 PyPI now supports digital attestations

The Python Package Index (PyPI) has announced
(https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/)
that it has finalized support for PEP 740 (https://peps.python.org/pep-0740/,
"Index support for digital attestations"). Trail of Bits
(https://www.trailofbits.com/), which performed much of the development work
for the implementation, has an <a href="https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/" rel="nofollow">in-depth
blog post</a> about the work and its adoption, as well as what is left
undone:


One thing is notably missing from all of this work:
downstream verification. [...]

This isn't an acceptable end state (cryptographic attestations have
defensive properties only insofar as they're actually
verified), so we're looking into ways to bring
verification to individual installing clients. In particular, we're
currently working on a <a href="https://github.com/pypa/pip/issues/12766" rel="nofollow">plugin architecture
for pip</a> that will enable users to <a href="https://github.com/trailofbits/pip-plugin-pep740" rel="nofollow">load
verification logic</a> directly into their pip install
flows.

https://lwn.net/Articles/998215/