Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PEP 740: initial attestation docs #16063

Closed
wants to merge 27 commits into from
Closed
Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
27 commits
Select commit Hold shift + click to select a range
9390173
initial attestations user docs
woodruffw Jun 6, 2024
01ee51a
more background, use preview
woodruffw Jun 6, 2024
e4cd67f
docs: more improvements
woodruffw Jun 10, 2024
a53df03
docs: attestation internals
woodruffw Jun 12, 2024
8a69bed
Merge branch 'main' into ww/attestations-docs
woodruffw Jun 12, 2024
18f7f25
Update docs/user/attestations/internals.md
woodruffw Jun 14, 2024
18adc03
publish/v1: clarify the signing target
woodruffw Jun 14, 2024
67e308c
Merge branch 'main' into ww/attestations-docs
woodruffw Jun 14, 2024
6220f33
Apply suggestions from code review
woodruffw Jun 14, 2024
3d82765
Merge branch 'main' into ww/attestations-docs
woodruffw Jun 17, 2024
647307b
v1: be explicit about payload
woodruffw Jun 20, 2024
9cb9d43
Merge branch 'main' into ww/attestations-docs
woodruffw Jun 21, 2024
0c38630
attestations: avoid "index attestations"
woodruffw Jun 21, 2024
8c8ac18
attestations/internals: remove another confusing phrase
woodruffw Jun 21, 2024
8bd8d10
Merge branch 'main' into ww/attestations-docs
woodruffw Jun 24, 2024
d243656
Merge branch 'main' into ww/attestations-docs
woodruffw Jul 2, 2024
5e3da1b
Merge branch 'main' into ww/attestations-docs
woodruffw Jul 12, 2024
56a8f29
Apply suggestions from code review
woodruffw Jul 12, 2024
2f26c08
docs: move internals doc to dev-docs
woodruffw Jul 12, 2024
42ad14b
dev: fix backticks
woodruffw Jul 12, 2024
23fdb5f
lintage, add note about trust
woodruffw Jul 13, 2024
012b2c6
Merge branch 'main' into ww/attestations-docs
woodruffw Jul 13, 2024
96e0d01
docs/dev: add callout for user docs
woodruffw Jul 13, 2024
52b004c
Update attestation-internals.rst
woodruffw Jul 17, 2024
a0bdd34
Update attestation-internals.rst
woodruffw Jul 18, 2024
1fbb3e0
Merge branch 'main' into ww/attestations-docs
woodruffw Jul 18, 2024
9de4a8d
Merge branch 'main' into ww/attestations-docs
woodruffw Jul 18, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion docs/mkdocs-user-docs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,8 @@ markdown_extensions:
- pymdownx.superfences
- pymdownx.tabbed:
alternate_style: true
slugify: !!python/object/apply:pymdownx.slugs.slugify {kwds: {case: lower}}
slugify:
!!python/object/apply:pymdownx.slugs.slugify { kwds: { case: lower } }
- tables
theme:
name: material
Expand Down Expand Up @@ -66,3 +67,7 @@ nav:
- "trusted-publishers/security-model.md"
- "trusted-publishers/troubleshooting.md"
- "trusted-publishers/internals.md"
- "Digital Attestations":
- "attestations/index.md"
- "attestations/publish/v1.md"
- "attestations/internals.md"
47 changes: 47 additions & 0 deletions docs/user/attestations/index.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
---
title: Introduction
---

<!--[[ preview('index-attestations') ]]-->

These pages document PyPI's implementation of index attestations ([PEP 740]),
including in-toto attestation predicates specific to PyPI itself.

## Quick background

*Index attestations* enable package maintainers as well as third parties (such
as the index itself, external auditors, etc.) to *cryptographically sign*
for uploaded packages.

These signatures bind each release distribution (such as an individual sdist or
wheel) to a strong cryptographic digest of its contents, allowing both PyPI
and downstream users to verify that a particular package was attested to by
a particular identity (such as a GitHub Actions workflow).

These attestations can take multiple forms, including [publish attestations]
for publicly verifiable proof that a package was published via a specific
[Trusted Publisher], or more general [SLSA Provenance] attesting to a package's
original source location.

## Supported attestations

PyPI uses the [in-toto Attestation Framework] for the attestations it accepts.

Currently, PyPI allows the following attestation predicates:

* [SLSA Provenance]
* [PyPI Publish]

[in-toto Attestation Framework]: https://github.com/in-toto/attestation/blob/main/spec/README.md

[PEP 740]: https://peps.python.org/pep-0740/

[PyPI Publish]: /attestations/publish/v1/

[publish attestations]: /attestations/publish/v1/

[Trusted Publisher]: /trusted-publishers/

[SLSA Provenance]: https://slsa.dev/spec/v1.0/provenance


Loading
Loading