requirements: bring in attestation deps

Signed-off-by: William Woodruff <william@trailofbits.com>
pypa · May 8, 2024 · 7c68271 · 7c68271
1 parent 94a70fb
commit 7c68271
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 5 deletions.
diff --git a/requirements/runtime.in b/requirements/runtime.in
@@ -3,10 +3,15 @@
 # See: https://github.com/pypa/twine/issues/1094
 twine @ git+https://github.com/pypa/twine@5d17a43dec622d6f4fc490937baad3db4b9a8e29
 
-# NOTE: Used to detect an ambient OIDC credential for OIDC publishing.
+# NOTE: Used to detect an ambient OIDC credential for OIDC publishing,
+# as well as PEP 740 attestations.
 id ~= 1.0
 
 # NOTE: This is pulled in transitively through `twine`, but we also declare
 # NOTE: it explicitly here because `oidc-exchange.py` uses it.
 # Ref: https://github.com/di/id
 requests
+
+# NOTE: Used to generate attestations.
+pypi-attestation-models == 0.0.1rc1
+sigstore ~= 3.0.0rc1
diff --git a/requirements/runtime.txt b/requirements/runtime.txt
@@ -6,16 +6,41 @@
 #
 annotated-types==0.6.0
     # via pydantic
+betterproto==2.0.0b6
+    # via sigstore-protobuf-specs
 certifi==2024.2.2
     # via requests
+cffi==1.16.0
+    # via cryptography
 charset-normalizer==3.3.2
     # via requests
+cryptography==42.0.7
+    # via
+    #   pyopenssl
+    #   pypi-attestation-models
+    #   sigstore
+dnspython==2.6.1
+    # via email-validator
 docutils==0.20.1
     # via readme-renderer
+email-validator==2.1.1
+    # via pydantic
+grpclib==0.4.7
+    # via betterproto
+h2==4.1.0
+    # via grpclib
+hpack==4.0.0
+    # via h2
+hyperframe==6.0.1
+    # via h2
 id==1.3.0
-    # via -r runtime.in
+    # via
+    #   -r runtime.in
+    #   sigstore
 idna==3.7
-    # via requests
+    # via
+    #   email-validator
+    #   requests
 importlib-metadata==7.0.2
     # via twine
 jaraco-classes==3.3.1
@@ -28,32 +53,70 @@ mdurl==0.1.2
     # via markdown-it-py
 more-itertools==10.2.0
     # via jaraco-classes
+multidict==6.0.5
+    # via grpclib
 nh3==0.2.15
     # via readme-renderer
 pkginfo==1.10.0
     # via twine
+platformdirs==4.2.1
+    # via sigstore
+pycparser==2.22
+    # via cffi
 pydantic==2.6.3
-    # via id
+    # via
+    #   id
+    #   pypi-attestation-models
+    #   sigstore
+    #   sigstore-rekor-types
 pydantic-core==2.16.3
     # via pydantic
 pygments==2.17.2
     # via
     #   readme-renderer
     #   rich
+pyjwt==2.8.0
+    # via sigstore
+pyopenssl==24.1.0
+    # via sigstore
+pypi-attestation-models==0.0.1rc1
+    # via -r runtime.in
+python-dateutil==2.9.0.post0
+    # via betterproto
 readme-renderer==43.0
     # via twine
 requests==2.31.0
     # via
     #   -r runtime.in
     #   id
     #   requests-toolbelt
+    #   sigstore
+    #   tuf
     #   twine
 requests-toolbelt==1.0.0
     # via twine
 rfc3986==2.0.0
     # via twine
+rfc8785==0.1.2
+    # via sigstore
 rich==13.7.1
-    # via twine
+    # via
+    #   sigstore
+    #   twine
+securesystemslib==0.31.0
+    # via tuf
+sigstore==3.0.0rc1
+    # via
+    #   -r runtime.in
+    #   pypi-attestation-models
+sigstore-protobuf-specs==0.3.1
+    # via sigstore
+sigstore-rekor-types==0.0.13
+    # via sigstore
+six==1.16.0
+    # via python-dateutil
+tuf==4.0.0
+    # via sigstore
 twine @ git+https://github.com/pypa/twine@5d17a43dec622d6f4fc490937baad3db4b9a8e29
     # via -r runtime.in
 typing-extensions==4.10.0