v0.0.21

@facutuesca facutuesca released this 10 Jan 19:16
· 2 commits to main since this release
41584d9

Changed

  • The CLI entrypoint is now pypi-attestations
    (#82)
  • The CLI verify subcommand has been changed to verify attestation,
    as in pypi-attestations verify attestation --identity ...
    (#82)

Added

  • The CLI has a new subcommand verify pypi, which takes a URL to a
    PyPI distribution (either a wheel or a source distribution) and a
    GitHub/GitLab repository. The command verifies the distribution by
    downloading it and its provenance from PyPI, verifying them using
    sigstore and checking that the repository matches the one in the
    PyPI provenance file.
    (#82)
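
The final step described for verify pypi, checking that the repository matches the one in the provenance file, sketched as an added example; this is not code from pypi-attestations. The field names (attestation_bundles, publisher, kind, repository) assume the PEP 740 provenance object layout, the sample is constructed, and no sigstore signature verification is performed here. Requiring every bundle to match and comparing case-insensitively are policy choices of this example.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the assumed PEP 740 provenance layout (attestations elided).
SAMPLE_PROVENANCE = json.loads("""
{"version": 1,
 "attestation_bundles": [
   {"publisher": {"kind": "GitHub", "repository": "example-org/example-pkg",
                  "workflow": "release.yml", "environment": null},
    "attestations": []}
 ]}
""")

# Supported hosts mapped to the publisher kind expected in the provenance.
HOSTS = {"github.com": "GitHub", "gitlab.com": "GitLab"}


def parse_repository_url(url):
    """Return (publisher kind, 'owner/repo') for a GitHub/GitLab HTTPS URL."""
    parts = urlparse(url)
    kind = HOSTS.get((parts.hostname or "").lower())
    if parts.scheme != "https" or kind is None:
        raise ValueError(f"unsupported repository URL: {url!r}")
    path = parts.path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    segments = path.split("/")
    if len(segments) < 2 or not all(segments):
        raise ValueError(f"no owner/repo path in URL: {url!r}")
    return kind, path


def repository_matches(provenance, repository_url):
    """True only if every bundle's publisher is exactly the expected repository."""
    kind, slug = parse_repository_url(repository_url)
    bundles = provenance.get("attestation_bundles") or []
    if not bundles:
        return False  # no provenance means nothing to trust
    for bundle in bundles:
        publisher = bundle.get("publisher") or {}
        if publisher.get("kind") != kind:
            return False
        # Full equality, not a prefix test, so lookalike names are rejected.
        if str(publisher.get("repository", "")).lower() != slug.lower():
            return False
    return True
```

A repository match only means something after the attestations themselves have been verified against the downloaded file, since an unverified provenance document can claim any publisher.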