PEP 740 is a Python standard for defining cryptographically verifiable attestations hosted by indices like PyPI.
Attestations are digitally signed, publicly verifiable statements about Python packages, including their provenance (e.g., the exact source repository that produced them).
Attestations are built on top of Sigstore and use short-lived signing keys bound to trusted identities (like Trusted Publishers), making them misuse-resistant and less susceptible to key loss and theft.
This site lists the 360 most-downloaded packages on PyPI and shows which of them have been uploaded with attestations.
Packages that are known to be deprecated are not included (for example, distribute). If your package is incorrectly listed, please create a ticket.
Using a Trusted Publisher is the easiest way to enable attestations, since they come baked in! See the PyPI user docs and official PyPA publishing action to get started.
For projects already using the official PyPA publishing action, you can upgrade to v1.11.0 or later to automatically enable attestations for the next release of the project. We recommend upgrading to the latest version of the action to receive any bug fixes.
Fantastic, a problem found is a problem fixed. Please create a ticket!
You can also submit a pull-request.
Note: Requests for behavioural changes in the packaging tools themselves should be directed to discuss.python.org and the Python Packaging Authority.
This is a derivative work of Free-Threaded Wheels, which is itself a derivative of Python Wheels, a site that tracks which Python distributions ship in the wheel format. The top 360 list comes from Top PyPI Packages.
Thanks also to the many contributors.