feat(python): add GitHub provenance verification for prebuilt binaries#8820
Merged
feat(python): add GitHub provenance verification for prebuilt binaries#8820
Conversation
Add a per-language override for the global github_attestations setting, allowing users to control GitHub Artifact Attestations verification specifically for precompiled Python binaries from astral-sh/python-build-standalone. Assisted-By: claude-opus-4.6 via OpenCode
Add detect_precompiled_provenance() that checks the python.github_attestations setting (falling back to the global github_attestations setting) and returns GithubAttestations provenance type when enabled. Wire this into resolve_lock_info so that `mise lock` records provenance metadata for precompiled Python binaries. Assisted-By: claude-opus-4.6 via OpenCode
…stall time Add verify_github_artifact_attestations() that checks precompiled Python binaries against GitHub Artifact Attestations using the sigstore verification crate, with owner/repo hardcoded to astral-sh/python-build-standalone. In install_precompiled, add the full provenance lifecycle between download and extraction: take the lockfile provenance expectation, verify attestations, record the result, and enforce that the lockfile expectation is met (detecting provenance downgrade attacks). Also adds verify_checksum call and URL recording in lock_platforms for checksum verification support (same pattern as PR 1, duplicated here since this branch is based off main). Assisted-By: claude-opus-4.6 via OpenCode
… protection Add tests that verify: - Provenance is recorded in lockfile when github_attestations is enabled - Provenance is NOT recorded when github_attestations is disabled - Downgrade attack is detected when lockfile has provenance but verification is disabled at install time Assisted-By: claude-opus-4.6 via OpenCode
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request implements GitHub artifact attestation verification for precompiled Python binaries. Key changes include adding a github_attestations setting to the Python tool configuration, updating the Python plugin to perform verification during installation, and recording provenance in the lockfile to prevent downgrade attacks. Comprehensive E2E tests were also added to verify these behaviors. Feedback suggests refactoring the logic for checking if attestations are enabled into a helper function to eliminate code duplication between the detection and verification methods.
Contributor
Greptile SummaryThis PR adds GitHub Artifact Attestations support for precompiled Python binaries from Key changes:
Minor gaps: downgrade protection is not enforced when Confidence Score: 4/5Safe to merge with minor open questions around the compile=true bypass and security_info accuracy All findings are P2 edge-case concerns. The core verification flow, lockfile recording, and downgrade protection for the primary use case are correct. Prior P1 concern about missing security_info was already fixed. src/plugins/core/python.rs — install_version_ branching and detect_precompiled_provenance logic Important Files Changed
Sequence DiagramsequenceDiagram
participant User
participant mise as mise install
participant Lock as Lockfile
participant PBS as python-build-standalone
participant Sigstore
User->>mise: mise install python@3.13.5
mise->>Lock: read lock_platforms[platform].provenance
Note over mise,Lock: locked_provenance = Some("github-attestations") or None
mise->>PBS: download tarball
PBS-->>mise: cpython-3.13.5-*.tar.gz
mise->>mise: verify_checksum (SHA256SUMS)
alt github_attestations enabled
mise->>Sigstore: verify_github_attestation(tarball, "astral-sh", "python-build-standalone")
Sigstore-->>mise: Ok(true)
mise->>Lock: set pi.provenance = GithubAttestations
else attestations disabled
mise->>mise: verified = false
end
alt locked_provenance is Some AND verified == false
mise-->>User: Error: downgrade attack detected
else provenance matches or no provenance in lockfile
mise->>mise: untar + sysconfig patch
mise-->>User: python@3.13.5 installed
end
Reviews (4): Last reviewed commit: "fix(python): guard detect_precompiled_pr..." | Re-trigger Greptile |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
…e duplication The logic to check whether GitHub attestations are enabled was duplicated in detect_precompiled_provenance() and verify_github_artifact_attestations(). Extract it into a static helper method for reuse. Assisted-By: claude-opus-4.6 via OpenCode
…rting PythonPlugin was missing a security_info() override, so `mise tool python` would not report GitHub Attestations as a security feature even when enabled. Add the override, mirroring the existing RubyPlugin implementation. Assisted-By: claude-opus-4.6 via OpenCode
