Closed
Labels: feature request, requires triaging (maintainers need to do initial inspection of issue)
Description
Attestations are not currently supported with Google Cloud publishers.
Sub-issue of #17001.
Full end-to-end workflow:
```console
$ cat setup.py
from setuptools import setup
setup(
    name="gcb-attestation-test",
    version="0.0.0",
)
$ python -m build --sdist
* Creating isolated environment: venv+pip...
* Installing packages in isolated environment:
- setuptools >= 40.8.0
* Getting build dependencies for sdist...
running egg_info
creating src/gcb_attestation_test.egg-info
writing src/gcb_attestation_test.egg-info/PKG-INFO
writing dependency_links to src/gcb_attestation_test.egg-info/dependency_links.txt
writing top-level names to src/gcb_attestation_test.egg-info/top_level.txt
writing manifest file 'src/gcb_attestation_test.egg-info/SOURCES.txt'
reading manifest file 'src/gcb_attestation_test.egg-info/SOURCES.txt'
writing manifest file 'src/gcb_attestation_test.egg-info/SOURCES.txt'
* Building sdist...
running sdist
running egg_info
writing src/gcb_attestation_test.egg-info/PKG-INFO
writing dependency_links to src/gcb_attestation_test.egg-info/dependency_links.txt
writing top-level names to src/gcb_attestation_test.egg-info/top_level.txt
reading manifest file 'src/gcb_attestation_test.egg-info/SOURCES.txt'
writing manifest file 'src/gcb_attestation_test.egg-info/SOURCES.txt'
warning: sdist: standard file not found: should have one of README, README.rst, README.txt, README.md
running check
creating gcb_attestation_test-0.0.0
creating gcb_attestation_test-0.0.0/src
creating gcb_attestation_test-0.0.0/src/gcb_attestation_test.egg-info
copying files to gcb_attestation_test-0.0.0...
copying setup.py -> gcb_attestation_test-0.0.0
copying src/__init__.py -> gcb_attestation_test-0.0.0/src
copying src/gcb_attestation_test.egg-info/PKG-INFO -> gcb_attestation_test-0.0.0/src/gcb_attestation_test.egg-info
copying src/gcb_attestation_test.egg-info/SOURCES.txt -> gcb_attestation_test-0.0.0/src/gcb_attestation_test.egg-info
copying src/gcb_attestation_test.egg-info/dependency_links.txt -> gcb_attestation_test-0.0.0/src/gcb_attestation_test.egg-info
copying src/gcb_attestation_test.egg-info/top_level.txt -> gcb_attestation_test-0.0.0/src/gcb_attestation_test.egg-info
copying src/gcb_attestation_test.egg-info/SOURCES.txt -> gcb_attestation_test-0.0.0/src/gcb_attestation_test.egg-info
Writing gcb_attestation_test-0.0.0/setup.cfg
Creating tar archive
removing 'gcb_attestation_test-0.0.0' (and everything under it)
Successfully built gcb_attestation_test-0.0.0.tar.gz
$ python -m pypi_attestations sign dist/gcb_attestation_test-0.0.0.tar.gz
$ python -m pypi_attestations inspect dist/gcb_attestation_test-0.0.0.tar.gz.publish.attestation
Warning: The information displayed below are not verified, they are only displayed. Use the verify command to verify them.
File: dist/gcb_attestation_test-0.0.0.tar.gz.publish.attestation
Version: 1
Statement:
Type: https://in-toto.io/Statement/v1
Subject:
gcb_attestation_test-0.0.0.tar.gz (digest: 461317362419124b6012e855423a9078d6de8aed3e74fa78cc74d669b23dc6cf)
Predicate type: https://docs.pypi.org/attestations/publish/v1
Predicate: None
Certificate:
Subjects (suitable for `--identity`): ['[email protected]']
Issuer: CN=sigstore-intermediate,O=sigstore.dev
Validity: 2025-04-21 15:12:27+00:00
Transparency Log (1 entries):
Log Index: 200170367
$ python -m pypi_attestations verify attestation --identity [email protected] dist/gcb_attestation_test-0.0.0.tar.gz
OK: dist/gcb_attestation_test-0.0.0.tar.gz.publish.attestation
$ twine upload --attestations dist/*
Uploading distributions to https://upload.pypi.org/legacy/
Uploading gcb_attestation_test-0.0.0.tar.gz
100% ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 7.9/7.9 kB • 00:00 • ?
WARNING Error during upload. Retry with the --verbose option for more details.
ERROR HTTPError: 400 Bad Request from https://upload.pypi.org/legacy/
Invalid attestations supplied during upload: Attestations are not currently supported with Google publishers
```
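The statement fields that `inspect` displays above can be cross-checked against the built file before upload. The following is an added example, not part of the issue and not PyPI or pypi-attestations code: it assumes the PEP 740 JSON layout (`version`, `envelope.statement` as base64 of an in-toto Statement), the helper names are hypothetical, and the sample attestation is constructed with placeholder signature material. It checks the statement only; it does not verify the signature, certificate or transparency log entry, which is what the `verify` command is for.

```python
import base64
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PUBLISH_PREDICATE = "https://docs.pypi.org/attestations/publish/v1"


def check_statement(attestation_json: str, dist_name: str, dist_bytes: bytes) -> list:
    """Return mismatches between the attestation's statement and the file (empty list = consistent)."""
    problems = []
    att = json.loads(attestation_json)
    if att.get("version") != 1:
        problems.append(f"unexpected attestation version: {att.get('version')!r}")
    try:
        # Assumed PEP 740 layout: the in-toto statement is base64-encoded JSON.
        stmt = json.loads(base64.b64decode(att["envelope"]["statement"], validate=True))
    except (KeyError, TypeError, ValueError) as exc:
        return problems + [f"cannot decode envelope.statement: {exc}"]
    if not isinstance(stmt, dict):
        return problems + ["statement is not a JSON object"]
    if stmt.get("_type") != STATEMENT_TYPE:
        problems.append(f"unexpected statement type: {stmt.get('_type')!r}")
    if stmt.get("predicateType") != PUBLISH_PREDICATE:
        problems.append(f"unexpected predicate type: {stmt.get('predicateType')!r}")
    subjects = stmt.get("subject") or []
    if len(subjects) != 1:  # assumption: a publish attestation names exactly one file
        return problems + [f"expected exactly one subject, found {len(subjects)}"]
    subject = subjects[0]
    if subject.get("name") != dist_name:
        problems.append(f"subject name {subject.get('name')!r} != {dist_name!r}")
    if subject.get("digest", {}).get("sha256") != hashlib.sha256(dist_bytes).hexdigest():
        problems.append("subject digest does not match the file's SHA-256")
    return problems


def make_sample(dist_name: str, dist_bytes: bytes) -> str:
    """Constructed sample attestation; certificate and signature are placeholders."""
    stmt = {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": dist_name, "digest": {"sha256": hashlib.sha256(dist_bytes).hexdigest()}}],
        "predicateType": PUBLISH_PREDICATE,
        "predicate": None,
    }
    return json.dumps({
        "version": 1,
        "verification_material": {"certificate": "PLACEHOLDER", "transparency_entries": []},
        "envelope": {"statement": base64.b64encode(json.dumps(stmt).encode()).decode(),
                     "signature": "PLACEHOLDER"},
    })
```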