Store attestations for PEP740 #16302
Merged
Conversation
# Conflicts: # warehouse/forklift/legacy.py
DarkaMaul commented Jul 18, 2024
facutuesca reviewed Jul 19, 2024
facutuesca suggested changes Jul 25, 2024
warehouse/migrations/versions/7a195fd3f903_create_release_attestations_table.py
woodruffw reviewed Jul 25, 2024
Let's put this one on hold until trailofbits/pypi-attestations#36 is merged.
Exactly
di reviewed Aug 15, 2024
woodruffw reviewed Aug 15, 2024
…te Provenance related objects
# Conflicts: # warehouse/forklift/legacy.py
DarkaMaul force-pushed the dm/store-attestations branch from 6d35ff3 to eec0b46 on August 16, 2024 12:16
di reviewed Aug 19, 2024
di approved these changes Aug 21, 2024
woodruffw reviewed Aug 21, 2024
Signed-off-by: William Woodruff <william@trailofbits.com>
di added a commit to di/warehouse that referenced this pull request Aug 21, 2024
This reverts commit 5545884.
di added a commit that referenced this pull request Aug 21, 2024
woodruffw added a commit to trail-of-forks/warehouse that referenced this pull request Aug 21, 2024
This reverts commit da7e1ed.
This was referenced Aug 26, 2024
ewdurbin pushed a commit that referenced this pull request Sep 3, 2024
* Reapply "Store attestations for PEP740 (#16302)" (#16545)
  This reverts commit da7e1ed.
* migrations: re-roll migration history
  Signed-off-by: William Woodruff <william@trailofbits.com>
* config: register .attestations for inclusion
  Signed-off-by: William Woodruff <william@trailofbits.com>
* attestations: request the appropriate IFileStorage service
  IFileStorage requires a name to disambiguate it.
  Signed-off-by: William Woodruff <william@trailofbits.com>
* conftest: add archive_files.path to get_app_config
  Signed-off-by: William Woodruff <william@trailofbits.com>
* test, warehouse: remove problematic mocks
  This removes two mocked `db_request`s from the simple index tests. These mocks were masking larger architectural issues with both attestations and our test scaffolding for attestations.
  This isn't quite complete yet, since it does a nasty thing (uses a file storage with a tmpdir) to get IntegrityService initialization working.
  Signed-off-by: William Woodruff <william@trailofbits.com>
* test_services: rename test class
  Signed-off-by: William Woodruff <william@trailofbits.com>
* Try to clean a bit the mess with the migrations.
* begin refactoring IntegrityService
  This reduces the overall API surface for IIntegrityService implementers, and adds an initial NullIntegrityService to make unit-level testing simpler.
  Signed-off-by: William Woodruff <william@trailofbits.com>
* Revert "Try to clean a bit the mess with the migrations."
  This reverts commit e19be6c.
* tests, warehouse: more error tests, remove more stubs
  Signed-off-by: William Woodruff <william@trailofbits.com>
* test_services: fix match
  Signed-off-by: William Woodruff <william@trailofbits.com>
* remove more implicit file service deps
  Signed-off-by: William Woodruff <william@trailofbits.com>
* continue to burn down coverage
  Remove more ad-hoc stubs as well.
  Signed-off-by: William Woodruff <william@trailofbits.com>
* full coverage
  Signed-off-by: William Woodruff <william@trailofbits.com>
* test_simple: positive provenance test for /simple
  Signed-off-by: William Woodruff <william@trailofbits.com>
* tests: minimize, increase confidence in behavior
  Signed-off-by: William Woodruff <william@trailofbits.com>
* Update warehouse/config.py
  Co-authored-by: dm <darkamaul@hotmail.fr>
* packaging/test_utils: remove another mock
  Signed-off-by: William Woodruff <william@trailofbits.com>
* Remove even more mocks
* Update tests/conftest.py
  Co-authored-by: William Woodruff <william@yossarian.net>
* Update test_create_service
* Add a functional test
* Linting
* Fixup migration
* Fix test error
* Revert change
* Apply suggestions from code review
  Rename key
  Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
* Revert "Apply suggestions from code review"
  This reverts commit 52931a1.
* Give the IntegrityService access to the session
* Add the Attestation object to the session
* Update the functional test with more assertions
* Remove vestigial helper
* Update functional test

---------

Signed-off-by: William Woodruff <william@trailofbits.com>
Co-authored-by: Alexis <alexis.challande@trailofbits.com>
Co-authored-by: dm <darkamaul@hotmail.fr>
Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
Context

This PR follows #16063 and #15952 and builds on them.

After verifying attestations, this PR introduces their storage and retrieval when needed.

Main changes

- At upload time: a Provenance file is generated and stored with the release file (storage service).
- At download time, in the simple API (JSON/HTML), if attestations exist for the release: `provenance` is set with the sha256 of the provenance file, and `data-provenance` is set with the same value.

Implementation choices

TODOs

/cc @woodruffw @facutuesca
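The upload/download flow described above, as an added, self-contained example that is not code from this PR or from warehouse. It assumes a minimal provenance document layout (one bundle holding the verified attestations; not PEP 740's normative schema), a local directory standing in for the storage service, and constructed sample data throughout. It shows the two properties the description relies on: the provenance file is written next to the release file at upload time, and at download time the simple index advertises the same sha256 in the JSON `provenance` key and the HTML `data-provenance` attribute, or neither when no attestations were uploaded.

```python
from __future__ import annotations

import hashlib
import json
import tempfile
from html import escape
from pathlib import Path

# Constructed sample attestation; the inner layout is an assumption for
# illustration and carries no real signature or certificate.
SAMPLE_ATTESTATION = {
    "version": 1,
    "verification_material": {"certificate": "<base64 placeholder>"},
    "envelope": {"statement": "<base64 placeholder>", "signature": "<base64 placeholder>"},
}


def build_provenance(attestations: list[dict]) -> bytes:
    """Serialize the verified attestations into one provenance document.

    Canonical JSON (sorted keys, no whitespace) so the same attestations
    always yield the same bytes and therefore the same sha256.
    """
    doc = {"version": 1, "attestation_bundles": [{"attestations": attestations}]}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")


def store_provenance(storage_dir: Path, filename: str, attestations: list[dict]) -> str | None:
    """Upload time: write the provenance file beside the release file.

    Returns the sha256 hex digest of the stored document, or None when the
    upload carried no attestations (then nothing is stored or advertised).
    """
    if not attestations:
        return None
    data = build_provenance(attestations)
    (storage_dir / f"{filename}.provenance").write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def load_provenance_digest(storage_dir: Path, filename: str) -> str | None:
    """Download time: recompute the digest from the bytes actually on disk, so the
    index advertises exactly what a client will fetch (or nothing if absent)."""
    provenance_path = storage_dir / f"{filename}.provenance"
    if not provenance_path.exists():
        return None
    return hashlib.sha256(provenance_path.read_bytes()).hexdigest()


def render_simple_html(filename: str, url: str, file_sha256: str, provenance_sha256: str | None) -> str:
    """PEP 503 style anchor; data-provenance is emitted only when provenance exists."""
    attrs = [f'href="{escape(url, quote=True)}#sha256={file_sha256}"']
    if provenance_sha256 is not None:
        attrs.append(f'data-provenance="{provenance_sha256}"')
    return f"<a {' '.join(attrs)}>{escape(filename)}</a>"


def render_simple_json(filename: str, url: str, file_sha256: str, provenance_sha256: str | None) -> dict:
    """PEP 691 style file entry; the provenance key is present only when provenance exists."""
    entry = {"filename": filename, "url": url, "hashes": {"sha256": file_sha256}}
    if provenance_sha256 is not None:
        entry["provenance"] = provenance_sha256
    return entry


def demo(attestations: list[dict]) -> tuple[dict, str]:
    """Run upload then download for one constructed release file in a temp dir.

    Returns the JSON entry and the HTML anchor the simple index would serve.
    """
    with tempfile.TemporaryDirectory() as tmp:
        storage = Path(tmp)
        filename = "example_pkg-1.0.0-py3-none-any.whl"  # constructed name
        release_bytes = b"not a real wheel"  # constructed content
        (storage / filename).write_bytes(release_bytes)
        file_sha256 = hashlib.sha256(release_bytes).hexdigest()

        stored_digest = store_provenance(storage, filename, attestations)
        served_digest = load_provenance_digest(storage, filename)
        # What was written at upload must be what is advertised at download.
        assert stored_digest == served_digest

        url = f"https://files.example.invalid/{filename}"  # placeholder host
        return (
            render_simple_json(filename, url, file_sha256, served_digest),
            render_simple_html(filename, url, file_sha256, served_digest),
        )


if __name__ == "__main__":
    entry, anchor = demo([SAMPLE_ATTESTATION])
    print(json.dumps(entry, indent=2))
    print(anchor)
```

Recomputing the digest from the stored bytes at download time, rather than trusting a value cached at upload, keeps the advertised `provenance` and `data-provenance` values tied to the file a client actually retrieves.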