
I built a CLI to verify PyPI package attestations before installing packages
Python developers install packages from PyPI every day with pip. Most of the time we trust that the package we install is exactly what the maintainer intended to publish. But questions often come up: Who actually published this release? Does the package have verifiable provenance? Has the repository changed since the last version? Are there any known vulnerabilities?

To explore these questions, I built trustcheck.

What trustcheck does

trustcheck is a CLI tool that inspects trust signals for PyPI package releases. It helps answer questions about a package before you install it. The tool evaluates things like:

- PyPI release metadata
- package attestations
- repository association
- provenance signals
- vulnerability information

The goal is to make it easier to understand the trust posture of a Python package release.

Installation

pip install trustcheck

Example usage

Inspect a release:

trustcheck inspect sampleproject --version 4.0.0

Verify the expected repository:

trustcheck inspect samplepro
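To make the "repository association" and "vulnerability information" signals concrete, here is an added example of the kind of check such a tool performs; it is not trustcheck's own code. It works on a constructed document shaped like a PyPI JSON API release response (the info.project_urls, urls[].yanked and vulnerabilities fields), so it runs offline; the field names are an assumption about that API.

```python
"""Extract a few release trust signals from a PyPI-JSON-style document and
compare the declared repository with the one we expect (added example)."""
import json
from urllib.parse import urlparse

# Constructed sample, shaped like a /pypi/<name>/<version>/json response.
SAMPLE_RELEASE = json.dumps({
    "info": {
        "name": "sampleproject", "version": "4.0.0",
        "project_urls": {
            "Homepage": "https://github.com/pypa/sampleproject",
            "Source": "https://github.com/pypa/sampleproject/",
        },
    },
    "urls": [{"filename": "sampleproject-4.0.0-py3-none-any.whl", "yanked": False}],
    # Constructed placeholder advisory id, not a real GHSA identifier.
    "vulnerabilities": [
        {"id": "GHSA-xxxx-example", "fixed_in": ["4.0.1"], "withdrawn": None},
    ],
})

FORGES = {"github.com", "gitlab.com"}

def normalize_repo(url):
    """Reduce a repository URL to host/owner/repo so that scheme, case,
    trailing slashes and a .git suffix do not cause false mismatches."""
    parsed = urlparse(url.strip())
    path = parsed.path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    owner_repo = "/".join(path.split("/")[:2])
    return f"{parsed.netloc.lower()}/{owner_repo.lower()}"

def inspect_release(doc, expected_repo):
    """Return the repository match, yanked status and open advisories."""
    data = json.loads(doc)
    urls = data["info"].get("project_urls", {}).values()
    # Only forge URLs count as a repository association.
    declared = {normalize_repo(u) for u in urls
                if urlparse(u).netloc.lower() in FORGES}
    yanked = any(f.get("yanked") for f in data.get("urls", []))
    # Advisories reported for this version that were not withdrawn.
    open_vulns = [v["id"] for v in data.get("vulnerabilities", [])
                  if not v.get("withdrawn")]
    return {
        "repo_matches": normalize_repo(expected_repo) in declared,
        "declared_repos": sorted(declared),
        "yanked": yanked,
        "open_vulnerabilities": open_vulns,
    }
```

Note that project_urls is maintainer-supplied metadata, so a match here is a weaker signal than a verified attestation binding the release to its source repository.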
Continue reading on Dev.to
