{"id":23883,"library":"in-toto-attestation","title":"in-toto-attestation","description":"Python bindings for the in-toto Attestation Framework. This library provides models and serialization for creating, verifying, and bundling software attestations according to the in-toto specification (v1.0+). Current version is 0.9.3 on PyPI, but the library is under active development with GitHub releases up to v1.2.0. The PyPI package lags behind the specification releases; users should prefer the latest GitHub release for up-to-date functionality.","status":"active","version":"0.9.3","language":"python","source_language":"en","source_url":"https://github.com/in-toto/attestation","tags":["in-toto","attestation","supply-chain","security","provenance","slsa"],"install":[{"cmd":"pip install in-toto-attestation","lang":"bash","label":"pip install"},{"cmd":"pip install git+https://github.com/in-toto/attestation.git@v1.2.0","lang":"bash","label":"install from GitHub"}],"dependencies":[],"imports":[{"note":"v0.9.3 only exports v1 submodule; top-level import does not exist.","wrong":"from in_toto_attestation import Statement","symbol":"Statement","correct":"from in_toto_attestation.v1 import Statement"},{"note":"","wrong":null,"symbol":"ResourceDescriptor","correct":"from in_toto_attestation.v1.resource_descriptor import ResourceDescriptor"},{"note":"Attestation class is inside v1 module.","wrong":"from in_toto_attestation import Attestation","symbol":"Attestation","correct":"from in_toto_attestation.v1.attestation import Attestation"},{"note":"","wrong":null,"symbol":"Bundle","correct":"from in_toto_attestation.v1.bundle import Bundle"}],"quickstart":{"code":"from in_toto_attestation.v1 import Statement\nfrom in_toto_attestation.v1.attestation import Attestation\nfrom in_toto_attestation.v1.resource_descriptor import ResourceDescriptor\nimport json\n\nsub = ResourceDescriptor(name='example', digest={'sha256': 'abc123'})\nstmt = Statement(subject=[sub], 
predicate_type='https://example.com/predicate/v1')\nprint(json.dumps(stmt.to_dict(), indent=2))","lang":"python","description":"Create a simple in-toto Statement and serialize it to JSON."},"warnings":[{"fix":"Install from GitHub: pip install git+https://github.com/in-toto/attestation.git@v1.2.0","message":"PyPI package (0.9.3) is outdated and does not include v1.1+ features like the Bundle type or newer predicate types. Always check whether the GitHub release is newer and install from source if needed. A Git tag can be re-pointed after publication, so pin to a reviewed commit hash where reproducible installs matter.","severity":"gotcha","affected_versions":"<=0.9.3"},{"fix":"Use from in_toto_attestation.v1 import Statement (and other classes).","message":"In v1.0.0, the API changed significantly from older 0.x versions. The whole module structure moved under in_toto_attestation.v1. Old imports from in_toto_attestation directly will break.","severity":"breaking","affected_versions":">=1.0.0"},{"fix":"Update DigestSet usage to accept non-cryptographic digests if needed.","message":"The 'DigestSet' field type is now generalized to support any immutable identifier (not just cryptographic digests). Existing code that uses DigestSet with only cryptographic digests remains compatible but may need to update its validation logic. A non-cryptographic identifier does not provide the integrity guarantee of a cryptographic hash, so verifiers that rely on digest matching should keep requiring a cryptographic algorithm.","severity":"deprecated","affected_versions":"<1.1.0"},{"fix":"Use stmt.to_dict() then json.dumps(...).","message":"Serialization to JSON uses the to_dict() method, not .json() or .serialize(). 
Always call to_dict() before json.dumps().","severity":"gotcha","affected_versions":">=0.9.3"}],"env_vars":null,"last_verified":"2026-05-01T00:00:00.000Z","next_check":"2026-07-30T00:00:00.000Z","problems":[{"fix":"pip install in-toto-attestation","cause":"Library not installed or installed but not in current Python path.","error":"ModuleNotFoundError: No module named 'in_toto_attestation'"},{"fix":"Use: from in_toto_attestation.v1 import Statement","cause":"Trying to import Statement from top-level module instead of v1 submodule.","error":"AttributeError: module 'in_toto_attestation' has no attribute 'Statement'"},{"fix":"Use json.dumps(stmt.to_dict())","cause":"Trying to json.dumps() the object directly without converting to dict.","error":"TypeError: Object of type Statement is not JSON serializable"},{"fix":"Use stmt.to_dict() and then json.dumps(...).","cause":"Old code expecting a to_json method that does not exist in current version.","error":"AttributeError: 'Statement' object has no attribute 'to_json'"}],"ecosystem":"pypi","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}