ch0k1
npub1k3q…9t9m
2024-11-15 02:21:13

Attestations: A new generation of signatures on PyPI
https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/

For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digital attestations, as specified in PEP 740.

These attestations improve on traditional PGP signatures (which have been disabled on PyPI) by providing key usability, index verifiability, cryptographic strength, and provenance properties that bring us one step closer to holistic, cryptographically verifiable provenance for our software supply chains.

originally posted at https://stacker.news/items/768413
Author Public Key
npub1k3qrkfq45qsvyp53hvvv2xk6tt9kfdca9asfvm9nc796dq65948q9q9t9m