[Roadmap] Implement PEP 740

[PEP 740](https://peps.python.org/pep-0740/) is in a final but not yet approved state. This issue is intended to lay out the dependencies/subcomponents of its implementing, including things that can be done in a preliminary manner.

## Index side

- [x] Support the `attestations` form field in the current legacy upload endpoint
  - [x] https://github.com/pypi/warehouse/pull/15952
- [x] Parse each received attestation from `attestations` and verify each against the uploading trusted publisher; fail the file upload if any attestations are invalid
  * This should be done in as generic a manner as possible, to ensure that future extension to email and key identities is possible.
  - [x] https://github.com/pypi/warehouse/pull/15952
  - [x] https://github.com/pypi/warehouse/pull/16304
  - [x] https://github.com/pypi/warehouse/pull/16302
- [x] Persist verified attestations and expose them via the PEP 503 and Simple JSON API indices (via provenance objects, as specified in PEP 740)
  - [x] https://github.com/pypi/warehouse/issues/14799
  - [x] https://github.com/pypi/warehouse/issues/14727
  - [x] https://github.com/pypi/warehouse/pull/16546

## Uploader/publish side

- [x] Support attestation generation in `gh-action-pypi-publish`
  * Concretely, this means `gh-action-pypi-publish` should use `sigstore-python` to sign the attestation payload defined in PEP 740
  * The resulting bundle should be transformed into a PEP 740 attestation object
  - [x] https://github.com/pypa/gh-action-pypi-publish/pull/236
  - [x] https://github.com/pypa/gh-action-pypi-publish/pull/245
- [x] Support attestation uploading in `twine`: https://github.com/pypa/twine/issues/1094
  - [x] https://github.com/pypa/twine/pull/1095
  - [x] https://github.com/pypa/twine/pull/1098
  - [x] https://github.com/pypa/twine/pull/1099
  - [x] https://github.com/pypa/twine/pull/1101
  - [x] https://github.com/pypa/twine/pull/1107
- [x] Once `twine` supports uploading, `gh-action-pypi-publish` should use that support to actually upload the attestation objects it generates above

## Docs & UI
- [x] Update all relevant docs (PyPI's docs, PyPUG)
  - [x] ~~https://github.com/pypi/warehouse/pull/16063~~
  - [x] https://github.com/pypi/warehouse/pull/16398
- [x] https://github.com/pypi/warehouse/issues/16491
- [x] https://github.com/pypi/warehouse/pull/17070

CC @di @webknjaz @facutuesca for visibility

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Roadmap] Implement PEP 740 #15871

Index side

Uploader/publish side

Docs & UI

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

[Roadmap] Implement PEP 740 #15871

Description

Index side

Uploader/publish side

Docs & UI

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions