-
We completed our initial "backfill" attestation round for
homebrew-core, meaning that all bottles served byhomebrew-corenow either have a direct build provenance from Homebrew's own CI or have a "backfill" attestation signed bytrailofbits/homebrew-brew-verifywith workflow identity.github/workflows/backfill_signatures.yml@refs/heads/main.The full set of backfilled attestations can be viewed here: https://github.com/trailofbits/homebrew-brew-verify/attestations.
-
We completed an initial round of verification API refactoring in
sigstore-python, in preparation for DSSE signature verification support: sigstore/sigstore-python#904, sigstore/sigstore-python#930, sigstore/sigstore-python#935, sigstore/sigstore-python#945. -
We performed a 2.1.3 release of
sigstore-python, including a fix for thesigstore-protobuf-specssubdependency: https://pypi.org/project/sigstore/2.1.3/.
-
We are continuing our work on a
brew verifysubcommand for provenance verification, including a fallback for "backfilled" attestations. -
We are continuing our refactoring and development work on
sigstore-python's verification APIs, in preparation for DSSE signature verification support: sigstore/sigstore-python#937. -
We are preparing a SOSS Community Day NA presentation on the overall status of the work.