Skip to content

Add Sigstore workspace attestations#112

Open
jezdez wants to merge 10 commits into
mainfrom
fix/sigstore-workspace-attestations
Open

Add Sigstore workspace attestations#112
jezdez wants to merge 10 commits into
mainfrom
fix/sigstore-workspace-attestations

Conversation

@jezdez

@jezdez jezdez commented Jun 15, 2026

Copy link
Copy Markdown
Member

Summary

  • Add Sigstore DSSE/in-toto workspace attestations for manifest and conda.lock provenance.
  • Wire signing and verification into conda workspace lock, install, archive, and unarchive, including fail-closed CLI guardrails for verification/signing flags.
  • Document the attestation schema and verification contract, add the signing extra, and expand CLI/archive/attestation tests.

Fixes #62.

Validation

  • pixi run -e test pytest
  • pixi run ruff check
  • pixi run typecheck
  • pixi run format-check
  • pixi run -e docs docs

Notes

  • Raw full-tree pixi run ruff format --check still reports unrelated untracked demos/generate-voiceover.py; the project-scoped pixi run format-check passes.

@jezdez jezdez marked this pull request as ready for review June 16, 2026 09:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Sigstore solve attestations for lockfiles and archives

1 participant