Add release atteststions #343

orf · 2024-10-08T02:09:06Z

Hello!

First, thanks for this fantastic project - it’s a great help to the community and ecosystem at large.

I would like to suggest adding artifact attestations to the releases.

This would enable supply chain verification for these builds, and provide a layer of validation above just verifying the signature.

it’s pretty simple to add: just a single step, with no configuration or changes required in the binary itself.

what do you think?

zanieb · 2024-10-08T04:25:06Z

Yeah these seem reasonable, were you interested in contributing this?

orf · 2024-10-08T04:40:01Z

Absolutely! I’m currently travelling and away from my laptop so it will have to be next week, but I can take a look at it when I’m back.

chludwig-haufe · 2024-12-16T08:29:13Z

I see there is an open PR #371, but no further activity. Is there anything blocking the creation of the attestations?

Since I didn't see this mentioned in the documentation: How is the integrity of the Python sources and dependencies used in the build verified?

indygreg · 2024-12-16T15:46:47Z

We pin and verify the sha256 and file size of all downloaded assets. See downloads.py.

zanieb · 2024-12-16T15:57:53Z

@chludwig-haufe there's a blocking comment at #371 (comment)

orf · 2024-12-16T20:25:51Z

@chludwig-haufe there's a blocking comment at #371 (comment)

Yep! I have this PR in my backlog, but some personal stuff has come up.

We should indeed only attest on main (or anything that actually publishes), adding the relevant if: blocks should be all that is needed.

orf added a commit to orf/python-build-standalone that referenced this issue Oct 16, 2024

Add build attestations. Closes indygreg#343

639bf61

orf linked a pull request Oct 16, 2024 that will close this issue

Add build attestations. Closes #343 #371

Open

charliermarsh added the enhancement New feature or request label Dec 18, 2024

Provide feedback