist(artifact_path).sign(signer)

print(attestation.model_dump_json())

# Verify an attestation against a Python artifact
attestation_path = Path("test_package-0.0.1-py3-none-any.whl.attestation")
attestation = Attestation.model_validate_json(attestation_path.read_bytes())
verifier = Verifier.production()
policy = policy.Identity(identity="example@gmail.com", issuer="https://accounts.google.com")
attestation.verify(verifier, policy, attestation_path)

Low-level model conversions

These conversions assume that any Sigstore Bundle used as an input was created by signing an AttestationPayload object.

from pathlib import Path
from pypi_attestation_models import pypi_to_sigstore, sigstore_to_pypi, Attestation
from sigstore.models import Bundle

# Sigstore Bundle -> PEP 740 Attestation object
bundle_path = Path("test_package-0.0.1-py3-none-any.whl.sigstore")
with bundle_path.open("rb") as f:
    sigstore_bundle = Bundle.from_json(f.read())
attestation_object = sigstore_to_pypi(sigstore_bundle)
print(attestation_object.model_dump_json())


# PEP 740 Attestation object -> Sigstore Bundle
attestation_path = Path("attestation.json")
with attestation_path.open("rb") as f:
    attestation = Attestation.model_validate_json(f.read())
bundle = pypi_to_sigstore(attestation)
print(bundle.to_json())

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pypi_attestation_models-0.0.5.tar.gz (9.7 kB view details)

Uploaded Source

Built Distribution

pypi_attestation_models-0.0.5-py3-none-any.whl (10.0 kB view details)

Uploaded Python 3

File details

Details for the file pypi_attestation_models-0.0.5.tar.gz.

File metadata

File hashes

Hashes for pypi_attestation_models-0.0.5.tar.gz
Algorithm Hash digest
SHA256 cceb48aec1c9d93d880d2a6c8c9581bedb503b66203e37081e1ba2e863b6bac9
MD5 2cb2f386cfa00c84962715dff3be245c
BLAKE2b-256 f047c5c791a553e6b07d8bdebaec8239921aa4f70134ddc804ac0aa95a575f56

See more details on using hashes here.

File details

Details for the file pypi_attestation_models-0.0.5-py3-none-any.whl.

File metadata

File hashes

Hashes for pypi_attestation_models-0.0.5-py3-none-any.whl
Algorithm Hash digest
SHA256 d105bc4cf167d4d1db180177bc464bcc4cea8437cdc583c6598424b712c8b068
MD5 9b8e71696f4b954f5cc7e4583b5ab4eb
BLAKE2b-256 0e06accdc6d290d52eaa398dd7c6d1d8dced62075550325b1145c76502e0f442

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page