Source URL: https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/
Source: Hacker News
Title: PyPI now supports digital attestations
Feedly Summary: Comments
AI Summary and Description: Yes
Summary: PyPI has introduced support for digital attestations, enhancing supply-chain security for Python package maintainers. This update finalizes support for PEP 740 and allows maintainers to publish signed attestations alongside their distribution files, giving users a verifiable link between a published package and the source repository and workflow that built it.
Detailed Description: The introduction of digital attestations in PyPI signifies a significant advancement in supply-chain security within the Python ecosystem. Here are the main points of interest from this development:
– **Digital Attestations**: Maintainers can now publish signed digital attestations alongside their packages. Over 20,000 attestations have already been published, demonstrating widespread adoption.
– **PEP 740**: This feature finalizes support for PEP 740, which replaces the earlier PGP signature scheme with identity-based signing built on Sigstore and OpenID Connect (OIDC).
– **Advantages over PGP Signatures**:
  – **Identity-Based Signing**: Attestations are bound to an OIDC identity (for example, a specific GitHub Actions workflow in a specific repository) rather than to a long-lived public/private key pair. There is no maintainer-held private key to lose, leak, or fail to rotate, which was the common failure point in PGP signing on PyPI.
  – **Verifiable Source Repository Links**: Attestations create a verifiable link between the published file and its upstream source repository. For GitHub Actions publishers this records the repository, the workflow, and the commit it ran on, so a consumer can trace a file back to the exact build.
  – **Mandatory Verification on Upload**: PyPI verifies attestations when they are uploaded and rejects any that do not verify, so every attestation it serves has already been checked against the file it covers and the publisher that signed it.
– **New Verification Mechanisms**:
  – **Integrity API**: This API gives programmatic access to the attestations associated with an individual file on PyPI, so that installers and auditing tools can fetch and verify them.
  – **Web UI**: A new file-details view in the PyPI web interface shows information about each file, including its attestations.
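The Integrity API returns a PEP 740 provenance object: a list of attestation bundles, each naming the publisher identity and carrying one or more attestation objects whose signed in-toto statement records the file name and SHA-256 digest. The following is an added example, not code from PyPI or the pypi-attestations project. It performs the structural checks a consumer can do offline: decoding the statement, confirming it binds the local file by digest and predicate type, and confirming the publisher is the repository you expect. It does not check the Sigstore signature or certificate; that step needs the sigstore library or the `pypi-attestations` CLI. The sample provenance object is constructed inline in the shape PEP 740 describes, with placeholder signature and certificate bytes; the project name, file name and repository are assumptions.

```python
import base64
import hashlib
import json

PUBLISH_PREDICATE = "https://docs.pypi.org/attestations/publish/v1"
INTOTO_STATEMENT = "https://in-toto.io/Statement/v1"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes a Sigstore signature covers.
    A full verifier checks the envelope signature over pae(DSSE_PAYLOAD_TYPE, statement)."""
    return b"DSSEv1 %d %s %d %s" % (
        len(payload_type), payload_type.encode(), len(payload), payload)


def build_statement(filename: str, file_bytes: bytes) -> dict:
    """In-toto v1 statement with the PyPI publish predicate, naming one distribution file."""
    return {
        "_type": INTOTO_STATEMENT,
        "subject": [{"name": filename,
                     "digest": {"sha256": hashlib.sha256(file_bytes).hexdigest()}}],
        "predicateType": PUBLISH_PREDICATE,
        "predicate": None,
    }


def build_sample_provenance(filename: str, file_bytes: bytes, repository: str,
                            workflow: str = "release.yml") -> dict:
    """Constructed sample shaped like GET /integrity/{project}/{version}/{filename}/provenance.
    Signature, certificate and transparency entries are placeholders (assumption: a real
    object carries a Sigstore signature, a DER certificate and Rekor entries here)."""
    statement = json.dumps(build_statement(filename, file_bytes), separators=(",", ":")).encode()
    attestation = {
        "version": 1,
        "verification_material": {
            "certificate": base64.b64encode(b"<DER certificate placeholder>").decode(),
            "transparency_entries": [],
        },
        "envelope": {
            "statement": base64.b64encode(statement).decode(),
            "signature": base64.b64encode(b"<signature placeholder>").decode(),
        },
    }
    return {
        "version": 1,
        "attestation_bundles": [{
            "publisher": {"kind": "GitHub", "repository": repository,
                          "workflow": workflow, "environment": "pypi"},
            "attestations": [attestation],
        }],
    }


def check_attestation(att: dict, filename: str, file_bytes: bytes) -> list[str]:
    """Structural checks on one attestation object; returns the problems found."""
    problems = []
    if att.get("version") != 1:
        problems.append(f"unexpected attestation version {att.get('version')!r}")
    envelope = att.get("envelope", {})
    if "signature" not in envelope or "certificate" not in att.get("verification_material", {}):
        problems.append("missing signature or signing certificate")
    try:  # binascii.Error and JSONDecodeError are both ValueError subclasses
        statement = json.loads(base64.b64decode(envelope["statement"], validate=True))
    except (KeyError, ValueError) as exc:
        problems.append(f"cannot decode envelope.statement: {exc}")
        return problems
    if statement.get("_type") != INTOTO_STATEMENT:
        problems.append(f"unexpected statement type {statement.get('_type')!r}")
    if statement.get("predicateType") != PUBLISH_PREDICATE:
        problems.append(f"unexpected predicateType {statement.get('predicateType')!r}")
    subject = next((s for s in statement.get("subject", []) if s.get("name") == filename), None)
    if subject is None:
        problems.append(f"statement does not name {filename}")
    else:
        expected = hashlib.sha256(file_bytes).hexdigest()
        actual = subject.get("digest", {}).get("sha256")
        if actual != expected:
            problems.append(f"sha256 mismatch: statement says {actual}, file is {expected}")
    return problems


def check_provenance(prov: dict, filename: str, file_bytes: bytes,
                     expected_repository: str) -> list[str]:
    """Every bundle must come from the expected GitHub repository and bind this file."""
    problems = []
    if prov.get("version") != 1:
        problems.append(f"unexpected provenance version {prov.get('version')!r}")
    bundles = prov.get("attestation_bundles", [])
    if not bundles:
        problems.append("no attestation bundles")
    for i, bundle in enumerate(bundles):
        pub = bundle.get("publisher", {})
        if pub.get("kind") != "GitHub" or pub.get("repository") != expected_repository:
            problems.append(f"bundle {i}: publisher {pub!r} is not GitHub/{expected_repository}")
        for j, att in enumerate(bundle.get("attestations", [])):
            problems += [f"bundle {i} attestation {j}: {p}"
                         for p in check_attestation(att, filename, file_bytes)]
    return problems


if __name__ == "__main__":
    # Constructed inputs: a fake sdist, an assumed file name and an assumed repository.
    sdist = b"fake sdist bytes for demonstration"
    name = "example_pkg-1.0.0.tar.gz"
    prov = build_sample_provenance(name, sdist, "example-org/example-pkg")
    print("untampered:", check_provenance(prov, name, sdist, "example-org/example-pkg"))
    print("tampered file:", check_provenance(prov, name, sdist + b"\x00", "example-org/example-pkg"))
    print("wrong repo:", check_provenance(prov, name, sdist, "attacker/example-pkg"))
```

The repository check is the one that matters most: an attestation proves that some identity published the file, and it is the consumer who must decide which identity is the legitimate upstream. Pin that expectation (for example in a lockfile or policy) rather than accepting whatever repository the bundle names.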
– **Automatic vs. Manual Attestation Generation**: Projects that publish from GitHub Actions with Trusted Publishing and the pypa/gh-action-pypi-publish action generate and upload attestations automatically, so most maintainers adopt the feature without changing how they sign anything. Generating attestations manually is also possible but is not recommended.
– **Acknowledgements**: This initiative received support from organizations like the Sovereign Tech Agency and the Google Open Source Security Team, highlighting a collaborative effort toward improving security within the ecosystem.
Overall, the addition of digital attestations to PyPI is a critical enhancement for security and compliance professionals working within software supply chains, fostering greater trust and accountability in package management processes.