Are we PEP 740 yet? 🔏

What is PEP 740?

PEP 740 is a Python standard for defining cryptographically verifiable attestations hosted by indices like PyPI.

What are attestations?

Attestations are digitally signed, publicly verifiable statements about Python packages, including their provenance (e.g., the exact source repository that produced them).

Attestations are built on top of Sigstore and use short-lived signing keys bound to trusted identities (like Trusted Publishers), making them misuse-resistant and less susceptible to key loss and theft.
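As an added illustration (not code from this site or from PyPI), the sketch below checks that a PEP 740 provenance object is consistent with a downloaded file: the in-toto statement must name the file and its SHA-256 digest, and the publisher must be the expected source repository. The publisher `repository` field, the `make_sample` helper and all sample values are assumptions constructed for the example. Verifying the Sigstore signature itself is out of scope here and is still required before trusting any of these fields.

```python
import base64
import hashlib
import json


def check_provenance(provenance, filename, data, expected_repo):
    """Return a list of problems; an empty list means the metadata is consistent."""
    problems = []
    digest = hashlib.sha256(data).hexdigest()
    bundles = provenance.get("attestation_bundles", [])
    if not bundles:
        problems.append("no attestation bundles")
    for bundle in bundles:
        # Assumption: the publisher object exposes the source repository as "repository".
        repo = bundle.get("publisher", {}).get("repository")
        if repo != expected_repo:
            problems.append(f"unexpected publisher repository: {repo!r}")
        if not bundle.get("attestations"):
            problems.append("bundle has no attestations")
        for att in bundle.get("attestations", []):
            # The envelope statement is a base64-encoded in-toto statement.
            stmt = json.loads(base64.b64decode(att["envelope"]["statement"]))
            subjects = stmt.get("subject", [])
            if len(subjects) != 1:
                problems.append("statement must have exactly one subject")
                continue
            # Simplification: exact match, no filename normalization.
            if subjects[0].get("name") != filename:
                problems.append("subject name does not match the file")
            if subjects[0].get("digest", {}).get("sha256") != digest:
                problems.append("subject digest does not match the file")
    return problems


def make_sample(filename, data, repo):
    """Build a constructed provenance object (placeholder signature material)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": filename,
                     "digest": {"sha256": hashlib.sha256(data).hexdigest()}}],
        "predicateType": "https://docs.pypi.org/attestations/publish/v1",
        "predicate": None,
    }
    encoded = base64.b64encode(json.dumps(statement).encode()).decode()
    attestation = {
        "version": 1,
        "verification_material": {"certificate": "<constructed>", "transparency_entries": []},
        "envelope": {"statement": encoded, "signature": "<constructed>"},
    }
    publisher = {"kind": "GitHub", "repository": repo, "workflow": "release.yml"}
    return {"version": 1,
            "attestation_bundles": [{"publisher": publisher, "attestations": [attestation]}]}
```
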

What is this list?

This site lists the 360 most-downloaded packages on PyPI and shows which of them have been uploaded with attestations.

  • Green packages with a 🔏 offer attestations for their latest release
  • Uncolored packages with a ⏰ were last uploaded before attestations were available
  • Yellow packages come from supported hosts, but have no attestations uploaded (yet!)
  • Magenta packages come from source hosts that can't generate PEP 740 attestations (yet!)

Packages that are known to be deprecated are not included (for example, distribute). If your package is incorrectly listed, please create a ticket.

My package is uncolored. What can I do?

Using a Trusted Publisher is the easiest way to enable attestations, since they come baked in! See the PyPI user docs and official PyPA publishing action to get started.

For projects already using the official PyPA publishing action, you can upgrade to v1.11.0 or later to automatically enable attestations for the next release of the project. We recommend upgrading to the latest version of the action to receive any bug fixes.

Something's wrong with this page!

Fantastic, a problem found is a problem fixed. Please create a ticket!

You can also submit a pull request.

Note: Requests for behavioural changes in the packaging tools themselves should be directed to discuss.python.org and the Python Packaging Authority.

Thanks

This is a derivative work of Free-Threaded Wheels, which is itself a derivative of Python Wheels, a site that tracks which Python distributions ship the wheel distribution. The top 360 list comes from Top PyPI Packages.

Thanks also to the many contributors.
