Attestations: A new generation of signatures on PyPI


Read the official announcement on the PyPI blog as well! For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digita…

The resulting tokens issued via this OIDC flow are short-lived and minimally-scoped, reducing an attacker’s ability to hoard them for future use or pivot between different projects with a single credential. This isn’t an acceptable end state (cryptographic attestations have defensive properties only insofar as they’re actually verified), so we’re looking into ways to bring verification to individual installing clients. Researchers: PEP 740 attestations are built on top of Sigstore, and provide a key verifiable missing link between source repositories and packages (as they appear on PyPI).
