# What is PEP 740?
[PEP 740: Index support for digital attestations](https://peps.python.org/pep-0740/) defines how a package index such as [PyPI](https://pydevtools.com/handbook/explanation/what-is-pypi.md) accepts, stores, and serves cryptographically signed attestations for uploaded distributions. Accepted and marked Final in 2024, it standardizes the answer to a question installers could not previously ask: who actually published this file?

## What an Attestation Proves

A digital attestation is a signed statement bound to a specific distribution file (a wheel or sdist). It records the identity that produced the file and the artifact's hash, signed so that anyone can verify the binding without trusting the index to be honest.

The signature covers *who published the file*, not *what the file contains*. A reader can already inspect a wheel's contents; what they cannot otherwise confirm is whether the upload came from the project's real release pipeline or from an attacker who stole a token. An attestation closes that gap.

## Why the Index Needs a Standard

Sigstore and in-toto existed before PEP 740. What was missing was an agreement on how an index ingests these attestations and hands them back. PEP 740 specifies that contract:

- An **upload API** that accepts attestation objects alongside each distribution
- **Retrieval** of those attestations through PyPI's HTML and JSON indexes, so installers can fetch them at resolve time
- A fixed **attestation object format** every index and client can parse

Without that shared format, each tool would invent its own way to attach and read provenance, and an installer would have no guarantee that an attestation was present or parseable.

## The Attestation Format

PEP 740 attestations are [in-toto](https://in-toto.io/) v1 `Statement` objects signed through [Sigstore](https://www.sigstore.dev/). The signature uses ECDSA over the NIST P-256 curve with SHA-256 digests. A statement binds a subject (the distribution and its hash) to a predicate (the provenance claim):

```json
{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    { "name": "example-1.0-py3-none-any.whl",
      "digest": { "sha256": "..." } }
  ],
  "predicateType": "https://slsa.dev/provenance/v1",
  "predicate": { "buildDefinition": "...", "runDetails": "..." }
}
```

Sigstore's keyless signing removes the key-management burden for open source. Instead of maintaining a long-lived private key, a publisher signs with a short-lived certificate tied to an OpenID Connect (OIDC) identity, the same identity that [trusted publishing](https://pydevtools.com/handbook/explanation/why-use-trusted-publishing-for-pypi.md) already uses. For a package built in GitHub Actions, that identity is the workflow itself.

## How Publishing and Verification Work

On the publishing side, the [PyPA publish action](https://github.com/pypa/gh-action-pypi-publish) generates and uploads attestations by default when a release runs through trusted publishing. The [`pypi-attestations`](https://github.com/pypi/pypi-attestations) CLI does the same for other workflows, including [uv](https://pydevtools.com/handbook/reference/uv.md) publishes.

On the reading side, every release file on pypi.org shows a Provenance badge linking back to the workflow that produced it. For programmatic checks, the PyPI Integrity API exposes the signing identity and source workflow for each artifact. [pip](https://pydevtools.com/handbook/reference/pip.md) and uv do not yet reject unsigned packages by default; attestations today are evidence a consumer can record and audit rather than an install-time gate.
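The subject binding from the format section and the consumer-side check described above, as an added Python example that is not code from PEP 740, PyPI or `pypi-attestations`. The wheel bytes and attestation object are constructed stand-ins, the certificate and signature fields are placeholders, and the Sigstore certificate and ECDSA signature verification that `pypi-attestations` performs is not reproduced; the block shows the in-toto Statement, the DSSE PAE bytes the signature covers, and the filename/sha256 check a consumer runs before relying on a predicate.

```python
import base64
import hashlib
import json

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"  # in-toto payload type used for the envelope
# Constructed sample inputs: a stand-in "wheel" and its filename (not a real package).
WHEEL_NAME = "example-1.0-py3-none-any.whl"
WHEEL_BYTES = b"PK\x03\x04 constructed stand-in for wheel contents"

def build_statement(filename: str, artifact: bytes, predicate_type: str, predicate) -> dict:
    """in-toto v1 Statement binding one distribution file (name + sha256) to a predicate."""
    return {
        "_type": IN_TOTO_STATEMENT_V1,
        "subject": [{"name": filename, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }

def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the exact bytes the ECDSA P-256/SHA-256 signature covers."""
    return b"DSSEv1 %d %s %d " % (len(payload_type), payload_type.encode(), len(payload)) + payload

def attestation_object(statement: dict) -> dict:
    """PEP 740 attestation object wrapping the statement; certificate and signature are placeholders."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {
        "version": 1,
        "verification_material": {"certificate": "<placeholder>", "transparency_entries": []},
        "envelope": {"statement": base64.b64encode(payload).decode(), "signature": "<placeholder>"},
    }

def subject_problems(attestation: dict, filename: str, artifact: bytes) -> list:
    """Ways the attested subject fails to match the local file (empty = bound); Sigstore checks are separate."""
    problems = []
    if attestation.get("version") != 1:
        problems.append("unsupported attestation version")
    stmt = json.loads(base64.b64decode(attestation["envelope"]["statement"]))
    if stmt.get("_type") != IN_TOTO_STATEMENT_V1:
        problems.append("not an in-toto v1 Statement")
    subjects = stmt.get("subject", [])
    if len(subjects) != 1:
        problems.append("expected exactly one subject (one distribution file)")
    subj = subjects[0] if subjects else {}
    if subj.get("name") != filename:
        problems.append(f"subject names {subj.get('name')!r}, expected {filename!r}")
    if subj.get("digest", {}).get("sha256") != hashlib.sha256(artifact).hexdigest():
        problems.append("sha256 in attestation does not match the local file")
    return problems

SAMPLE_ATTESTATION = attestation_object(build_statement(WHEEL_NAME, WHEEL_BYTES, "https://slsa.dev/provenance/v1", {}))
```

A real verifier would first check the Sigstore certificate and the signature over `dsse_pae(DSSE_PAYLOAD_TYPE, statement_bytes)`, then run the subject check before trusting the predicate.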

## Why a Leaked Token No Longer Hides an Attack

Before PEP 740, a leaked upload token let an attacker publish a malicious release that looked identical to a legitimate one. With attestations recorded, that release carries a different publisher identity, and a consumer who pins identities (for example, by writing them into a [pylock.toml](https://pydevtools.com/handbook/explanation/what-is-pep-751.md) lockfile) sees the change as a reviewable diff. The attack no longer happens silently.

## Learn More

- [PEP 740: Index support for digital attestations](https://peps.python.org/pep-0740/)
- [How to publish Python packages with digital attestations](https://pydevtools.com/handbook/how-to/how-to-publish-python-packages-with-digital-attestations.md) walks through the GitHub Actions setup
- [Why use trusted publishing for PyPI](https://pydevtools.com/handbook/explanation/why-use-trusted-publishing-for-pypi.md) explains the OIDC identity attestations rely on
- [Sigstore](https://www.sigstore.dev/) provides the keyless signing infrastructure
- [PyPI attestation documentation](https://docs.pypi.org/attestations/)
