https://www.bestpractices.dev: Silver Badge

[andife]

Hello,

I want to work towards the Silver Badge with the project github.com/onnx/onnx.
https://www.bestpractices.dev/en/projects/3313/silver#security

I am currently working on the following point.:
https://www.bestpractices.dev/en/projects/3313/silver#security

Secure release
"The project MUST cryptographically sign releases of the project results intended for widespread use, and there MUST be a documented process explaining to users how they can obtain the public signing keys and verify the signature(s). The private key for these signature(s) MUST NOT be on site(s) used to directly distribute the software to the public. If releases are not intended for widespread use, select "not applicable" (N/A). [signed_releases]
The project results include both source code and any generated deliverables where applicable (e.g., executables, packages, and containers). Generated deliverables MAY be signed separately from source code. These MAY be implemented as signed git tags (using cryptographic digital signatures). Projects MAY provide generated results separately from tools like git, but in those cases, the separate results MUST be separately signed."

Could I achieve that with "gh-action-pypi-publish"? How Could I verify the signatures in that case? Or am I overlooking something? And do I need a separate step with sigstore after all?

Thank you

[facutuesca]

The project results include both source code and any generated deliverables where applicable (e.g., executables, packages, and containers)

Hi @andife ! This action will sign over the artifacts it uploads to PyPI. If these artifacts (source distributions and wheels) are all the "generated derivables" of the project, then that should cover it.

How Could I verify the signatures in that case?

You can use pypy-attestations

[andife]

Thank you