sphinx/utils/convert_attestations.py

"""Convert Sigstore attestations to PEP 740.

See https://github.com/trailofbits/pypi-attestations.
"""

# resolution fails without betterproto and protobuf-specs
# /// script
# requires-python = ">=3.11"
# dependencies = [
#     "pypi-attestations~=0.0.12",
#     "sigstore-protobuf-specs==0.3.2",
#     "betterproto==2.0.0b6",
# ]
# ///

from __future__ import annotations

import json
import sys
from base64 import b64decode
from pathlib import Path

from pypi_attestations import Attestation, Distribution
from sigstore.models import Bundle
from sigstore.verify import Verifier
from sigstore.verify.policy import Identity

DIST = Path('dist')
bundle_path = Path(sys.argv[1])
signer_identity = sys.argv[2]

for line in bundle_path.read_bytes().splitlines():
    dsse_envelope_payload = json.loads(line)['dsseEnvelope']['payload']
    subjects = json.loads(b64decode(dsse_envelope_payload))['subject']
    for subject in subjects:
        filename = subject['name']
        assert (DIST / filename).is_file()

        # Convert attestation from Sigstore to PEP 740
        print(f'Converting attestation for {filename}')
        sigstore_bundle = Bundle.from_json(line)
        attestation = Attestation.from_bundle(sigstore_bundle)
        attestation_path = DIST / f'{filename}.publish.attestation'
        attestation_path.write_text(attestation.model_dump_json())
        print(f'Attestation for {filename} written to {attestation_path}')
        print()

        # Validate attestation
        dist = Distribution.from_file(DIST / filename)
        attestation = Attestation.model_validate_json(attestation_path.read_bytes())
        verifier = Verifier.production()
        policy = Identity(identity=signer_identity)
        attestation.verify(verifier, policy, dist)
        print(f'Verified {attestation_path}')
Generate PEP 740 attestations for PyPI (#12981) 2024-10-07 23:18:15 -05:00			`"""Convert Sigstore attestations to PEP 740.`

			`See https://github.com/trailofbits/pypi-attestations.`
			`"""`

Use script metadata in utils/convert_attestations.py 2025-01-04 00:20:36 -06:00			`# resolution fails without betterproto and protobuf-specs`
			`# /// script`
			`# requires-python = ">=3.11"`
			`# dependencies = [`
			`# "pypi-attestations~=0.0.12",`
			`# "sigstore-protobuf-specs==0.3.2",`
			`# "betterproto==2.0.0b6",`
			`# ]`
			`# ///`

Require the PEP 563 'annotations' future import 2024-11-22 15:54:26 -06:00			`from __future__ import annotations`

Generate PEP 740 attestations for PyPI (#12981) 2024-10-07 23:18:15 -05:00			`import json`
			`import sys`
			`from base64 import b64decode`
			`from pathlib import Path`

			`from pypi_attestations import Attestation, Distribution`
			`from sigstore.models import Bundle`
			`from sigstore.verify import Verifier`
			`from sigstore.verify.policy import Identity`

			`DIST = Path('dist')`
			`bundle_path = Path(sys.argv[1])`
			`signer_identity = sys.argv[2]`

			`for line in bundle_path.read_bytes().splitlines():`
			`dsse_envelope_payload = json.loads(line)['dsseEnvelope']['payload']`
			`subjects = json.loads(b64decode(dsse_envelope_payload))['subject']`
			`for subject in subjects:`
			`filename = subject['name']`
			`assert (DIST / filename).is_file()`

			`# Convert attestation from Sigstore to PEP 740`
			`print(f'Converting attestation for {filename}')`
			`sigstore_bundle = Bundle.from_json(line)`
			`attestation = Attestation.from_bundle(sigstore_bundle)`
			`attestation_path = DIST / f'{filename}.publish.attestation'`
			`attestation_path.write_text(attestation.model_dump_json())`
			`print(f'Attestation for {filename} written to {attestation_path}')`
			`print()`

			`# Validate attestation`
			`dist = Distribution.from_file(DIST / filename)`
			`attestation = Attestation.model_validate_json(attestation_path.read_bytes())`
			`verifier = Verifier.production()`
			`policy = Identity(identity=signer_identity)`
			`attestation.verify(verifier, policy, dist)`
			`print(f'Verified {attestation_path}')`