PyPI Attestation API client (PEP 740).
Fetches Sigstore-based provenance attestations from PyPI’s Integrity API
to enrich DependencySignatureEvidence with publisher identity, source
repository, and transparency log information.
Two-phase approach:
- Simple API (/simple/{project}/) → find the provenance URL for the version’s sdist
- Integrity API (provenance URL) → fetch the attestation with publisher + Rekor entry
API docs: https://docs.pypi.org/api/integrity/
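The two phases above, walked through offline as an added example (Python against the JSON shapes of the Simple API and the Integrity API; this is not the crate's own code). The field names follow PEP 691/PEP 740 and the Sigstore transparency-log JSON encoding as the author of this example understands them; the project name, URLs, hashes, log index and certificate bytes are constructed, and the `fetch` callable is injected so no network request is made.

```python
import json
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed PEP 691 JSON response for a hypothetical project "examplepkg".
# Under PEP 740 each file entry carries "provenance": a URL or null.
SIMPLE_API_JSON = json.dumps({
    "meta": {"api-version": "1.3"},
    "name": "examplepkg",
    "versions": ["1.0.0", "1.1.0"],
    "files": [
        {"filename": "examplepkg-1.0.0.tar.gz", "hashes": {"sha256": "00" * 32},
         "url": "https://files.example.invalid/examplepkg-1.0.0.tar.gz",
         "provenance": None},  # no attestation published for this release
        {"filename": "examplepkg-1.1.0-py3-none-any.whl", "hashes": {"sha256": "11" * 32},
         "url": "https://files.example.invalid/examplepkg-1.1.0-py3-none-any.whl",
         "provenance": "https://pypi.example.invalid/integrity/examplepkg/1.1.0/"
                       "examplepkg-1.1.0-py3-none-any.whl/provenance"},
        {"filename": "examplepkg-1.1.0.tar.gz", "hashes": {"sha256": "22" * 32},
         "url": "https://files.example.invalid/examplepkg-1.1.0.tar.gz",
         "provenance": "https://pypi.example.invalid/integrity/examplepkg/1.1.0/"
                       "examplepkg-1.1.0.tar.gz/provenance"},
    ],
})

# Constructed PEP 740 provenance object as served by the Integrity API:
# attestation bundles, each with a Trusted Publisher identity and attestations
# whose transparency_entries are Sigstore TransparencyLogEntry JSON. All values
# are made up.
PROVENANCE_JSON = json.dumps({
    "version": 1,
    "attestation_bundles": [{
        "publisher": {"kind": "GitHub", "repository": "example-org/examplepkg",
                      "workflow": "release.yml", "environment": "pypi"},
        "attestations": [{
            "version": 1,
            "verification_material": {
                "certificate": "MIIB...constructed...",
                "transparency_entries": [{
                    "logIndex": "123456789",
                    "logId": {"keyId": "constructed-log-key-id"},
                    "integratedTime": "1700000000",
                    "kindVersion": {"kind": "dsse", "version": "0.0.1"},
                }],
            },
            "envelope": {"statement": "eyJ...constructed...", "signature": "MEUC...constructed..."},
        }],
    }],
})


@dataclass
class ProvenanceSummary:
    """Hypothetical summary type; the fields mirror what a client would extract."""
    publisher_kind: str
    repository: str
    workflow: Optional[str]
    rekor_log_index: Optional[int]
    integrated_time: Optional[int]


def find_sdist_provenance_url(simple_json: str, version: str) -> Optional[str]:
    """Phase 1: locate the sdist for `version` and return its provenance URL.
    Returns None when PyPI holds no provenance for that file (a legitimate
    outcome that callers must distinguish from a lookup failure)."""
    doc = json.loads(simple_json)
    # PEP 625 sdist filenames use the normalized name with '-' replaced by '_'.
    sdist_name = f"{doc['name'].replace('-', '_')}-{version}.tar.gz"
    for entry in doc.get("files", []):
        if entry.get("filename") == sdist_name:
            return entry.get("provenance")
    raise LookupError(f"no sdist for {doc['name']} {version}")


def parse_provenance(provenance_json: str) -> List[ProvenanceSummary]:
    """Phase 2: pull publisher identity and the first Rekor entry out of each
    attestation. This only reads the document; it does not verify signatures."""
    doc = json.loads(provenance_json)
    if doc.get("version") != 1:
        raise ValueError(f"unsupported provenance version {doc.get('version')!r}")
    out = []
    for bundle in doc["attestation_bundles"]:
        pub = bundle["publisher"]
        for att in bundle["attestations"]:
            entries = att["verification_material"].get("transparency_entries") or []
            first = entries[0] if entries else {}
            out.append(ProvenanceSummary(
                publisher_kind=pub["kind"],
                repository=pub["repository"],
                workflow=pub.get("workflow"),
                rekor_log_index=int(first["logIndex"]) if "logIndex" in first else None,
                integrated_time=int(first["integratedTime"]) if "integratedTime" in first else None,
            ))
    return out


def fetch_provenance(fetch: Callable[[str], str], project: str, version: str) -> List[ProvenanceSummary]:
    """Run both phases. A real client sends Accept: application/vnd.pypi.simple.v1+json
    to the Simple API; here `fetch` is injected so the example runs offline."""
    url = find_sdist_provenance_url(fetch(f"https://pypi.org/simple/{project}/"), version)
    return [] if url is None else parse_provenance(fetch(url))


def offline_fetch(url: str) -> str:
    """Constructed stand-in for HTTP GET, serving the two documents above."""
    if url.endswith("/simple/examplepkg/"):
        return SIMPLE_API_JSON
    if url.endswith("/provenance"):
        return PROVENANCE_JSON
    raise KeyError(url)


if __name__ == "__main__":
    for v in ("1.0.0", "1.1.0"):
        print(v, fetch_provenance(offline_fetch, "examplepkg", v))
```

The summary produced here is evidence about *who* published and *where* it was logged, not proof that the artifact is genuine: a null `provenance` is a normal state for older releases, and a populated one still has to be cryptographically verified (certificate chain, Rekor inclusion, and the in-toto statement's subject digest against the downloaded sdist) before it is trusted.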
Structs
- PypiAttestationClient
- PypiProvenance - Provenance data extracted from a PyPI attestation.