feat(python): add GitHub provenance verification for prebuilt binaries (#8820)

malept · web-flow · commit bdd9eb661859 · 2026-03-30T10:26:15.000-05:00
## Problem

Precompiled Python binaries from `astral-sh/python-build-standalone`
lack provenance verification. Unlike Ruby (which already supports GitHub
Artifact Attestations), Python installs have no mechanism to verify that
downloaded binaries were actually produced by the expected CI workflow
in the expected repository.

Additionally, there is no downgrade protection: if a lockfile records
that provenance was previously verified, nothing prevents an attacker
from stripping that metadata and serving unverified binaries.

## Solution

Add GitHub Artifact Attestations support for precompiled Python
binaries, following the same pattern already established for Ruby:

1. **New setting**: `python.github_attestations` (env:
`MISE_PYTHON_GITHUB_ATTESTATIONS`) overrides the global
`github_attestations` setting specifically for Python. Defaults to the
global value (which is `true`).

2. **Lockfile provenance recording**: `mise lock` now records
`provenance = "github-attestations"` in Python platform entries when the
setting is enabled.

3. **Install-time verification**: `mise install` verifies downloaded
tarballs against GitHub Artifact Attestations using the sigstore
verification crate, with owner/repo hardcoded to
`astral-sh/python-build-standalone`.

4. **Downgrade protection**: If the lockfile records provenance but
verification is disabled at install time, the install fails with a
"downgrade attack" error, preventing provenance stripping attacks.

## Test plan

- [x] `mise run test:e2e test_lockfile_python` — all tests pass
- [x] Tests verify: provenance recorded when enabled, not recorded when
disabled, downgrade attack detected when lockfile has provenance but
verification is off
- [x] `mise run build` and `mise run lint` pass

🤖 Generated with the assistance of OpenCode (claude-opus-4.6).
diff --git a/docs/dev-tools/mise-lock.md b/docs/dev-tools/mise-lock.md
@@ -194,7 +194,7 @@ mise use node@24
 Backend support for lockfile features varies:
 
 - ✅ **Full support** (version + checksum + size + URL): `aqua`, `http`, `github`, `gitlab`
-  - _Provenance support_: `aqua`, `github`, `core:ruby` (precompiled binaries), `core:zig` (install-time)
+  - _Provenance support_: `aqua`, `github`, `core:python` (precompiled binaries), `core:ruby` (precompiled binaries), `core:zig` (install-time)
 - ⚠️ **Partial support** (version + URL + provenance): `vfox` (tool plugins only)
 - ⚠️ **Partial support** (version + checksum + size): `ubi`
 - 📝 **Basic support** (version + checksum): `core` (some tools)
diff --git a/e2e-win/python.Tests.ps1 b/e2e-win/python.Tests.ps1
@@ -1,5 +1,9 @@
 
 Describe 'python' {
+    BeforeAll {
+        $env:MISE_PYTHON_GITHUB_ATTESTATIONS = "0"
+    }
+
     It 'executes python 3.12.0' {
         mise x python@3.12.0 -- where python
         mise x python@3.12.0 -- python --version | Should -Be "Python 3.12.0"
diff --git a/e2e-win/uv.Tests.ps1 b/e2e-win/uv.Tests.ps1
@@ -1,5 +1,9 @@
 
 Describe 'uv' {
+  BeforeAll {
+    $env:MISE_PYTHON_GITHUB_ATTESTATIONS = "0"
+  }
+
   BeforeEach {
     $originalPath = Get-Location
     Set-Location TestDrive:
diff --git a/e2e/backend/test_pipx_deep_dependencies_slow b/e2e/backend/test_pipx_deep_dependencies_slow
@@ -21,6 +21,7 @@ assert_fail "pipx"
 
 # Use only precompiled python
 export MISE_PYTHON_COMPILE=0
+export MISE_PYTHON_GITHUB_ATTESTATIONS=0
 
 # Set up a 3-step installation: python@3.12.3 > pipx@1.5.0 > pipx:mkdocs@1.6.0
 cat >.mise.toml <<EOF
diff --git a/e2e/backend/test_pipx_postinstall_hook b/e2e/backend/test_pipx_postinstall_hook
@@ -20,6 +20,7 @@ assert_fail "pipx"
 
 # Use precompiled python and uvx (the default)
 export MISE_PYTHON_COMPILE=0
+export MISE_PYTHON_GITHUB_ATTESTATIONS=0
 export MISE_PIPX_UVX=1
 
 # Set up mise-managed Python with a pipx package that has a postinstall hook
diff --git a/e2e/backend/test_pipx_uvx b/e2e/backend/test_pipx_uvx
@@ -15,6 +15,7 @@ assert_fail "pipx"
 
