Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/yossarian/statuses/113481718197642220">yossarian (1.3.6.1.4.1.55738) (yossarian@infosec.exchange)'s status on Friday, 15-Nov-2024 01:27:21 JST</a><a href="https://infosec.exchange/@yossarian" title="yossarian@infosec.exchange"><img src="https://gnusocial.jp/avatar/209904-48-20241114162721.webp" width="48" height="48" alt="yossarian (1.3.6.1.4.1.55738)" style="position: absolute; left: 0; top: 0;">yossarian (1.3.6.1.4.1.55738)</a><div><ul><li></ul></div></section><article><p>i'm really excited to share the work my team at <a href="https://infosec.exchange/@trailofbits">@trailofbits</a> has been doing for the last year: Sigstore-based attestations are now live and generally available on PyPI!</p><p>if you're already using Trusted Publishing with the canonical pypi-publish action, you don't need to change anything: the action will generate and upload an attestation on your behalf.</p><p>we've written a blog post on some of the technical details behind PyPI's attestation features, including Sigstore and PEP 740, here: <a href="https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/" rel="nofollow noreferrer">https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/</a></p><p><a href="https://infosec.exchange/tags/python" rel="tag">#python</a> <a href="https://infosec.exchange/tags/pypi" rel="tag">#pypi</a> <a href="https://infosec.exchange/tags/security" rel="tag">#security</a> <a href="https://infosec.exchange/tags/sigstore" rel="tag">#sigstore</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3999913#notice-7814634">In conversation</a><time datetime="2024-11-15T01:27:21+09:00" title="Friday, 15-Nov-2024 01:27:21 JST">about 10 days ago</time> <span>from <span><a href="https://infosec.exchange/@yossarian/113481718197642220" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@yossarian/113481718197642220">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: blog.trailofbits.com</div><h5><a href="https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/#python">Attestations: A new generation of signatures on PyPI</a></h5><div> from <span>William Woodruff</span></div></header><div>Read the official announcement on the PyPI blog as well! For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digita…</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
yossarian (1.3.6.1.4.1.55738) (yossarian@infosec.exchange)'s status on Friday, 15-Nov-2024 01:27:21 JSTyossarian (1.3.6.1.4.1.55738)
- Trail of Bits
i'm really excited to share the work my team at @trailofbits has been doing for the last year: Sigstore-based attestations are now live and generally available on PyPI!
if you're already using Trusted Publishing with the canonical pypi-publish action, you don't need to change anything: the action will generate and upload an attestation on your behalf.
we've written a blog post on some of the technical details behind PyPI's attestation features, including Sigstore and PEP 740, here: https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/
#python #pypi #security #sigstore
In conversationabout 10 days ago from infosec.exchangepermalink
Attachments
1. Domain not in remote thumbnail source whitelist: blog.trailofbits.com
  Attestations: A new generation of signatures on PyPI
  from William Woodruff
  Read the official announcement on the PyPI blog as well! For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digita…

Public

Embed Notice

HTML Code

Corresponding Notice