218 points by miketheman | 1 comment

cpburns2009 No.42137278
Great, now how do you use attestations with Twine when publishing packages on PyPI outside of the Github ecosystem?
replies(2): >>42138625, >>42140707

guappa No.42140707
You don't. The whole point is that you can no longer sign anything. Microsoft signs for you.

And of course the signature means "this user can push to github" and nothing more.

replies(1): >>42142395

remram No.42142395
Hopefully the attestation is bound to a specific commit, so you can know the binaries came from the source?

Otherwise I don't get it.

replies(2): >>42144587, >>42147256

woodruffw No.42147256
Yes, it’s bound to a specific commit; we just don’t present that in the web UI yet. If you click on the transparency log entry, you’ll see the exact commit the attestation came from.