Assisted-By: claude-opus-4.6 via OpenCode
…Python versions Older Python versions in astral-sh/python-build-standalone (e.g., 3.12.3, 3.12.0, 3.11.3) do not have GitHub artifact attestations. Since github_attestations defaults to true, all e2e tests installing these versions fail with "No GitHub artifact attestations found". Add MISE_PYTHON_GITHUB_ATTESTATIONS=0 to 14 e2e tests across Linux (bash) and Windows (PowerShell Pester) that install older precompiled Python versions not covered by attestations. Assisted-By: claude-opus-4.6 via opencode
Add a dedicated e2e test that validates Python precompiled binary attestation verification works end-to-end, analogous to the existing test_aqua_github_attestations test. Uses Python 3.13.5 which has known-good attestations in python-build-standalone. Assisted-By: claude-opus-4.6 via opencode
When python.compile=true, detect_precompiled_provenance() was still returning GithubAttestations provenance, causing mise lock to record provenance metadata that would never be verified at install time (since the compiled path skips attestation verification entirely). Add the same cfg!(windows) || compile != Some(true) guard used by install_version_ and security_info. Also simplify security_info to delegate to detect_precompiled_provenance instead of duplicating the precompiled + attestations-enabled logic. Assisted-By: claude-opus-4.6 via opencode
mise-en-dev
added a commit
that referenced
this pull request
Mar 31, 2026
### 🚀 Features - **(python)** add GitHub provenance verification for prebuilt binaries by @malept in [#8820](#8820) ### 🐛 Bug Fixes - **(ci)** use rustls-native-roots for Windows CI build by @jdx in [#8822](#8822) - **(go)** improve version fetching logic to support deeply nested sub-modules by @roele in [#8823](#8823) - **(shim)** prevent infinite recursion when system shims dir is on PATH by @andrewthauer in [#8816](#8816) - go backend missing supports_lockfile_url() override by @palootcenas-outreach in [#8790](#8790) - strip shims from PATH in credential and template subprocesses by @antonioacg in [#8802](#8802) ### 📚 Documentation - fix typo in shims documentation for fish by @roele in [#8798](#8798) ### 📦️ Dependency Updates - update ghcr.io/jdx/mise:alpine docker digest to 3e6d001 by @renovate[bot] in [#8794](#8794) - pin dependencies by @renovate[bot] in [#8793](#8793) ### 📦 Registry - fix flutter version sorting by @roele in [#8818](#8818) - add svgo (npm:svgo) by @3w36zj6 in [#8817](#8817) ### New Contributors - @antonioacg made their first contribution in [#8802](#8802) - @palootcenas-outreach made their first contribution in [#8790](#8790) ## 📦 Aqua Registry Updates #### New Packages (3) - [`RasKrebs/sonar`](https://github.com/RasKrebs/sonar) - [`emacs-eask/cli`](https://github.com/emacs-eask/cli) - [`superradcompany/microsandbox`](https://github.com/superradcompany/microsandbox) #### Updated Packages (4) - [`dimo414/bkt`](https://github.com/dimo414/bkt) - [`lxc/incus`](https://github.com/lxc/incus) - [`shinagawa-web/gomarklint`](https://github.com/shinagawa-web/gomarklint) - [`updatecli/updatecli`](https://github.com/updatecli/updatecli)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Precompiled Python binaries from
astral-sh/python-build-standalonelack provenance verification. Unlike Ruby (which already supports GitHub Artifact Attestations), Python installs have no mechanism to verify that downloaded binaries were actually produced by the expected CI workflow in the expected repository.Additionally, there is no downgrade protection: if a lockfile records that provenance was previously verified, nothing prevents an attacker from stripping that metadata and serving unverified binaries.
Solution
Add GitHub Artifact Attestations support for precompiled Python binaries, following the same pattern already established for Ruby:
New setting:
python.github_attestations(env:MISE_PYTHON_GITHUB_ATTESTATIONS) overrides the globalgithub_attestationssetting specifically for Python. Defaults to the global value (which istrue).Lockfile provenance recording:
mise locknow recordsprovenance = "github-attestations"in Python platform entries when the setting is enabled.Install-time verification:
mise installverifies downloaded tarballs against GitHub Artifact Attestations using the sigstore verification crate, with owner/repo hardcoded toastral-sh/python-build-standalone.Downgrade protection: If the lockfile records provenance but verification is disabled at install time, the install fails with a "downgrade attack" error, preventing provenance stripping attacks.
Test plan
mise run test:e2e test_lockfile_python— all tests passmise run buildandmise run lintpass🤖 Generated with the assistance of OpenCode (claude-opus-4.6).