GeistHaus
log in · sign up

Attestations: A new generation of signatures on PyPI

blog.trailofbits.com

For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digital attestations, as specified in PEP 740. These attestations improve on traditional PGP signatures (which have been disabled on PyPI) by providing key usability, index verifiability, cryptographic strength, and provenance properties that bring […]

1 page links to this URL
Radar #4: Week of 11/18/2024
Low Orbit Security Graham Helton

PyPI now supports digital attestations PyPI, the repository searched by the pip command for packages, announced it now supports digital attestations – a method for cryptographically verifying a Python package to the repository it came from. This is generally a step in the right direction, but there have been discussions about

0 inbound links article en radar