Skip to content

Add pypi-attestations verify pypi CLI subcommand #82

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Jan 10, 2025
Merged

Add pypi-attestations verify pypi CLI subcommand #82

merged 5 commits into from
Jan 10, 2025

Conversation

facutuesca
Copy link
Collaborator

@facutuesca facutuesca commented Jan 10, 2025
edited
Loading

The verify CLI subcommand is now split into two:

  • verify attestation, which behaves as the previous verify command (verifies an artifact and its corresponding PEP740 attestation)
  • verify pypi, which takes the URL of a distribution hosted on PyPI and a signing identity and verifies them.

Examples:

$ pypi-attestations verify pypi https://files.pythonhosted.org/packages/f0/d5/1341f23a51e45b7780ed6e0b1df3efc9ec4350a528b3f15ec83146edd6ab/abi3info-2025.1.9-py3-none-any.whl --repository https://gitlab.com/woodruffw/abi3info
Verification failed: provenance was signed by a github.com repository, but expected a gitlab.com repository

$ pypi-attestations verify pypi https://files.pythonhosted.org/packages/f0/d5/1341f23a51e45b7780ed6e0b1df3efc9ec4350a528b3f15ec83146edd6ab/abi3info-2025.1.9-py3-none-any.whl --repository https://github.com/evil/abi3info
Verification failed: provenance was signed by repository "woodruffw/abi3info", expected "evil/abi3info"

$ pypi-attestations verify pypi https://files.pythonhosted.org/packages/f0/d5/1341f23a51e45b7780ed6e0b1df3efc9ec4350a528b3f15ec83146edd6ab/abi3info-2025.1.9-py3-none-any.whl --repository https://github.com/woodruffw/abi3info
OK: abi3info-2025.1.9-py3-none-any.whl

See sigstore/sigstore-python#1271 for context

@facutuesca facutuesca force-pushed the ft/cli-verify-pypi branch 7 times, most recently from 5b901e5 to 7781d09 Compare January 10, 2025 17:00
@facutuesca
Check coverage of CLI implementation
e002a28 
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
@facutuesca
Add pypi-attestations CLI entrypoint
9aef7a3 
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
@facutuesca
Update ruff and remove deprecated lint rules
39d1133 
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
@facutuesca
Add CLI command to verify PyPI distributions
cb55411 
The `verify` CLI command is now split into two:
- `verify attestation`, which behaves as the previous `verify` command
- `verify pypi`, which takes the URL of a distribution hosted on PyPI
   and a signing identity and verifies them.

Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
@facutuesca
Add tests for missing coverage
f88b169 
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
@facutuesca facutuesca marked this pull request as ready for review January 10, 2025 17:07
@facutuesca facutuesca requested a review from woodruffw January 10, 2025 17:07
@facutuesca facutuesca mentioned this pull request Jan 10, 2025
Closed
@woodruffw
Copy link
Member

Nice, thanks @facutuesca! I'll do a review pass today.

@woodruffw
Copy link
Member

(As a follow-on, let's look at updating the PyPI docs as well to point users to these commands in an "internals" or "experts" section.)

woodruffw
woodruffw approved these changes Jan 10, 2025
View reviewed changes
Copy link
Member

@woodruffw woodruffw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @facutuesca!

@woodruffw woodruffw merged commit 322dde1 into main Jan 10, 2025
7 checks passed
@woodruffw woodruffw deleted the ft/cli-verify-pypi branch January 10, 2025 18:35
@woodruffw woodruffw mentioned this pull request Jan 10, 2025
Closed
@facutuesca facutuesca mentioned this pull request Jan 11, 2025
Merged
@facutuesca
Copy link
Collaborator Author

(As a follow-on, let's look at updating the PyPI docs as well to point users to these commands in an "internals" or "experts" section.)

done here: pypi/warehouse#17391

This was referenced Jan 13, 2025
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@woodruffw woodruffw woodruffw approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@facutuesca @woodruffw