This commit was created on GitHub.com and signed with GitHub’s verified signature.
Changed
The inspect subcommand now ignores inputs that don't match *.attestation, rather than failing on them (#93).
Added
The CLI subcommand verify attestation now supports .slsa.attestation
files. When verifying an artifact, both .publish.attestation and .slsa.attestation files are used (if present).
The CLI subcommand verify pypi now supports a friendlier syntax to specify the artifact to verify. The artifact can now be specified with a pypi: prefix followed by the filename, e.g. pypi:sampleproject-1.0.0.tar.gz. The old way (passing the direct URL) is still supported.
The CLI subcommand verify pypi now supports passing the local paths
to the artifact and its provenance file, allowing the user to verify
files already downloaded from PyPI. The artifact path is passed as
usual, whereas the provenance file path is passed using the --provenance-file option.