
Support attestations from Google Cloud publishers #18004


Closed
Tracked by #17001
di opened this issue Apr 22, 2025 · 2 comments · Fixed by #18013
Labels: feature request, requires triaging (maintainers need to do initial inspection of issue)

Comments

@di
Member

di commented Apr 22, 2025

Attestations are not currently supported with Google Cloud publishers.

Sub-issue of #17001.

Full end-to-end workflow:

$ cat setup.py
from setuptools import setup

setup(
    name="gcb-attestation-test",
    version="0.0.0",
)

$ python -m build --sdist
* Creating isolated environment: venv+pip...
* Installing packages in isolated environment:
  - setuptools >= 40.8.0
* Getting build dependencies for sdist...
running egg_info
creating src/gcb_attestation_test.egg-info
writing src/gcb_attestation_test.egg-info/PKG-INFO
writing dependency_links to src/gcb_attestation_test.egg-info/dependency_links.txt
writing top-level names to src/gcb_attestation_test.egg-info/top_level.txt
writing manifest file 'src/gcb_attestation_test.egg-info/SOURCES.txt'
reading manifest file 'src/gcb_attestation_test.egg-info/SOURCES.txt'
writing manifest file 'src/gcb_attestation_test.egg-info/SOURCES.txt'
* Building sdist...
running sdist
running egg_info
writing src/gcb_attestation_test.egg-info/PKG-INFO
writing dependency_links to src/gcb_attestation_test.egg-info/dependency_links.txt
writing top-level names to src/gcb_attestation_test.egg-info/top_level.txt
reading manifest file 'src/gcb_attestation_test.egg-info/SOURCES.txt'
writing manifest file 'src/gcb_attestation_test.egg-info/SOURCES.txt'
warning: sdist: standard file not found: should have one of README, README.rst, README.txt, README.md

running check
creating gcb_attestation_test-0.0.0
creating gcb_attestation_test-0.0.0/src
creating gcb_attestation_test-0.0.0/src/gcb_attestation_test.egg-info
copying files to gcb_attestation_test-0.0.0...
copying setup.py -> gcb_attestation_test-0.0.0
copying src/__init__.py -> gcb_attestation_test-0.0.0/src
copying src/gcb_attestation_test.egg-info/PKG-INFO -> gcb_attestation_test-0.0.0/src/gcb_attestation_test.egg-info
copying src/gcb_attestation_test.egg-info/SOURCES.txt -> gcb_attestation_test-0.0.0/src/gcb_attestation_test.egg-info
copying src/gcb_attestation_test.egg-info/dependency_links.txt -> gcb_attestation_test-0.0.0/src/gcb_attestation_test.egg-info
copying src/gcb_attestation_test.egg-info/top_level.txt -> gcb_attestation_test-0.0.0/src/gcb_attestation_test.egg-info
copying src/gcb_attestation_test.egg-info/SOURCES.txt -> gcb_attestation_test-0.0.0/src/gcb_attestation_test.egg-info
Writing gcb_attestation_test-0.0.0/setup.cfg
Creating tar archive
removing 'gcb_attestation_test-0.0.0' (and everything under it)
Successfully built gcb_attestation_test-0.0.0.tar.gz

$ python -m pypi_attestations sign dist/gcb_attestation_test-0.0.0.tar.gz

$ python -m pypi_attestations inspect dist/gcb_attestation_test-0.0.0.tar.gz.publish.attestation
Warning: The information displayed below are not verified, they are only displayed. Use the verify command to verify them.
File: dist/gcb_attestation_test-0.0.0.tar.gz.publish.attestation
Version: 1
Statement:
	Type: https://in-toto.io/Statement/v1
	Subject:
		gcb_attestation_test-0.0.0.tar.gz (digest: 461317362419124b6012e855423a9078d6de8aed3e74fa78cc74d669b23dc6cf)
	Predicate type: https://docs.pypi.org/attestations/publish/v1
	Predicate: None
Certificate:
	Subjects (suitable for `--identity`): ['[email protected]']
	Issuer: CN=sigstore-intermediate,O=sigstore.dev
	Validity: 2025-04-21 15:12:27+00:00
Transparency Log (1 entries):
	Log Index: 200170367

$ python -m pypi_attestations verify attestation --identity [email protected] dist/gcb_attestation_test-0.0.0.tar.gz
OK: dist/gcb_attestation_test-0.0.0.tar.gz.publish.attestation

$ twine upload --attestations dist/*
Uploading distributions to https://upload.pypi.org/legacy/
Uploading gcb_attestation_test-0.0.0.tar.gz
100% ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 7.9/7.9 kB • 00:00 • ?
WARNING  Error during upload. Retry with the --verbose option for more details.
ERROR    HTTPError: 400 Bad Request from https://upload.pypi.org/legacy/
         Invalid attestations supplied during upload: Attestations are not currently supported with Google publishers
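The `inspect` output above shows what a PyPI publish attestation binds: an in-toto statement whose single subject is the sdist filename plus its sha256 digest, a fixed predicate type, and a signing identity taken from the Sigstore certificate. The following is an added example, not code from this issue, from Warehouse or from the pypi-attestations project. It reproduces only the local, offline part of what `pypi_attestations verify` checks (artifact digest, subject name, predicate type, expected publisher identity) over the PEP 740 attestation layout (`version`, `verification_material`, `envelope.statement` as base64 JSON, `envelope.signature`). It does not verify the signature, certificate chain or transparency-log entry; those remain the job of `pypi_attestations verify`. The attestation object, the artifact bytes and the publisher identity string are constructed placeholders; the identity the issue shows is redacted on the page, so none is assumed here.

```python
"""Offline sanity check of a PyPI publish attestation's subject binding.

Added example, not part of the issue or of pypi-attestations. It decodes the
in-toto statement from a PEP 740 attestation object and checks that the artifact
on disk is the one the statement names, that the predicate type is the PyPI
publish predicate, and that the signing identity is the publisher we expect.
Signature, certificate and transparency-log verification are deliberately NOT
done here; run `pypi_attestations verify` for that.
"""
import base64
import hashlib
import hmac
import json

# Predicate and statement types shown by `pypi_attestations inspect` in the issue.
PYPI_PUBLISH_PREDICATE = "https://docs.pypi.org/attestations/publish/v1"
INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"


def sha256_hex(data: bytes) -> str:
    """Hex sha256 of an artifact, the form used in the in-toto subject digest."""
    return hashlib.sha256(data).hexdigest()


def decode_statement(attestation: dict) -> dict:
    """Extract the in-toto statement from a PEP 740 attestation object.

    PEP 740 layout: {"version": 1, "verification_material": {...},
    "envelope": {"statement": <base64 JSON>, "signature": <base64>}}.
    The envelope signature is not checked here.
    """
    if attestation.get("version") != 1:
        raise ValueError(f"unsupported attestation version {attestation.get('version')!r}")
    raw = base64.b64decode(attestation["envelope"]["statement"])
    return json.loads(raw)


def check_attestation(attestation: dict, filename: str, artifact: bytes,
                      expected_identity: str, actual_identity: str) -> list:
    """Return a list of problems found; an empty list means every local check passed.

    `actual_identity` is the certificate subject as printed by `inspect`
    (the caller supplies it; certificate parsing is out of scope here).
    """
    problems = []
    try:
        statement = decode_statement(attestation)
    except (ValueError, KeyError, json.JSONDecodeError) as exc:
        return [f"cannot decode statement: {exc}"]

    if statement.get("_type") != INTOTO_STATEMENT_V1:
        problems.append(f"unexpected statement type {statement.get('_type')!r}")
    if statement.get("predicateType") != PYPI_PUBLISH_PREDICATE:
        problems.append(f"unexpected predicate type {statement.get('predicateType')!r}")

    subjects = statement.get("subject", [])
    if len(subjects) != 1:
        problems.append(f"expected exactly one subject, found {len(subjects)}")
    else:
        subj = subjects[0]
        if subj.get("name") != filename:
            problems.append(f"subject name {subj.get('name')!r} does not match {filename!r}")
        want = str(subj.get("digest", {}).get("sha256", "")).lower()
        got = sha256_hex(artifact)
        # Constant-time compare is not security-critical for a public digest,
        # but it is the idiomatic way to compare hashes.
        if not hmac.compare_digest(want, got):
            problems.append(f"sha256 digest mismatch: statement {want!r}, artifact {got!r}")

    if actual_identity != expected_identity:
        problems.append(f"signing identity {actual_identity!r} is not the expected "
                        f"publisher {expected_identity!r}")
    return problems


def make_constructed_attestation(filename: str, artifact: bytes) -> dict:
    """Build a CONSTRUCTED attestation in PEP 740 layout for offline testing.

    It carries no real signature or certificate; those fields are placeholders,
    which is exactly why this object must never be treated as verified.
    """
    statement = {
        "_type": INTOTO_STATEMENT_V1,
        "subject": [{"name": filename, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PYPI_PUBLISH_PREDICATE,
        "predicate": None,
    }
    return {
        "version": 1,
        "verification_material": {"certificate": "PLACEHOLDER-CERT", "transparency_entries": []},
        "envelope": {
            "statement": base64.b64encode(json.dumps(statement).encode()).decode(),
            "signature": "PLACEHOLDER-SIGNATURE",
        },
    }


if __name__ == "__main__":
    # Constructed inputs: not the real sdist from the issue, and a placeholder identity.
    name = "gcb_attestation_test-0.0.0.tar.gz"
    good = b"constructed sdist bytes, not the real archive\n"
    ident = "placeholder-publisher@example.com"
    att = make_constructed_attestation(name, good)
    print("untampered:", check_attestation(att, name, good, ident, ident))
    print("tampered:  ", check_attestation(att, name, good + b"x", ident, ident))
```

The tampered run reports a digest mismatch, which is the property the attestation exists to give a downstream consumer: the statement commits to the exact bytes that were published, so a swapped or modified archive fails the binding even before any signature is examined.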
di added the feature request and requires triaging labels on Apr 22, 2025
@woodruffw
Member

Tracking: trailofbits/pypi-attestations#114 adds support for Google Cloud publishers in the underlying layer, so this should be unblocked within Warehouse itself 🙂

@di
Member Author

di commented Apr 23, 2025

Blocked on trailofbits/pypi-attestations#117.