 # Use precompiled python
 export MISE_PYTHON_COMPILE=0
+export MISE_PYTHON_GITHUB_ATTESTATIONS=0
 export MISE_PIPX_UVX=1
 
 # Set up a 2-step installation: pipx@1.5.0 > pipx:mkdocs@1.6.0
diff --git a/e2e/backend/test_pipx_venv_symlink b/e2e/backend/test_pipx_venv_symlink
@@ -15,6 +15,7 @@ assert_fail "pipx"
 
 # Use precompiled python and disable uvx to use pipx (which uses mise's Python)
 export MISE_PYTHON_COMPILE=0
+export MISE_PYTHON_GITHUB_ATTESTATIONS=0
 export MISE_PIPX_UVX=0
 
 # Set up mise-managed Python and pipx
diff --git a/e2e/core/test_python_github_attestations b/e2e/core/test_python_github_attestations
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+# Test GitHub artifact attestations verification for Python precompiled binaries
+# Depends on GitHub Releases and Attestations APIs; may fail due to rate limits or outages.
+
+export MISE_PYTHON_COMPILE=0
+export MISE_PYTHON_GITHUB_ATTESTATIONS=1
+
+# Use a recent Python version that has attestations in python-build-standalone.
+# Older releases (e.g. 3.12.3) predate GitHub attestation support and will fail.
+output=$(mise install python@3.13.5 2>&1) || true
+echo "$output"
+
+# Verify attestation verification was attempted and succeeded
+assert_contains "echo \"$output\"" "verify GitHub artifact attestations"
+assert_contains "echo \"$output\"" "✓ GitHub artifact attestations verified"
+
+# Verify the installed Python works
+assert "mise x python@3.13.5 -- python --version" "Python 3.13.5"
diff --git a/e2e/core/test_python_precompiled b/e2e/core/test_python_precompiled
@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 
 export MISE_PYTHON_COMPILE=0
+export MISE_PYTHON_GITHUB_ATTESTATIONS=0
 assert_contains "mise use python@3.12.3 2>&1" "cpython-"
 assert_contains "mise x -- python --version" "Python 3.12.3"
 
diff --git a/e2e/core/test_python_uv_venv b/e2e/core/test_python_uv_venv
@@ -3,6 +3,7 @@
 set -euo pipefail
 
 export MISE_EXPERIMENTAL=1
+export MISE_PYTHON_GITHUB_ATTESTATIONS=0
 
 # Test uv is used for manually defined venv
 cat >mise.toml <<EOF
diff --git a/e2e/core/test_python_uv_venv_x_tiny b/e2e/core/test_python_uv_venv_x_tiny
@@ -4,6 +4,7 @@
 set -euo pipefail
 
 export MISE_EXPERIMENTAL=1
+export MISE_PYTHON_GITHUB_ATTESTATIONS=0
 
 cat >.mise.toml <<EOF
 [tools]
diff --git a/e2e/core/test_python_venv b/e2e/core/test_python_venv
@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 
 export MISE_PYTHON_DEFAULT_PACKAGES_FILE="$HOME/.default-python-packages"
+export MISE_PYTHON_GITHUB_ATTESTATIONS=0
 
 cat >.mise.toml <<EOF
 [env._.python]
diff --git a/e2e/core/test_python_venv_with_go_backend_deadlock_slow b/e2e/core/test_python_venv_with_go_backend_deadlock_slow
@@ -4,6 +4,7 @@
 # a circular dependency during environment resolution while creating Python venv.
 # fixes https://github.com/jdx/mise/discussions/7059
 set -euo pipefail
+export MISE_PYTHON_GITHUB_ATTESTATIONS=0
 
 cat >.mise.toml <<EOF
 [tools]
diff --git a/e2e/core/test_python_version_comments b/e2e/core/test_python_version_comments
@@ -2,6 +2,7 @@
 
 # Test that .python-version files with comments are parsed correctly
 export MISE_PYTHON_COMPILE=0
+export MISE_PYTHON_GITHUB_ATTESTATIONS=0
 
 # Enable idiomatic version files for python
 mise settings set idiomatic_version_file_enable_tools python
diff --git a/e2e/lockfile/test_lockfile_python b/e2e/lockfile/test_lockfile_python
@@ -2,6 +2,7 @@
 
