From b49849d6b72684024eda25e94a85d6a15c0467e7 Mon Sep 17 00:00:00 2001 From: Lucas Cimon <925560+Lucas-C@users.noreply.github.com> Date: Mon, 16 Dec 2024 12:33:06 +0100 Subject: [PATCH 1/2] Doc: explaining how to verify provenance + introducing guarddog in CI --- docs/index.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/index.md b/docs/index.md index 79c5f5ae2..f64019790 100644 --- a/docs/index.md +++ b/docs/index.md @@ -83,6 +83,19 @@ pip install git+https://github.com/py-pdf/fpdf2.git@master **Developement**: check the [dedicated documentation page](Development.md). +### Verifying provenance +`sigstore` can be used to check the provenance of a `fpdf2-2.X.Y.tar.gz` package. + +Example to check that [`fpdf2-2.8.2.tar.gz` package on Pypi](https://pypi.org/project/fpdf2/#fpdf2-2.8.2.tar.gz) can be linked to the `git` commit [b9cfbb6d8ca1eb034e826fd358194e899a1daf28](https://github.com/py-pdf/fpdf2/commit/b9cfbb6d8ca1eb034e826fd358194e899a1daf28) on the [py-pdf/fpdf2](https://github.com/py-pdf/fpdf2) GitHub repository: + +```shell +pip install sigstore + +wget https://files.pythonhosted.org/packages/b0/54/0e86f986e81abad9e6b348f5176048a2aa046920d46292c42a581064d93e/fpdf2-2.8.2.tar.gz + +sigstore verify github fpdf2-2.8.2.tar.gz --repository=py-pdf/fpdf2 --sha b9cfbb6d8ca1eb034e826fd358194e899a1daf28 +``` + ### Displaying deprecation warnings `DeprecationWarning`s are not displayed by Python by default. From e37fbaa85b806a0b9242169a539dd5e340507f08 Mon Sep 17 00:00:00 2001 From: Lucas Cimon <925560+Lucas-C@users.noreply.github.com> Date: Mon, 13 Jan 2025 15:54:31 +0100 Subject: [PATCH 2/2] Update --- docs/index.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/docs/index.md b/docs/index.md index f64019790..11a280214 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -84,18 +84,20 @@ pip install git+https://github.com/py-pdf/fpdf2.git@master **Developement**: check the [dedicated documentation page](Development.md). ### Verifying provenance -`sigstore` can be used to check the provenance of a `fpdf2-2.X.Y.tar.gz` package. +[`pypi-attestations`](https://pypi.org/project/pypi-attestations/) can be used to check the provenance of a `fpdf2-2.X.Y.tar.gz` or `fpdf2-2.X.Y-py2.py3-none-any.whl` package. -Example to check that [`fpdf2-2.8.2.tar.gz` package on Pypi](https://pypi.org/project/fpdf2/#fpdf2-2.8.2.tar.gz) can be linked to the `git` commit [b9cfbb6d8ca1eb034e826fd358194e899a1daf28](https://github.com/py-pdf/fpdf2/commit/b9cfbb6d8ca1eb034e826fd358194e899a1daf28) on the [py-pdf/fpdf2](https://github.com/py-pdf/fpdf2) GitHub repository: +Example to check that the [`fpdf2-2.8.2.tar.gz` package on Pypi](https://pypi.org/project/fpdf2/#fpdf2-2.8.2.tar.gz) has been published from the [py-pdf/fpdf2](https://github.com/py-pdf/fpdf2) GitHub repository: ```shell -pip install sigstore +$ pip install pypi-attestations -wget https://files.pythonhosted.org/packages/b0/54/0e86f986e81abad9e6b348f5176048a2aa046920d46292c42a581064d93e/fpdf2-2.8.2.tar.gz - -sigstore verify github fpdf2-2.8.2.tar.gz --repository=py-pdf/fpdf2 --sha b9cfbb6d8ca1eb034e826fd358194e899a1daf28 +$ pypi-attestations verify pypi + --repository https://github.com/py-pdf/fpdf2 https://files.pythonhosted.org/packages/eb/46/7aae9cb2584dcac217e662ab6d4670ef4e447b73d624b6210f7155322411/fpdf2-2.8.2-py2.py3-none-any.whl +OK: fpdf2-2.8.2-py2.py3-none-any.whl ``` +The file URL can be retrieved from the [pypi.org/simple/fpdf2 page](https://pypi.org/simple/fpdf2/). + ### Displaying deprecation warnings `DeprecationWarning`s are not displayed by Python by default.
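Review bot: in the `### Verifying provenance` hunk of PATCH 1/2, the snippet downloads only `fpdf2-2.8.2.tar.gz`, but `sigstore verify github` also needs the Sigstore bundle (signature plus certificate) for that file, which by default it expects as a `.sigstore.json` file next to the input; as written the command will fail unless that bundle is already beside the tarball, so add the bundle download step or say where the bundle is obtained. The subject line also announces "introducing guarddog in CI" while the diffstat shows only `docs/index.md` changed (`1 file changed, 13 insertions(+)`), so either trim the subject or include the CI change in this commit. Minor: `Pypi` should be spelled `PyPI`.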
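Review bot: in the PATCH 2/2 hunk, the `pypi-attestations verify pypi` command is broken across two lines with no trailing `\`, so a reader copying the block runs `pypi-attestations verify pypi` on its own and then `--repository ...` as a second, bogus command; either join it on one line or end the first line with `\`. Since the block now mixes `$`-prefixed commands with the expected `OK: fpdf2-2.8.2-py2.py3-none-any.whl` output line, that convention is fine, but `Pypi` should read `PyPI` in the prose. The commit subject "Update" does not describe the change; something like "Doc: switch provenance check to pypi-attestations" would make the history useful.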