Draft: PEP 740 attestations for PyPI: add git source commit digest (closed: not required - the commit is already included) #12989


Closed

Conversation

jayaddison
Contributor

Feature or Bugfix

  • Feature

Purpose

  • In the PEP740 attestation for releases, include a Build Signer Digest reference to the commit that the release was built from (thank you @woodruffw for the pointer).

Detail

  • Use the GitHub Actions attest action to provide the digest, following a README example.

Relates

cc @AA-Turner - I think this would be a valuable addition to release artifact attestations. I've no specific use case for it, other than that I think it's helpful to be able to trace from source to built artifact and vice-versa.

@jayaddison jayaddison added the github_actions Pull requests that update GitHub Actions code label Oct 8, 2024
@woodruffw

Sorry, I might have caused some confusion here! What I meant was that the existing attestations already have the git SHA1 commit in their extensions, by virtue of the workflow identity. So you shouldn't need any workflow/action changes 🙂

I'm on mobile at the moment, but I'll try and pull up an example of this from your extant attestations to demonstrate what I mean.

@woodruffw

Here's an example, using the transparency log entry @AA-Turner shared earlier: https://search.sigstore.dev/?logIndex=137921341

In particular, the GitHub Workflow SHA and Build Signer Digest already contain the SHA1 ref for the commit that the workflow was run against.

@jayaddison
Contributor Author

Ahh, OK - that's even better, thanks again.

So my confusion was entirely down to the fact that the pypi_attestations inspect step didn't include the Build Signer Digest info in the output. That seems reasonable (and/or maybe a small feature request I should file).

@jayaddison jayaddison closed this Oct 8, 2024
@jayaddison jayaddison deleted the pr-12981-followup/attest-release-digest branch October 8, 2024 11:43
@woodruffw

That seems reasonable (and/or maybe a small feature request I should file).

Yeah, please file a request! We can certainly add that (although note that the inspect output is intended only for visual inspection, anything that actually wants to process that digest should use the sigstore-python policy APIs) 🙂
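The two points made above (the commit SHA already lives in the signing certificate's Fulcio extensions, and a consumer should check it through a policy rather than by reading `inspect` output) can be shown with a small stand-alone model. This is an added example, not code from this PR, from pypi_attestations or from sigstore-python: it uses only the Python standard library, the extension values are constructed to look like a GitHub-hosted build, and the `ExtensionEquals`/`AllOf` shape merely mirrors how sigstore-python's policy module combines per-extension checks. The OIDs are the ones Fulcio assigns to these claims; the repository URL and commit id are placeholders.

```python
"""Policy-style check of the git commit recorded in a Sigstore certificate.

Added example (stdlib only, not sigstore-python).  A real verifier would read
the extension map out of the certificate after Sigstore verification; here a
constructed map stands in for it.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fulcio X.509 extension OIDs (arc 1.3.6.1.4.1.57264.1) for the GitHub
# identity claims discussed in the thread.
OID_GITHUB_WORKFLOW_SHA = "1.3.6.1.4.1.57264.1.3"
OID_BUILD_SIGNER_URI = "1.3.6.1.4.1.57264.1.9"
OID_BUILD_SIGNER_DIGEST = "1.3.6.1.4.1.57264.1.10"
OID_SOURCE_REPOSITORY_URI = "1.3.6.1.4.1.57264.1.12"
OID_SOURCE_REPOSITORY_DIGEST = "1.3.6.1.4.1.57264.1.13"

GIT_SHA1 = re.compile(r"[0-9a-f]{40}")

# Constructed stand-in for the extension map (OID -> UTF-8 value) of a signing
# certificate; placeholder repository and commit, not a real attestation.
SAMPLE_COMMIT = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_REPO = "https://github.com/example-org/example-project"
SAMPLE_EXTENSIONS = {
    OID_GITHUB_WORKFLOW_SHA: SAMPLE_COMMIT,
    OID_BUILD_SIGNER_URI: f"{SAMPLE_REPO}/.github/workflows/release.yml@refs/tags/v1.0.0",
    OID_BUILD_SIGNER_DIGEST: SAMPLE_COMMIT,
    OID_SOURCE_REPOSITORY_URI: SAMPLE_REPO,
    OID_SOURCE_REPOSITORY_DIGEST: SAMPLE_COMMIT,
}


class PolicyError(Exception):
    """Raised when the certificate does not satisfy a policy."""


@dataclass(frozen=True)
class ExtensionEquals:
    """Require one extension to be present with exactly the expected value."""

    oid: str
    expected: str

    def verify(self, extensions: dict[str, str]) -> None:
        actual = extensions.get(self.oid)
        if actual is None:
            raise PolicyError(f"missing extension {self.oid}")
        if actual != self.expected:
            raise PolicyError(f"{self.oid}: expected {self.expected!r}, got {actual!r}")


@dataclass(frozen=True)
class AllOf:
    """Every child policy must pass; the first failure is reported."""

    children: tuple[ExtensionEquals, ...]

    def verify(self, extensions: dict[str, str]) -> None:
        for child in self.children:
            child.verify(extensions)


def source_commit_policy(repo_url: str, commit: str, workflow_in_same_repo: bool = True) -> AllOf:
    """Pin the certificate to one source repository and one git commit."""
    if not GIT_SHA1.fullmatch(commit):
        raise ValueError("expected a 40-hex-digit git SHA-1 commit id")
    checks = [
        ExtensionEquals(OID_SOURCE_REPOSITORY_URI, repo_url),
        ExtensionEquals(OID_SOURCE_REPOSITORY_DIGEST, commit),
        ExtensionEquals(OID_GITHUB_WORKFLOW_SHA, commit),
    ]
    # The Build Signer Digest is the commit of the repository holding the
    # workflow file.  It matches the source commit only when the workflow lives
    # in the same repository; a reusable workflow pulled from another
    # repository would carry that repository's commit instead.
    if workflow_in_same_repo:
        checks.append(ExtensionEquals(OID_BUILD_SIGNER_DIGEST, commit))
    return AllOf(tuple(checks))


def check_source_commit(
    extensions: dict[str, str], repo_url: str, commit: str, workflow_in_same_repo: bool = True
) -> str | None:
    """Return None when the policy passes, otherwise the failure reason."""
    try:
        source_commit_policy(repo_url, commit, workflow_in_same_repo).verify(extensions)
    except PolicyError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(check_source_commit(SAMPLE_EXTENSIONS, SAMPLE_REPO, SAMPLE_COMMIT))  # None
    print(check_source_commit(SAMPLE_EXTENSIONS, SAMPLE_REPO, "f" * 40))  # digest mismatch
```

The point of the structure is that the expected commit is an input to the policy, so a consumer asserts "this artifact was built from commit X of repository Y" and gets a pass or a specific failure, instead of parsing human-oriented `inspect` text. With sigstore-python the same checks are expressed with its ready-made per-extension policy classes combined under `AllOf`.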

@jayaddison jayaddison changed the title Draft: PEP 740 attestations for PyPI: add git source commit digest Draft: PEP 740 attestations for PyPI: add git source commit digest (closed: not required - the commit is already included) Oct 8, 2024
@jayaddison
Contributor Author

@woodruffw I think I've overcommitted on a bunch of threads/projects - so just a note that I'm going to let that task -- filing a feature request to log the commit/ref details during pypi_attestations inspect -- fall by the wayside.

Perhaps it should be a small thing to describe, but I'd want to make an effort to understand the details before writing the request; and at the moment I don't have the energy or focus for that. Perhaps I'll get to it another time, but it could be a while. Thanks for responding to my questions and usage concerns here.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 4, 2024