feat: add pypi attestation discovery #1067

Open. Wants to merge 3 commits into base: main

Conversation

@benmss (Member) commented Apr 24, 2025

Summary

This PR adds discovery of PyPI attestation. URLs to these attestation files are sought via the deps.dev API.

Description of changes

  • DepsDevRepoFinder was updated to use the DepsDevService, ensuring consistent and easily configurable use of the API
  • Tests were added for DepsDevRepoFinder functions (they were not added previously), including for the functions that PyPI attestation discovery relies upon.
  • PyPI attestations do not have a predicate. The pypi-attestation is used to extract information from the attestation certificate. This information is coerced into a predicate for use elsewhere within Macaron.
  • Addition of an integration test case using the ultralytics Python library as its target.

Related issues

Closes #947

@benmss self-assigned this Apr 24, 2025
@oracle-contributor-agreement bot added the "OCA Verified" label (all contributors have signed the Oracle Contributor Agreement) Apr 24, 2025
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss force-pushed the 947-discover-pypi-attestation branch from b97a9cb to a362d7c, April 24, 2025 04:28
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss force-pushed the 947-discover-pypi-attestation branch from 2df212b to 6d7cf95, April 24, 2025 06:31
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss marked this pull request as ready for review April 24, 2025 13:00
@benmss requested review from behnazh-w and tromai as code owners April 24, 2025 13:00
logger.debug("No predicate in payload statement.")
return None, None

repo = json_extract(predicate, ["sourceUri"], str)
Member (reviewer) commented:

From the documentation for the predicate of https://docs.pypi.org/attestations/publish/v1/, currently its content is not defined. I wonder if the sourceUri and sourceDigest were copied from an existing implementation or purposely put here to catch these data if they are available in the future?
I have decoded the statement of https://pypi.org/integrity/ultralytics/8.3.119/ultralytics-8.3.119.tar.gz/provenance and got

{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    {
      "name": "ultralytics-8.3.119.tar.gz",
      "digest": {
        "sha256": "497bdcf3eb1beb082f451d42e5af2a6af944693a5991c78a9b9b0ce538593153"
      }
    }
  ],
  "predicateType": "https://docs.pypi.org/attestations/publish/v1",
  "predicate": null
}

Member Author commented:

I may have confused things by converting the certificate information into a predicate and attaching it to the pypi spec that has none. The type and the related function could be renamed to better distinguish them from the actual spec. The actual field names within the substitute predicate were chosen for simplicity, and loosely based on existing predicates I suppose.
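An added example (not code from Macaron or from this PR) of the predicate-substitution step described in the PR summary and discussed in this thread: the decoded PyPI statement carries a null predicate, so the artifact is first bound to the statement via its subject digest, and source information is then taken from certificate-derived fields instead of a real predicate. The statement is the one quoted above; `CERT_INFO`, its repository URL, and the `json_extract`, `subject_matches`, `substitute_predicate` and `extract_source` helpers are assumptions made for this example.

```python
import json
from typing import Any, Optional, Tuple

# predicateType carried by PyPI publish attestations (see the decoded statement above).
PYPI_PUBLISH_V1 = "https://docs.pypi.org/attestations/publish/v1"

# Constructed sample: the in-toto statement quoted in the review thread, with predicate null.
STATEMENT = json.loads("""
{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [{"name": "ultralytics-8.3.119.tar.gz",
               "digest": {"sha256": "497bdcf3eb1beb082f451d42e5af2a6af944693a5991c78a9b9b0ce538593153"}}],
  "predicateType": "https://docs.pypi.org/attestations/publish/v1",
  "predicate": null
}
""")

# Hypothetical: values assumed to have been read beforehand from the signing certificate's
# Fulcio extensions (Source Repository URI / Source Repository Digest). Repository URL is made up.
CERT_INFO = {
    "source_repository_uri": "https://github.com/example-org/example-repo",
    "source_repository_digest": "0" * 40,
}


def json_extract(obj: Any, keys: list, typ: type) -> Any:
    """Walk nested dicts by key; return the leaf only if it has the expected type, else None."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj if isinstance(obj, typ) else None


def subject_matches(statement: dict, filename: str, sha256_hex: str) -> bool:
    """Bind the statement to a downloaded artifact: name and sha256 must both match a subject."""
    for subject in statement.get("subject", []):
        digest = json_extract(subject, ["digest", "sha256"], str)
        if subject.get("name") == filename and digest == sha256_hex.lower():
            return True
    return False


def substitute_predicate(statement: dict, cert_info: dict) -> Optional[dict]:
    """publish/v1 defines no predicate, so coerce certificate-derived fields into one."""
    if statement.get("predicateType") != PYPI_PUBLISH_V1 or statement.get("predicate") is not None:
        return None  # unknown type, or a real predicate is present: never overwrite it
    return {"sourceUri": cert_info.get("source_repository_uri"),
            "sourceDigest": cert_info.get("source_repository_digest")}


def extract_source(statement: dict, cert_info: dict) -> Tuple[Optional[str], Optional[str]]:
    """Return (repo, digest) from the real predicate if present, else from the substitute."""
    predicate = statement.get("predicate")
    if predicate is None:
        predicate = substitute_predicate(statement, cert_info)
    if predicate is None:
        return None, None  # mirrors the "No predicate in payload statement" branch above
    return json_extract(predicate, ["sourceUri"], str), json_extract(predicate, ["sourceDigest"], str)
```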

Labels: OCA Verified (all contributors have signed the Oracle Contributor Agreement)

Development: successfully merging this pull request may close the issue "Obtain PyPI Publish Attestation".