PyPI now supports digital attestations

The Python Package Index (PyPI) has announced (https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/) that it has finalized support for PEP 740 (https://peps.python.org/pep-0740/, "Index support for digital attestations"). Trail of Bits (https://www.trailofbits.com/), which performed much of the development work for the implementation, has an in-depth blog post (https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/) about the work and its adoption, as well as what is left undone:

    One thing is notably missing from all of this work: downstream verification. [...] This isn't an acceptable end state (cryptographic attestations have defensive properties only insofar as they're actually verified), so we're looking into ways to bring verification to individual installing clients. In particular, we're currently working on a plugin architecture for pip (https://github.com/pypa/pip/issues/12766) that will enable users to load verification logic (https://github.com/trailofbits/pip-plugin-pep740) directly into their pip install flows.

https://lwn.net/Articles/998215/
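To make concrete what "downstream verification" in the quoted post would involve, here is an added example (not code from PyPI, pip or Trail of Bits) of the part of a PEP 740 check that needs no Sigstore tooling: confirming that each attestation's in-toto subject names the distribution file that was actually downloaded and carries its SHA-256 digest. It follows the JSON layout PEP 740 specifies (a provenance object, which per the PEP is served from the distribution URL with ".provenance" appended, containing attestation_bundles whose attestations wrap a base64-encoded in-toto Statement with predicateType https://docs.pypi.org/attestations/publish/v1). The sample wheel bytes, publisher fields, certificate and signature values are constructed placeholders. The DSSE signature, the Sigstore certificate and the transparency-log entries are deliberately not checked here; a real installing client must verify those as well, and must also match the certificate's identity against the expected publisher.

```python
"""Subject-binding check for a PEP 740 provenance object (added example)."""
import base64
import hashlib
import hmac
import json

# Identifiers taken from PEP 740 and the in-toto attestation spec.
INTOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PYPI_PUBLISH_PREDICATE = "https://docs.pypi.org/attestations/publish/v1"


def make_statement(filename: str, data: bytes) -> dict:
    """in-toto Statement for one distribution file, as PEP 740 wraps it in DSSE."""
    return {
        "_type": INTOTO_STATEMENT_TYPE,
        "subject": [{"name": filename,
                     "digest": {"sha256": hashlib.sha256(data).hexdigest()}}],
        "predicateType": PYPI_PUBLISH_PREDICATE,
        "predicate": None,
    }


def make_provenance(filename: str, data: bytes) -> dict:
    """Constructed provenance object in PEP 740 layout.

    Certificate, transparency entries and signature are placeholders (a real
    object carries Sigstore material there); only the statement is used below.
    """
    statement = json.dumps(make_statement(filename, data)).encode()
    return {
        "version": 1,
        "attestation_bundles": [{
            # Publisher fields are constructed sample values.
            "publisher": {"kind": "GitHub", "repository": "example/pkg",
                          "workflow": "release.yml", "environment": None},
            "attestations": [{
                "version": 1,
                "verification_material": {"certificate": "", "transparency_entries": []},
                "envelope": {
                    "statement": base64.b64encode(statement).decode(),
                    "signature": base64.b64encode(b"placeholder").decode(),
                },
            }],
        }],
    }


def check_subject_binding(provenance: dict, filename: str, data: bytes) -> tuple[bool, str]:
    """Return (ok, reason): every attestation must name `filename` with `data`'s SHA-256.

    Fails closed on an unknown provenance/attestation version, a statement of
    the wrong type or predicate, or any attestation that does not cover this
    exact file. Signature and certificate verification are out of scope here.
    """
    if provenance.get("version") != 1:
        return False, "unsupported provenance version"
    expected = hashlib.sha256(data).hexdigest()
    seen = 0
    for bundle in provenance.get("attestation_bundles", []):
        for att in bundle.get("attestations", []):
            if att.get("version") != 1:
                return False, "unsupported attestation version"
            try:
                statement = json.loads(base64.b64decode(att["envelope"]["statement"]))
            except (KeyError, TypeError, ValueError) as exc:
                return False, f"malformed envelope: {exc}"
            if not isinstance(statement, dict):
                return False, "statement is not a JSON object"
            if statement.get("_type") != INTOTO_STATEMENT_TYPE:
                return False, "not an in-toto v1 statement"
            if statement.get("predicateType") != PYPI_PUBLISH_PREDICATE:
                return False, "unexpected predicate type"
            bound = False
            for subject in statement.get("subject", []):
                if not isinstance(subject, dict) or subject.get("name") != filename:
                    continue
                digest = subject.get("digest")
                value = digest.get("sha256") if isinstance(digest, dict) else None
                # Constant-time compare is not strictly needed for a public
                # digest, but it is the habit to keep for any comparison of
                # security material.
                if isinstance(value, str) and hmac.compare_digest(value, expected):
                    bound = True
            if not bound:
                return False, f"attestation does not cover {filename} with digest {expected}"
            seen += 1
    if seen == 0:
        return False, "no attestations in provenance"
    return True, f"{seen} attestation(s) bound to {filename}"


if __name__ == "__main__":
    wheel = b"PK\x03\x04 constructed sample wheel bytes"  # not a real wheel
    name = "example_pkg-1.0-py3-none-any.whl"
    prov = make_provenance(name, wheel)
    print(check_subject_binding(prov, name, wheel))
    print(check_subject_binding(prov, name, wheel + b"\x00"))
```

The order of checks mirrors what an installer must do after it has already validated the Sigstore chain: only an attestation whose signed subject matches the bytes on disk says anything about the file being installed, and a provenance object with zero attestations is treated as no provenance at all rather than as a pass.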