-
Notifications
You must be signed in to change notification settings - Fork 980
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for uploading attestations in legacy API #15952
Conversation
af6432f
to
784f446
Compare
784f446
to
e0b9a33
Compare
9afeac1
to
7214138
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM overall, nice work @facutuesca!
Note for other reviewers: this PR intentionally discards the attestations after verifying them, both for an initial testing period and to keep the changeset small. We'll follow up with another PR to persist the attestations 🙂
45819f3
to
50a69a9
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks @facutuesca!
(Needs another dependency deconflict.)
b4ba06f
to
6d8a0ab
Compare
f01e393
to
9345a6f
Compare
58f9c34
to
dd1b1bc
Compare
dd1b1bc
to
dc943b5
Compare
Signed-off-by: William Woodruff <william@trailofbits.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some nitpicks that I'll address today!
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Description
Add support for uploading PEP 740 attestations along with distribution files. Part of #15871.
For now only GHA-signed attestations are supported, but the implementation allows easily adding other publishers by implementing the
OIDCPublisherMixin.publisher_verification_policy()
method in the corresponding subclass.Implementation
The core logic is in
legacy.py
: we check an upload request to see if it includes any attestations. If it does, we:pypi-attestations
.sigstore
with the above verification policy, against the uploaded distribution file.For now we only verify the attestations. Storing them will be implemented in a later PR.
The GHA verification policy (from step 3) is defined in
GitHubPublisherMixin.publisher_verification_policy()
, and it checks the certificate in the attestation against the following claims:https://github.com/org/repo/.github/workflows/workflow.yml@....
)See here for the definition of each claim.
cc @woodruffw @di