PyPI package maintainers can now publish signed digital attestations to increase trust in their projects' supply-chain security. Over 20,000 attestations have already been published, marking PyPI's support for PEP 740. Rather than using PGP signatures, attestations are signed by an identity, which links each uploaded file to its upstream source repository and lets PyPI verify the attestation at upload time. PyPI offers an Integrity API and a web UI through which consumers can retrieve attestations. Attestation generation is automatic by default for some projects, and manual generation is also an option. Funding and support for PEP 740 were provided by various organizations and individuals.
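As an added example (not code from the PyPI post or from PyPI's own tooling), the Python below shows what a consumer can do with a PEP 740 provenance object of the kind the Integrity API returns for a single distribution file: check that the publisher identity is the upstream repository the consumer expects, and that the attested subject is exactly the artifact that was downloaded (same filename, same SHA-256). The provenance object, artifact bytes, repository name and the certificate/signature placeholders are all constructed for the example; the field layout follows PEP 740 as I read it, and the Integrity API path in the comment is from PyPI's documentation as I recall it. The code checks claims only and deliberately stops short of cryptographic verification, which is the job of Sigstore-based tooling such as the pypi-attestations library.

```python
"""Policy checks on a PEP 740 provenance object (added example, constructed data)."""
import base64
import hashlib
import json

# Predicate type PEP 740 defines for PyPI publish attestations.
PYPI_PUBLISH_PREDICATE = "https://docs.pypi.org/attestations/publish/v1"
# Publisher kinds I know PEP 740 provenance to carry (Trusted Publishers).
KNOWN_PUBLISHER_KINDS = {"GitHub", "GitLab"}

# Constructed artifact: stands in for the wheel a consumer just downloaded.
ARTIFACT_NAME = "example_pkg-1.2.3-py3-none-any.whl"
ARTIFACT_BYTES = b"constructed wheel contents, not a real wheel"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT_BYTES).hexdigest()


def _b64_json(obj: dict) -> str:
    """Base64-encode a JSON document the way the attestation envelope carries it."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Constructed in-toto Statement naming the artifact as its single subject.
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": ARTIFACT_NAME, "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": PYPI_PUBLISH_PREDICATE,
    "predicate": None,
}

# Constructed provenance object, shaped like the Integrity API response for
# (assumed path) https://pypi.org/integrity/<project>/<version>/<filename>/provenance
# Certificate, signature and transparency entries are placeholders, not real material.
PROVENANCE = {
    "version": 1,
    "attestation_bundles": [
        {
            "publisher": {
                "kind": "GitHub",
                "repository": "example-org/example-pkg",  # constructed
                "workflow": "release.yml",
                "environment": "pypi",
            },
            "attestations": [
                {
                    "version": 1,
                    "verification_material": {
                        "certificate": "PLACEHOLDER-CERT",
                        "transparency_entries": [],
                    },
                    "envelope": {
                        "statement": _b64_json(STATEMENT),
                        "signature": "PLACEHOLDER-SIG",
                    },
                }
            ],
        }
    ],
}


def decode_statement(attestation: dict) -> dict:
    """Decode the base64-encoded in-toto Statement from an attestation envelope."""
    return json.loads(base64.b64decode(attestation["envelope"]["statement"]))


def check_provenance(provenance: dict, expected_repo: str,
                     filename: str, file_bytes: bytes) -> list[str]:
    """Return policy findings; an empty list means every claim matched.

    Only the claims are checked: publisher identity against the expected
    repository, and each attestation's subject against the downloaded file.
    Signature and transparency-log verification are NOT performed here.
    """
    findings: list[str] = []
    if provenance.get("version") != 1:
        findings.append(f"unsupported provenance version {provenance.get('version')!r}")
    bundles = provenance.get("attestation_bundles", [])
    if not bundles:
        findings.append("no attestation bundles present")
    actual_digest = hashlib.sha256(file_bytes).hexdigest()

    for i, bundle in enumerate(bundles):
        pub = bundle.get("publisher", {})
        if pub.get("kind") not in KNOWN_PUBLISHER_KINDS:
            findings.append(f"bundle {i}: unknown publisher kind {pub.get('kind')!r}")
        # Repository slugs are compared case-insensitively, as hosting platforms treat them.
        if pub.get("repository", "").lower() != expected_repo.lower():
            findings.append(f"bundle {i}: publisher repository {pub.get('repository')!r} "
                            f"is not the expected {expected_repo!r}")
        for j, att in enumerate(bundle.get("attestations", [])):
            try:
                stmt = decode_statement(att)
            except (KeyError, ValueError) as exc:
                findings.append(f"bundle {i} attestation {j}: undecodable statement ({exc})")
                continue
            if stmt.get("predicateType") != PYPI_PUBLISH_PREDICATE:
                findings.append(f"bundle {i} attestation {j}: unexpected predicateType "
                                f"{stmt.get('predicateType')!r}")
            subjects = stmt.get("subject", [])
            if len(subjects) != 1:
                findings.append(f"bundle {i} attestation {j}: expected one subject, got {len(subjects)}")
                continue
            subj = subjects[0]
            if subj.get("name") != filename:
                findings.append(f"bundle {i} attestation {j}: subject name {subj.get('name')!r} "
                                f"does not match {filename!r}")
            if subj.get("digest", {}).get("sha256") != actual_digest:
                findings.append(f"bundle {i} attestation {j}: subject sha256 digest does not "
                                f"match the downloaded file")
    return findings


if __name__ == "__main__":
    for label, repo, data in [
        ("expected publisher, intact file", "example-org/example-pkg", ARTIFACT_BYTES),
        ("wrong publisher", "someone-else/example-pkg", ARTIFACT_BYTES),
        ("tampered file", "example-org/example-pkg", b"tampered bytes"),
    ]:
        result = check_provenance(PROVENANCE, repo, ARTIFACT_NAME, data)
        print(f"{label}: {'OK' if not result else result}")
```

The findings list is deliberately cumulative rather than fail-fast so that an operator sees every mismatch at once; in a real pipeline these checks would run after the Sigstore signature over the envelope has been verified, since an unverified statement can claim anything.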
https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/