trailofbits / pypi-attestations

A library to convert between Sigstore Bundles and PEP 740 Attestation objects
https://trailofbits.github.io/pypi-attestations
Apache License 2.0

Small CLI driver #21

Closed woodruffw closed 3 months ago

woodruffw commented 3 months ago

As part of testing this package, it'd be nice to have a small CLI driver for our APIs.

In particular, something like:

$ # produces foo.whl.publish.attestation using the ambient OIDC credential
$ python -m pypi_attestation_models sign foo.whl

$ # dumps the attestation's inner statement + other metadata *without* verification
$ python -m pypi_attestation_models inspect foo.whl.publish.attestation

$ # verifies foo.whl against foo.whl.*.attestation, with `https://github.com/foo/bar` as the signing identity
$ python -m pypi_attestation_models verify foo.whl --identity https://github.com/foo/bar
OK: foo.whl.publish.attestation
OK: foo.whl.whatever.attestation

woodruffw commented 3 months ago

CC @DarkaMaul

woodruffw commented 3 months ago

(In particular, I think we should do this with python -m ... rather than a direct entry point, to keep this off the $PATH for now. So this should initiate via a __main__.py entrypoint, like sigstore-python: https://github.com/sigstore/sigstore-python/blob/main/sigstore/__main__.py)
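As an added example, not code from the pypi-attestations project or from the commenters, here is a driver in the `__main__.py` shape the last comment asks for, implementing the `inspect` subcommand sketched in the first comment and the attestation-discovery and subject-digest half of `verify` (`foo.whl` maps to every sibling `foo.whl.*.attestation`). It assumes the PEP 740 attestation object layout (`version`, `verification_material`, and an `envelope` whose `statement` is a base64-encoded in-toto statement); the sample wheel and attestations it writes are constructed in a temp directory. It does no signature, certificate or identity verification: a real `verify` must also check the Sigstore signature against the `--identity` given, which this example only accepts and ignores.

```python
# Added example, not pypi-attestations' own code. Assumes the PEP 740 attestation
# JSON layout and the <dist>.<kind>.attestation naming from the issue. Only the
# unsigned parts of the driver are shown: inspect, attestation discovery and a
# subject-digest check. Signature/identity verification is deliberately absent.
import argparse
import base64
import hashlib
import json
import sys
import tempfile
from pathlib import Path


def inspect_attestation(path: Path) -> dict:
    """Dump the inner in-toto statement plus metadata WITHOUT verifying anything."""
    obj = json.loads(path.read_text())
    statement = json.loads(base64.b64decode(obj["envelope"]["statement"]))
    return {
        "version": obj["version"],
        "predicate_type": statement["predicateType"],
        "subjects": statement["subject"],
        "transparency_entries": len(obj["verification_material"].get("transparency_entries", [])),
        "statement": statement,
    }


def find_attestations(dist: Path) -> list[Path]:
    """foo.whl -> every sibling foo.whl.*.attestation, in a stable order."""
    return sorted(dist.parent.glob(f"{dist.name}.*.attestation"))


def subject_matches(dist: Path, attestation: Path) -> bool:
    """True if an in-toto subject names this file and its sha256 matches the bytes on disk."""
    digest = hashlib.sha256(dist.read_bytes()).hexdigest()
    return any(
        s.get("name") == dist.name and s.get("digest", {}).get("sha256") == digest
        for s in inspect_attestation(attestation)["subjects"]
    )


def check_all(dist: Path) -> dict[str, bool]:
    """Digest-only check of every attestation found next to dist, keyed by file name."""
    return {p.name: subject_matches(dist, p) for p in find_attestations(dist)}


def build_sample(workdir: Path) -> Path:
    """Write a constructed fake wheel and two attestations (sample data, not real artifacts)."""
    dist = workdir / "foo.whl"
    dist.write_bytes(b"constructed sample bytes standing in for a wheel")
    good = hashlib.sha256(dist.read_bytes()).hexdigest()

    def attestation_json(predicate_type: str, sha256: str) -> str:
        statement = {
            "_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": "foo.whl", "digest": {"sha256": sha256}}],
            "predicateType": predicate_type,
            "predicate": None,
        }
        return json.dumps({
            "version": 1,
            "verification_material": {"certificate": "", "transparency_entries": []},
            "envelope": {
                "statement": base64.b64encode(json.dumps(statement).encode()).decode(),
                "signature": base64.b64encode(b"\x00" * 64).decode(),  # placeholder, never checked here
            },
        })

    (workdir / "foo.whl.publish.attestation").write_text(
        attestation_json("https://docs.pypi.org/attestations/publish/v1", good))
    # Second attestation whose subject digest does not match the wheel: must fail the check.
    (workdir / "foo.whl.whatever.attestation").write_text(
        attestation_json("https://example.invalid/attestations/whatever/v1", "00" * 32))
    return dist


def demo() -> tuple[dict, dict[str, bool]]:
    """Run inspect + check_all over the constructed sample in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        dist = build_sample(Path(d))
        info = inspect_attestation(dist.with_name("foo.whl.publish.attestation"))
        return info, check_all(dist)


def main(argv=None) -> int:
    parser = argparse.ArgumentParser(prog="python -m pypi_attestation_models")
    sub = parser.add_subparsers(dest="cmd", required=True)
    p_inspect = sub.add_parser("inspect")
    p_inspect.add_argument("attestation", type=Path)
    p_verify = sub.add_parser("verify")
    p_verify.add_argument("dist", type=Path)
    p_verify.add_argument("--identity", required=True)  # accepted but NOT checked in this example
    args = parser.parse_args(argv)
    if args.cmd == "inspect":
        print(json.dumps(inspect_attestation(args.attestation), indent=2))
        return 0
    results = check_all(args.dist)
    if not results:
        print(f"no attestations found for {args.dist}", file=sys.stderr)
        return 1
    for name, matched in results.items():
        print(f"{'OK' if matched else 'FAIL'}: {name}")
    return 0 if all(results.values()) else 1


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main())
    print(demo())
```

Run with no arguments to see the constructed sample pass for `foo.whl.publish.attestation` and fail for `foo.whl.whatever.attestation`; with arguments it behaves like the `inspect` and `verify` invocations in the issue. Keeping this in a `main(argv)` function rather than at module top level is what lets a `__main__.py` stay importable and off `$PATH` while still being exercised by tests.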