A library for converting between Sigstore Bundles and PEP 740 Attestation objects
Project description
pypi-attestations
A library for generating and converting Sigstore Bundles and PEP 740 Attestation objects.
Installation
python -m pip install pypi-attestations
Using it as a command-line tool
python -m pypi_attestations --help
usage: pypi-attestation [-h] [-v] [-V] COMMAND ...
Sign, inspect or verify PEP 740 attestations
positional arguments:
COMMAND The operation to perform
sign Sign one or more inputs
verify Verify one or more inputs
inspect Inspect one or more inputs
options:
-h, --help show this help message and exit
-v, --verbose run with additional debug logging; supply multiple times to
increase verbosity (default: 0)
-V, --version show program's version number and exit
Signing packages
# Generate a whl file
make package
python -m pypi_attestations sign dist/pypi_attestations-*.whl
Note: this opens a browser window to authenticate through the Sigstore OAuth flow.
Inspecting a PEP 740 Attestation
python -m pypi_attestations inspect dist/pypi_attestations-*.whl.publish.attestation
WARNING: inspecting does not mean verifying. It only prints the structure of the attestation; the signature, certificate and transparency log entries are not checked.
Verifying a PEP 740 Attestation
python -m pypi_attestations verify --staging \
--identity william@yossarian.net \
test/assets/rfc8785-0.1.2-py3-none-any.whl
The attestation present in the test suite was generated with Sigstore's staging environment and signed by William (hence --staging and the william@yossarian.net identity above).
Using it as a library
See the full API documentation here.
Signing and verifying
Use these APIs to create PEP 740-compliant attestation objects by signing Python artifacts (for example an sdist or a wheel file), and to verify attestation objects against Python artifacts.
from pathlib import Path
from pypi_attestations import Attestation
from sigstore.oidc import Issuer
from sigstore.sign import SigningContext
from sigstore.verify import Verifier, policy

artifact_path = Path("test_package-0.0.1-py3-none-any.whl")

# Sign a Python artifact. Issuer.identity_token() runs the Sigstore OAuth flow
# (it opens a browser) and returns a short-lived OIDC identity token.
issuer = Issuer.production()
identity_token = issuer.identity_token()
signing_ctx = SigningContext.production()
with signing_ctx.signer(identity_token, cache=True) as signer:
    attestation = Attestation.sign(signer, artifact_path)

print(attestation.model_dump_json())

# Verify an attestation against a Python artifact. The policy pins the expected
# signing identity together with the OIDC issuer that vouched for it (for a
# Gmail identity that is https://accounts.google.com). The attestation is
# verified against the distribution file itself, not against the attestation file.
attestation_path = Path("test_package-0.0.1-py3-none-any.whl.attestation")
attestation = Attestation.model_validate_json(attestation_path.read_bytes())
verifier = Verifier.production()
identity_policy = policy.Identity(identity="example@gmail.com", issuer="https://accounts.google.com")
attestation.verify(verifier, identity_policy, artifact_path)
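To make concrete what the inspect command shows but does not prove, here is an added example (not code from the pypi-attestations project) written against the PEP 740 attestation object layout: a `version` field, `verification_material` with the base64 DER certificate and transparency entries, and an `envelope` whose `statement` is a base64 in-toto v1 statement and whose `signature` is a base64 DSSE signature. It decodes the statement, checks that its single subject names the local distribution and carries its SHA-256, and computes the DSSE pre-authentication encoding that the envelope signature actually covers. The wheel bytes, certificate and signature are constructed placeholders, and the publish predicate type URL is an assumption. Passing these checks is necessary but not sufficient: only `Attestation.verify` checks the signature against the Fulcio certificate and the identity policy.

```python
import base64
import hashlib
import json

IN_TOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
# Assumed predicate type for PyPI publish attestations (not taken from the page).
PUBLISH_PREDICATE_TYPE = "https://docs.pypi.org/attestations/publish/v1"


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes a DSSE signature covers.

    PAE(type, body) = "DSSEv1" SP len(type) SP type SP len(body) SP body
    """
    type_bytes = payload_type.encode()
    return b" ".join([b"DSSEv1", str(len(type_bytes)).encode(), type_bytes,
                      str(len(payload)).encode(), payload])


def decode_statement(attestation: dict) -> dict:
    """Decode the base64 in-toto statement carried by a PEP 740 attestation object."""
    if attestation.get("version") != 1:
        raise ValueError(f"unsupported attestation version: {attestation.get('version')!r}")
    statement = json.loads(base64.b64decode(attestation["envelope"]["statement"]))
    if statement.get("_type") != IN_TOTO_STATEMENT_TYPE:
        raise ValueError(f"unexpected statement type: {statement.get('_type')!r}")
    return statement


def subject_matches(attestation: dict, dist_name: str, dist_bytes: bytes) -> bool:
    """Structural check only: the statement's single subject must name this
    distribution and carry its SHA-256. A match says nothing about who signed
    the statement; the envelope signature still has to be verified against the
    certificate, which is what Attestation.verify does."""
    subjects = decode_statement(attestation).get("subject", [])
    if len(subjects) != 1:
        return False
    subject = subjects[0]
    expected = hashlib.sha256(dist_bytes).hexdigest()
    return subject.get("name") == dist_name and subject.get("digest", {}).get("sha256") == expected


def signed_bytes(attestation: dict) -> bytes:
    """The PAE over the raw statement bytes: what a verifier hands to the
    certificate's public key together with envelope.signature."""
    statement_bytes = base64.b64decode(attestation["envelope"]["statement"])
    return dsse_pae(IN_TOTO_PAYLOAD_TYPE, statement_bytes)


# Constructed sample data: a stand-in for a wheel, not a real PyPI artifact.
WHEEL_NAME = "test_package-0.0.1-py3-none-any.whl"
WHEEL_BYTES = b"PK\x03\x04 constructed wheel stand-in"


def make_attestation(dist_name: str, dist_bytes: bytes) -> dict:
    """Build a PEP 740-shaped attestation object with placeholder certificate and
    signature bytes, enough to exercise the structural checks above."""
    statement = {
        "_type": IN_TOTO_STATEMENT_TYPE,
        "subject": [{"name": dist_name, "digest": {"sha256": hashlib.sha256(dist_bytes).hexdigest()}}],
        "predicateType": PUBLISH_PREDICATE_TYPE,
        "predicate": None,
    }
    statement_bytes = json.dumps(statement, separators=(",", ":")).encode()
    return {
        "version": 1,
        "verification_material": {
            "certificate": base64.b64encode(b"DER-placeholder").decode(),
            "transparency_entries": [],
        },
        "envelope": {
            "statement": base64.b64encode(statement_bytes).decode(),
            "signature": base64.b64encode(b"signature-placeholder").decode(),
        },
    }


if __name__ == "__main__":
    att = make_attestation(WHEEL_NAME, WHEEL_BYTES)
    print("subject matches local wheel:", subject_matches(att, WHEEL_NAME, WHEEL_BYTES))
    print("subject matches tampered wheel:", subject_matches(att, WHEEL_NAME, WHEEL_BYTES + b"x"))
    print("bytes covered by the signature:", signed_bytes(att)[:40], "...")
```

The tampered-wheel case is the one to remember: a statement can be perfectly well formed and still describe a different file, and a well-formed statement with a matching digest can still carry a signature from the wrong identity. Structural inspection answers neither question; the identity policy passed to `Attestation.verify` answers the second.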
Low-level model conversions
These conversions assume that any Sigstore Bundle given as input was created by signing a distribution file (that is, it wraps a DSSE envelope over an in-toto statement whose subject is the distribution), not an arbitrary message signature.
from pathlib import Path
from pypi_attestations import Attestation
from sigstore.models import Bundle

# Sigstore Bundle -> PEP 740 Attestation object
bundle_path = Path("test_package-0.0.1-py3-none-any.whl.sigstore")
with bundle_path.open("rb") as f:
    sigstore_bundle = Bundle.from_json(f.read())

attestation_object = Attestation.from_bundle(sigstore_bundle)
print(attestation_object.model_dump_json())

# PEP 740 Attestation object -> Sigstore Bundle
attestation_path = Path("attestation.json")
with attestation_path.open("rb") as f:
    attestation = Attestation.model_validate_json(f.read())

bundle = attestation.to_bundle()
print(bundle.to_json())
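The library hides the field mapping behind `from_bundle` and `to_bundle`. As an added example (a simplified re-implementation for illustration, not the project's own code) the converter below performs the same mapping on the bundle's protobuf-JSON form and makes the assumption stated above explicit as checks: the bundle must carry a single leaf certificate rather than a chain or key hint, a DSSE envelope with the in-toto payload type, exactly one signature, and a statement about exactly one file identified by SHA-256. The sample bundle, its certificate and signature bytes, the transparency entry and the publish predicate type are all constructed placeholders, and the v0.3 bundle media type is assumed.

```python
import base64
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
# Assumed media type written for v0.3 Sigstore bundles.
BUNDLE_MEDIA_TYPE = "application/vnd.dev.sigstore.bundle.v0.3+json"


class ConversionError(ValueError):
    """The bundle does not have the shape a PEP 740 attestation requires."""


def bundle_to_attestation(bundle: dict) -> dict:
    """Map a Sigstore bundle (protobuf-JSON form) onto a PEP 740 attestation object.

    Illustrative only; the project's Attestation.from_bundle is the supported path.
    """
    material = bundle.get("verificationMaterial", {})
    cert = material.get("certificate", {}).get("rawBytes")
    if cert is None:
        raise ConversionError("bundle must carry a single leaf certificate, not a chain or key hint")
    envelope = bundle.get("dsseEnvelope")
    if envelope is None:
        raise ConversionError("bundle must contain a DSSE envelope, not a message signature")
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ConversionError(f"unexpected payloadType: {envelope.get('payloadType')!r}")
    signatures = envelope.get("signatures", [])
    if len(signatures) != 1:
        raise ConversionError(f"expected exactly one signature, got {len(signatures)}")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    subjects = statement.get("subject", [])
    if len(subjects) != 1 or "sha256" not in subjects[0].get("digest", {}):
        raise ConversionError("statement must describe exactly one file by its sha256 digest")
    return {
        "version": 1,
        "verification_material": {
            "certificate": cert,
            "transparency_entries": list(material.get("tlogEntries", [])),
        },
        "envelope": {"statement": envelope["payload"], "signature": signatures[0]["sig"]},
    }


def attestation_to_bundle(attestation: dict) -> dict:
    """Inverse mapping back to the bundle JSON layout."""
    material = attestation["verification_material"]
    return {
        "mediaType": BUNDLE_MEDIA_TYPE,
        "verificationMaterial": {
            "certificate": {"rawBytes": material["certificate"]},
            "tlogEntries": list(material["transparency_entries"]),
        },
        "dsseEnvelope": {
            "payload": attestation["envelope"]["statement"],
            "payloadType": IN_TOTO_PAYLOAD_TYPE,
            "signatures": [{"sig": attestation["envelope"]["signature"]}],
        },
    }


def is_convertible(bundle: dict) -> bool:
    """True when the bundle satisfies every structural assumption above."""
    try:
        bundle_to_attestation(bundle)
    except ConversionError:
        return False
    return True


def make_bundle(n_signatures: int = 1, chain: bool = False) -> dict:
    """Constructed sample bundle with placeholder certificate and signature bytes
    (not real Sigstore output); the knobs produce shapes the converter must reject."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "test_package-0.0.1-py3-none-any.whl", "digest": {"sha256": "00" * 32}}],
        "predicateType": "https://docs.pypi.org/attestations/publish/v1",  # assumed
        "predicate": None,
    }
    cert = base64.b64encode(b"DER-placeholder").decode()
    material = {"tlogEntries": [{"logIndex": "1"}]}
    if chain:
        material["x509CertificateChain"] = {"certificates": [{"rawBytes": cert}]}
    else:
        material["certificate"] = {"rawBytes": cert}
    return {
        "mediaType": BUNDLE_MEDIA_TYPE,
        "verificationMaterial": material,
        "dsseEnvelope": {
            "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
            "payloadType": IN_TOTO_PAYLOAD_TYPE,
            "signatures": [{"sig": base64.b64encode(b"sig-placeholder").decode()}] * n_signatures,
        },
    }


SAMPLE_BUNDLE = make_bundle()

if __name__ == "__main__":
    print(json.dumps(bundle_to_attestation(SAMPLE_BUNDLE), indent=2))
    print("two signatures convertible:", is_convertible(make_bundle(n_signatures=2)))
    print("certificate chain convertible:", is_convertible(make_bundle(chain=True)))
```

Note that the conversion is lossless only in the direction the assumption allows: a bundle carrying a certificate chain or several signatures has no PEP 740 representation, so rejecting it up front is better than silently dropping material a verifier would later need.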
Hashes for pypi_attestations-0.0.12.tar.gz
Algorithm | Hash digest
---|---
SHA256 | b1b2d5e700def138a214869f65835ff20e5f2e524acca841d5280ea89c2d2c46
MD5 | 0b13a7882cf4c68a0278d89b1f259169
BLAKE2b-256 | 0c39e621595f710b912e5cf03a48a249a9dae20543b600708d0d915b11ba2ba6
Hashes for pypi_attestations-0.0.12-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | d4a901121993ff8693ef9fd99e83f506ce79b5f799c36fcf8ddcdb38f4f8960b
MD5 | 4f90682bb4b919616ece9bc4022f0a49
BLAKE2b-256 | f1acc7bc80713dee99f8d858598126c31b8cf7a5b432ac019ac07a488b59aa77