Open webknjaz opened 7 months ago
@woodruffw does a PoC of the attestation verification exist anywhere?
Yes! We have a PoC using the pip plugin architecture that we're currently workshopping in https://github.com/pypa/pip/pull/12985. The PoC is currently in its own private repo, but I'll make it public tomorrow (there's nothing private about it, we were just keeping it unlisted while we experiment with it).
Separate from that, the pypi_attestations docs have some examples of verifying attestations, but those still need to be fleshed out some more with a full example of pulling down a provenance response, extracting the attestations, and verifying them.
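The "pull down a provenance response, extract the attestations" part of the flow mentioned above, as an added example that is not code from pip, pip-tools, or pypi-attestations. It assumes the PEP 740 provenance layout (a top-level `version` and a list of `attestation_bundles`, each with a `publisher` and its `attestations`) and the PyPI integrity endpoint path `https://pypi.org/integrity/<project>/<version>/<filename>/provenance`; the sample document, the `ExpectedPublisher` policy type and the `extract_attestations` helper are constructed for illustration. It selects only attestations whose bundle claims the Trusted Publisher the consumer expects and checks that each carries the material a verifier needs; the cryptographic verification itself is left to a library such as pypi-attestations and is deliberately not performed here.

```python
"""Select PEP 740 attestations for an expected Trusted Publisher.

Added example (not project code). The provenance layout follows PEP 740 as
understood by the example's author; the sample below is constructed and its
certificate, statement and signature fields are placeholders.
"""
import json
from dataclasses import dataclass

# Constructed sample of the JSON a client would GET from the assumed endpoint
# https://pypi.org/integrity/<project>/<version>/<filename>/provenance
SAMPLE_PROVENANCE = json.dumps({
    "version": 1,
    "attestation_bundles": [
        {
            "publisher": {
                "kind": "GitHub",
                "repository": "example-org/example-project",
                "workflow": "release.yml",
                "environment": "pypi",
            },
            "attestations": [
                {
                    "version": 1,
                    "verification_material": {
                        "certificate": "<base64 signing certificate placeholder>",
                        "transparency_entries": [{"logIndex": "0"}],
                    },
                    "envelope": {
                        "statement": "<base64 in-toto statement placeholder>",
                        "signature": "<base64 signature placeholder>",
                    },
                }
            ],
        }
    ],
})


@dataclass(frozen=True)
class ExpectedPublisher:
    """The GitHub Trusted Publisher a consumer is willing to accept."""
    repository: str  # "owner/name"
    workflow: str    # workflow filename, e.g. "release.yml"


class ProvenanceError(ValueError):
    """Raised when the provenance document cannot be used for verification."""


def _publisher_matches(publisher: dict, expected: ExpectedPublisher) -> bool:
    # Exact match on purpose: a looser comparison widens who can satisfy the policy.
    return (
        publisher.get("kind") == "GitHub"
        and publisher.get("repository") == expected.repository
        and publisher.get("workflow") == expected.workflow
    )


def extract_attestations(provenance_json: str, expected: ExpectedPublisher) -> list:
    """Return the attestations from bundles claiming the expected publisher.

    The publisher block in the JSON is only a claim; the binding that matters is
    the identity in each attestation's signing certificate, which a verifier
    (e.g. pypi-attestations) checks against the same expected publisher.
    """
    doc = json.loads(provenance_json)
    if doc.get("version") != 1:
        raise ProvenanceError(f"unsupported provenance version: {doc.get('version')!r}")
    bundles = doc.get("attestation_bundles")
    if not isinstance(bundles, list) or not bundles:
        raise ProvenanceError("provenance carries no attestation bundles")

    selected = []
    for bundle in bundles:
        if not _publisher_matches(bundle.get("publisher") or {}, expected):
            continue  # some other publisher's bundle: ignored, never trusted
        for att in bundle.get("attestations") or []:
            if att.get("version") != 1:
                raise ProvenanceError(f"unsupported attestation version: {att.get('version')!r}")
            envelope = att.get("envelope") or {}
            material = att.get("verification_material") or {}
            if not (envelope.get("statement") and envelope.get("signature")
                    and material.get("certificate")):
                raise ProvenanceError("attestation lacks envelope or verification material")
            selected.append(att)

    if not selected:
        raise ProvenanceError(f"no attestation bundle from expected publisher {expected}")
    return selected


if __name__ == "__main__":
    policy = ExpectedPublisher("example-org/example-project", "release.yml")
    found = extract_attestations(SAMPLE_PROVENANCE, policy)
    print(f"{len(found)} attestation(s) to hand to the verifier for {policy}")
```

Failing closed is the point of the helper: a document with a different version, an unexpected workflow name, or an attestation missing its certificate or signature raises rather than yielding an empty list the caller might mistake for "nothing to verify". The returned attestations are then verified, with the distribution's filename and digest and the same expected publisher identity, by the attestation library.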
The upstream is moving forward now — https://github.com/pypi/warehouse/issues/15871 — so should pip-tools. I don't yet know what it'll look like here, but we need to watch for the opportunities to integrate preliminary support for such security-related features.