 # Test that core:python generates lockfile URLs from python-build-standalone
 export MISE_LOCKFILE=1
+export MISE_PYTHON_GITHUB_ATTESTATIONS=0
 
 detect_platform
 
@@ -49,3 +50,77 @@ assert_fail "mise install python -f" "Checksum mismatch"
 rm -f mise.lock mise.toml
 
 echo "Python lockfile URL test passed!"
+
+echo "=== Testing provenance recorded in lockfile when enabled ==="
+export MISE_PYTHON_GITHUB_ATTESTATIONS=1
+
+cat <<EOF >mise.toml
+[tools]
+python = "3.13.5"
+EOF
+
+mise lock --platform "$MISE_PLATFORM"
+assert "test -f mise.lock"
+assert_contains "cat mise.lock" 'provenance = "github-attestations"'
+
+echo "Lockfile with provenance:"
+cat mise.lock
+
+rm -f mise.lock mise.toml
+unset MISE_PYTHON_GITHUB_ATTESTATIONS
+
+echo "Python provenance lockfile test passed!"
+
+echo "=== Testing provenance NOT recorded when disabled ==="
+export MISE_PYTHON_GITHUB_ATTESTATIONS=0
+export MISE_GITHUB_ATTESTATIONS=0
+
+cat <<EOF >mise.toml
+[tools]
+python = "3.13.5"
+EOF
+
+mise lock --platform "$MISE_PLATFORM"
+assert "test -f mise.lock"
+# provenance should not appear in lockfile when disabled
+assert_fail "grep -q 'provenance' mise.lock"
+
+rm -f mise.lock mise.toml
+unset MISE_PYTHON_GITHUB_ATTESTATIONS
+unset MISE_GITHUB_ATTESTATIONS
+
+echo "Python provenance disabled test passed!"
+
+echo "=== Testing provenance downgrade attack detection ==="
+cat <<EOF >mise.toml
+[tools]
+python = "3.13.5"
+EOF
+
+# Generate lockfile with all platforms (so the current platform is included)
+mise lock
+assert "test -f mise.lock"
+
+# Inject provenance into ALL platform sections (simulating a previously-verified install)
+awk '
+    /^provenance/ && in_section { next }
+    { print }
+    /^\[tools\.python\."platforms\./ { in_section=1; print "provenance = \"github-attestations\"" }
+    /^\[/ && !/^\[tools\.python\."platforms\./ { in_section=0 }
+' mise.lock >mise.lock.tmp && mv mise.lock.tmp mise.lock
+assert_contains "cat mise.lock" 'provenance = "github-attestations"'
+
+# Attempt install with provenance verification disabled.
+# The lockfile says provenance was verified, but settings are off,
+# so mise should refuse to install (downgrade/stripping attack).
+rm -rf "$MISE_DATA_DIR/installs/python"
+export MISE_PYTHON_GITHUB_ATTESTATIONS=0
+export MISE_GITHUB_ATTESTATIONS=0
+assert_fail_contains "mise install 2>&1" "downgrade attack"
+
+echo "=== Cleanup ==="
+unset MISE_PYTHON_GITHUB_ATTESTATIONS
+unset MISE_GITHUB_ATTESTATIONS
+rm -f mise.lock mise.toml
+
+echo "Python provenance downgrade attack test passed!"
diff --git a/e2e/sync/test_sync_python_uv b/e2e/sync/test_sync_python_uv
@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 
+export MISE_PYTHON_GITHUB_ATTESTATIONS=0
 assert "mise use -g uv python@3.11.3"
 assert "mise x -- uv python install 3.11.1"
 export UV_PYTHON_DOWNLOADS=never
diff --git a/schema/mise.json b/schema/mise.json
@@ -1121,6 +1121,10 @@
               "description": "Path to a file containing default python packages to install when installing a python version.",
               "type": "string"
             },
+            "github_attestations": {
+              "description": "Enable GitHub Artifact Attestations verification for precompiled Python binaries.",
+              "type": "boolean"
+            },
             "patch_url": {
               "description": "URL to fetch python patches from to pass to python-build.",
               "type": "string"
diff --git a/settings.toml b/settings.toml
@@ -1392,6 +1392,18 @@ env = "MISE_PYTHON_DEFAULT_PACKAGES_FILE"
 optional = true
 type = "Path"
 
+[python.github_attestations]
+description = "Enable GitHub Artifact Attestations verification for precompiled Python binaries."
+docs = """
+Override the global `github_attestations` setting for Python precompiled binaries.
+When enabled, mise will verify the authenticity of precompiled Python binaries from astral-sh/python-build-standalone.
+
+Defaults to the global `github_attestations` setting if not specified.
+"""
+env = "MISE_PYTHON_GITHUB_ATTESTATIONS"
+optional = true
+type = "Bool"
+
 [python.patch_url]
 description = "URL to fetch python patches from to pass to python-build."
 env = "MISE_PYTHON_PATCH_URL"
diff --git a/src/plugins/core/python.rs b/src/plugins/core/python.rs
