PyPI's Sigstore-powered attestations are now generally available
Check out the PyPI blog and Trail of Bits blog for more user-facing and technical details, respectively!

Over the past year, the Google Open Source Security Team and Trail of Bits have worked together to implement PEP 740, a Python packaging standard that allows users to upload Sigstore-based attestations to the Python Package Index. Today we’re pleased to announce that attestation support on PyPI is generally available, meaning that project maintainers can submit attestations for both PyPI and downstream users to verify.