All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- The CLI entrypoint is now `pypi-attestations` (#82)
- The CLI `verify` subcommand has been changed to `verify attestation`, as in `pypi-attestations verify attestation --identity ...` (#82)
- The CLI has a new subcommand `verify pypi`, which takes a URL to a PyPI distribution (either a wheel or a source distribution) and a GitHub/GitLab repository. The command verifies the distribution by downloading it and its provenance from PyPI, verifying them using `sigstore` and checking that the repository matches the one in the PyPI provenance file. (#82)
- Explicitly support sigstore-python 3.6 (#79)
This is a corrective release for 0.0.18.
- The `Attestation` type now has a `certificate_claims` property to expose underlying Fulcio signing certificate extensions (#70)
- The `GitLabPublisher` policy now takes the workflow file path in order to verify attestations, rather than assuming it will always be `gitlab-ci.yml` (#71).
- The `GitLabPublisher` no longer expects claims to be passed during construction; instead, the `ref` and `sha` claims are extracted from the certificate's extensions, similar to `GitHubPublisher`'s behavior (#71).
- Publisher classes (`GitLabPublisher` and `GitHubPublisher`) no longer take a claims dictionary during construction (#72).
- `Attestation.statement` has been added as a convenience API for accessing the attestation's enveloped statement as a dictionary
This is a corrective release for 0.0.14.
- The `Distribution` API now handles ZIP source distributions (those ending with `.zip`) instead of rejecting them as invalid (#68)
- The minimum Python version required has been brought back to `3.9` (#64).
- The `Attestation.verify(...)` API has been changed to remove the `Verifier` argument in favor of an optional `staging: bool` kwarg to select the Sigstore instance (#62)
- The `Attestation.verify(...)` API has been changed to accept both `Publisher` and `VerificationPolicy` objects as a policy. The publisher object is internally converted to an appropriate verification policy.
- `python -m pypi_attestations verify` now handles inputs like `dist/*` gracefully, by pre-filtering any attestation paths from the inputs.
- `python -m pypi_attestations verify` now exits with a non-zero exit code if the verification step fails (#57)
- Base64-encoded bytes inside `Attestation` objects contained newline characters every 76 characters due to a bug in Pydantic's `Base64Bytes` type. Those newlines were also (incorrectly) ignored by Pydantic during decoding (#48).
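The following is an added illustration of the newline issue described in that entry; it is not code from this project. It reproduces the 76-column wrapping with the standard library's `base64.encodebytes`, shows that the default decoder silently accepts the wrapped form, and contrasts it with a strict decoder that rejects any whitespace or non-canonical encoding, which is what a verifier consuming attestation fields should do. The sample bytes are constructed.

```python
import base64
import binascii

# Constructed stand-in for a signature/payload field: long enough (512 bytes,
# 684 base64 characters) that a line-wrapping encoder will insert newlines.
SAMPLE_SIGNATURE = bytes(range(256)) * 2


def lenient_b64(data: bytes) -> str:
    """MIME-style encoding: inserts '\\n' after every 76 output characters."""
    return base64.encodebytes(data).decode("ascii")


def canonical_b64(data: bytes) -> str:
    """Standard single-line base64 with no embedded whitespace."""
    return base64.b64encode(data).decode("ascii")


def lenient_decode_accepts(text: str) -> bool:
    """True if the default (non-validating) decoder accepts the input at all.

    base64.b64decode without validate=True discards characters outside the
    alphabet, so wrapped input decodes 'successfully' and the defect is masked.
    """
    try:
        base64.b64decode(text)
        return True
    except binascii.Error:
        return False


def strict_b64decode(text: str) -> bytes:
    """Decode a base64 field, rejecting whitespace and non-canonical forms.

    1. Any whitespace (including the 76-column newlines) is an error.
    2. validate=True rejects characters outside the base64 alphabet.
    3. Re-encoding must reproduce the input exactly; this catches
       non-canonical padding bits and missing/extra '=' padding.
    """
    if any(ch.isspace() for ch in text):
        raise ValueError("base64 field contains whitespace or newlines")
    try:
        raw = base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"invalid base64: {exc}") from None
    if base64.b64encode(raw).decode("ascii") != text:
        raise ValueError("base64 field is not in canonical form")
    return raw
```

A field produced by the wrapping encoder passes `lenient_decode_accepts` but is refused by `strict_b64decode`, which is the distinction the fix above restores.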
- The minimum version of sigstore-python is now `3.2.0`, owing to private API changes (#45)
- The minimum Python version required has been bumped to `3.11` (#37)
- The `Provenance`, `Publisher`, `GitHubPublisher`, `GitLabPublisher`, and `AttestationBundle` types have been added (#36).
- The `Distribution` type and APIs have been added, allowing a user to supply a pre-computed digest instead of performing I/O (#34)
- `sign` and `verify` no longer perform I/O (#34)
- `verify`: catch another leaky error case (#32)
- `AttestationType` is now re-exported at the top-level as a public API (#31)
- `AttestationType` has been added, as an enumeration of all currently known attestation types (by URL) (#29)
- `Attestation.verify` now checks the attestation's type against `AttestationType` before returning it (#29)
- `Attestation.sign` now only returns `AttestationError` when failing to sign a distribution file (#28)
- The `python -m pypi_attestations` CLI has been added. This CLI is primarily intended for local development, and not for external use. Its flags and commands are not subject to stabilization unless explicitly documented in a future release (#22)
- The name of this project is now `pypi-attestations`, renamed from `pypi-attestation-models` (#25)
- The model conversion functions have been moved into the `Attestation` class (#24)
0.0.5 - 2024-06-20
- `Attestation.verify` now returns the inner statement's predicate components (#20)
0.0.4 - 2024-06-11
- Switch to in-toto statements (#18)
0.0.3 - 2024-06-10
- No functional changes.
0.0.2 - 2024-05-16
- Update `sigstore` to 3.0.0
0.0.1 - 2024-05-15
- Initial implementation