Introducing PyPI digital attestation support

Eve Martin-Jones, Google Open Source Security Team

Digital attestations can be critical for preventing, detecting and analyzing security incidents. During the recent Ultralytics supply-chain attack responders were able to audit malicious activity during and after the incident because the compromised PyPI Ultralytics project was using Trusted Publishing and digital attestations.

We are excited to announce that deps.dev now serves PyPI digital attestations (alongside our existing support for npm digital attestations). You can view digital attestations for PyPI packages on deps.dev - for example, deps.dev/pypi/sigstore.

A screenshot of the Attestations panel for the PyPI sigstore package at version 3.6.0 showing a PyPI Publish attestation
A screenshot of the Attestations panel for the PyPI sigstore package at version 3.6.0 showing a PyPI Publish attestation

PyPI recently announced support for maintainers to publish two types of signed digital attestations when publishing new package versions: PyPI Publish and SLSA Provenance attestations.

PyPI Publish attestations provide a minimal “implicit” digital attestation for packages via Trusted Publishing. Consumers can use the attestation to verify the integrity of a release published to PyPI, in particular:

  • That the release was uploaded via a Trusted Publisher
  • Which Trusted Publisher identity was used to publish the release (for example, a GitHub Actions workflow or a GitLab identity)

SLSA provenance is metadata about how a package was built and strongly links an open source package to the build system and source code used to create it. It is part of the SLSA framework for improving supply chain security. In a SLSA provenance attestation you can find:

  • The repository and commit at which the artifact was built
  • Details about the workflow used to create the artifact
  • How the artifact was built
  • The date the attestation was integrated into the Rekor transparency log

PyPI has taken a big step toward securing the open source supply chain and it’s great to see this work paying off during security incidents like Ultralytics. For more information about digital attestations in PyPI see PEP 740. For an overview of digital attestation adoption across the PyPI ecosystem see Trail of Bits’ Are we PEP 740 yet? dashboard.

If you have any questions, feedback or feature requests, you can reach us at depsdev@google.com, or by filing an issue on our GitHub repo.

All blog posts