How should I include SLSA provenance?

[jmgate]

Howdy folks 👋. I'm trying to add the SLSA provenance generator reusable workflow to my release workflow, but I'm not sure how the multiple.intoto.jsonl file should be included in the release when publishing to PyPI. I tried downloading the build artifacts into dist, and then downloading the JSONL file there as well, but then this action complains

Checking dist/multiple.intoto.jsonl: ERROR    InvalidDistribution: Unknown distribution format:                      
         'multiple.intoto.jsonl'

Question: What's the right way to include this attestation in what gets uploaded to PyPI? Any advice is greatly appreciated. Many thanks 🙂.

Full workflow file, for reference…

name: Semantic Release
on:
  push:
    branches:
      - master
permissions:
  contents: read
concurrency:
  group: release
jobs:
  release:
    runs-on: ubuntu-latest
    environment: release
    permissions:
      id-token: write
    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
      with:
        egress-policy: audit
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        fetch-depth: 0
        token: ${{ secrets.GH_TOKEN }}
    - name: Python Semantic Release
      id: release
      uses: python-semantic-release/python-semantic-release@2896129e02bb7809d2cf0c1b8e9e795ee27acbcf # v10.2.0
      with:
        git_committer_email: "[email protected]"
        git_committer_name: "semantic-release"
        github_token: ${{ secrets.GH_TOKEN }}
        ssh_private_signing_key: ${{ secrets.SEMANTIC_RELEASE_PRIVATE_KEY }}
        ssh_public_signing_key: ${{ secrets.SEMANTIC_RELEASE_PUBLIC_KEY }}
    - name: Hash Build Artifacts
      if: steps.release.outputs.released == 'true'
      id: hash
      run: |
        cd dist
        echo "hashes=$(find . -type f -exec sha256sum {} + | sort | base64 | tr -d '\n')" >> "$GITHUB_OUTPUT"
    - name: Upload Build Artifacts
      if: steps.release.outputs.released == 'true'
      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
      with:
        name: dist
        path: dist/
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
      released: ${{ steps.release.outputs.released }}
  provenance:
    needs: release
    if: ${{ needs.release.outputs.released == 'true' }}
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      base64-subjects: "${{ needs.release.outputs.hashes }}"
  publish:
    runs-on: ubuntu-latest
    needs: [release, provenance]
    if: ${{ needs.release.outputs.released == 'true' && needs.provenance.outputs.outcome == 'success' }}
    environment: release
    permissions:
      id-token: write
    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
      with:
        egress-policy: audit
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        fetch-depth: 0
        token: ${{ secrets.GH_TOKEN }}
    - name: Download Build Artifacts
      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
      with:
        name: dist
        path: dist
    - name: Download Provenance
      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
      with:
        name: ${{ needs.provenance.outputs.provenance-name }}
        path: dist
    - name: Publish to GitHub Releases
      uses: python-semantic-release/publish-action@b717f67f7e7e9f709357bce5a542846503ce46ec # v10.2.0
      with:
        github_token: ${{ secrets.GH_TOKEN }}
    - name: Publish to PyPI
      uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # release/v1

[webknjaz]

You can't, it's not something PyPI would accept. Keep it separate. You can put it into a GitHub Release instead.

[jmgate]

If that's the solution, that's fine, but the PyPI docs state that SLSA provenance is an allowed attestation predicate:

[webknjaz]

Yes, as a format, I suppose. But when not made with the correct identity, it will be rejected. Also, I don't know if twine supports uploading those, that's what outputs that error. Anyway, this action was never designed to upload arbitrarily created signatures it didn't produce.

@woodruffw might be able to shed some light..

[woodruffw]

Hey @jmgate, you're seeing that because PyPI expects an attestation object, not a Sigstore bundle (or a JSONL).

So, there are a few moving pieces here:

• Does your multiple.into.jsonl contain multiple Sigstore bundles? If so, they'll need to each be broken out and turned into a separate attestation object for twine and other tools to upload them correctly.
• Are your attestations using the SLSA predicate type? Warehouse (PyPI) strictly enforces SLSA v1 here, via this constant.
• Once you've confirmed those, you can massage a Sigstore bundle into the attestation object format by using pypi-attestation's API or CLI. Specifically, you'll probably need Attestation.from_bundle.

TL;DR: You're seeing that because (unfortunately, IMO) all of these components speak different "envelope" formats, even though they're all using the same stuff under the hood (Sigstore, in-toto, SLSA, etc.). You'll need to get things into a Sigstore bundle-ish shape for the Python tooling to take over from there 🙂