(blog.pypi.org)

218 points miketheman | 5 comments | 14 Nov 24 14:25 UTC | HN request time: 0s | source

Show context

cpburns2009 ◴[14 Nov 24 15:40 UTC] No.42137278[source]▶

>>42136375 (OP) #

Great, now how do you use attestations with Twine when publishing packages on PyPI outside of the Github ecosystem?

replies(2): >>42138625 #>>42140707 #

guappa ◴[14 Nov 24 20:16 UTC] No.42140707[source]▶

>>42137278 #

You don't. The whole point is that you can no longer sign anything. Microsoft signs for you.

And of course the signature means "this user can push to github" and nothing more.

replies(1): >>42142395 #

1. remram ◴[14 Nov 24 23:27 UTC] No.42142395[source]▶

>>42140707 #

Hopefully the attestation is bound to a specific commit, so you can know the binaries came from the source?

Otherwise I don't get it.

replies(2): >>42144587 #>>42147256 #

2. guappa ◴[15 Nov 24 07:14 UTC] No.42144587[source]▶

>>42142395 (TP) #

It doesn't seem to be from what I can see. Only states that the upload came from a gh runner.

replies(1): >>42147267 #

3. woodruffw ◴[15 Nov 24 14:28 UTC] No.42147256[source]▶

>>42142395 (TP) #

Yes, it’s bound to a specific commit; we just don’t present that in the web UI yet. If you click on the transparency log entry, you’ll see the exact commit the attestation came from.

4. woodruffw ◴[15 Nov 24 14:30 UTC] No.42147267[source]▶

>>42144587 #

See adjacent comment above.

replies(1): >>42183201 #

5. guappa ◴[19 Nov 24 13:30 UTC] No.42183201{3}[source]▶

>>42147267 #

Ok that's at least something.

But my CI can download and run code from everywhere, so that doesn't mean that I can know what is being uploaded just looking at the git repository alone.

↑

PyPI now supports digital attestations