{
  "id": 6045,
  "library": "pyattest",
  "title": "Pyattest",
  "description": "Pyattest is a Python library that provides a common interface for verifying mobile app attestations from both Google (including the Play Integrity API) and Apple (App Attest). It works standalone; for full Django integration, including key generation and storage, the companion `django-dreiattest` package is recommended. The library is currently at version 1.0.4 and has an infrequent release cadence, with updates typically limited to security fixes and dependency updates.",
  "status": "active",
  "version": "1.0.4",
  "language": "en",
  "source_language": "en",
  "source_url": "https://github.com/dreipol/pyattest",
  "tags": ["attestation", "security", "google", "apple", "mobile", "verification", "jwt", "integrity"],
  "install": [
    {"cmd": "pip install pyattest", "lang": "bash", "label": "Install latest version"}
  ],
  "dependencies": [
    {
      "reason": "Provides full Django integration, including key generation and storage, for applications using Django. Pyattest itself works standalone.",
      "package": "django-dreiattest",
      "optional": true
    }
  ],
  "imports": [
    {"symbol": "GoogleConfig", "correct": "from pyattest.configs.google import GoogleConfig"},
    {"symbol": "GooglePlayIntegrityApiConfig", "correct": "from pyattest.configs.google_play_integrity_api import GooglePlayIntegrityApiConfig"},
    {"symbol": "AppleConfig", "correct": "from pyattest.configs.apple import AppleConfig"},
    {"symbol": "Attestation", "correct": "from pyattest.attestation import Attestation"},
    {"symbol": "Assertion", "correct": "from pyattest.assertion import Assertion"}
  ],
  "quickstart": {
    "code": "import os\n\nfrom pyattest.attestation import Attestation\nfrom pyattest.configs.google_play_integrity_api import GooglePlayIntegrityApiConfig\n\n# Base64-encoded response-encryption keys from the Play Console for this app.\n# Load them from the environment or a key management system, never from source.\ndecryption_key = os.environ['PYATTEST_DECRYPTION_KEY']\nverification_key = os.environ['PYATTEST_VERIFICATION_KEY']\n\nconfig = GooglePlayIntegrityApiConfig(\n    decryption_key=decryption_key,\n    verification_key=verification_key,\n    apk_package_name='ch.dreipol.demo',\n    production=True,\n    # Keep this False for release builds so only Play-distributed installs pass.\n    # If it must be True, also pass verify_code_signature_hex (the SHA-256 hex\n    # digest of the app's signing identity). For development builds, set\n    # production=False instead of allowing non-Play distribution.\n    allow_non_play_distribution=False,\n    # Optionally demand a stronger device verdict:\n    # required_device_verdict='MEETS_STRONG_INTEGRITY',\n)\n\n\ndef verify_integrity_token(token: str, nonce: str) -> bool:\n    \"\"\"Verify a Play Integrity token that the app sent to this backend.\n\n    token: the encrypted token the app obtained from the Play Integrity API.\n    nonce: the value this server issued for the request and stored server-side.\n    pyattest checks that the token is bound to exactly this nonce, which is what\n    stops an old token from being replayed. Consume the stored nonce once,\n    whether or not verification succeeds.\n    \"\"\"\n    attestation = Attestation(token, nonce, config)\n    try:\n        # Decrypts the token and checks its signature, the nonce, the package\n        # name and the integrity verdicts; any failed check raises.\n        attestation.verify()\n    except Exception as exc:\n        # An exception means the attestation is not trustworthy: log and reject.\n        print(f'Attestation rejected: {exc}')\n        return False\n    # Only after verify() has returned cleanly is it safe to read the decoded\n    # verdict (device integrity, app integrity, account details) from the\n    # attestation object and act on it.\n    print('Attestation successfully verified.')\n    return True\n\n\nif __name__ == '__main__':\n    # In a real service both values arrive with the client request; they are\n    # read from the environment here so the script can be tried stand-alone.\n    verify_integrity_token(os.environ['PLAY_INTEGRITY_TOKEN'], os.environ['PLAY_INTEGRITY_NONCE'])",
    "lang": "python",
    "description": "This quickstart verifies a Google Play Integrity API token with `pyattest`. It builds a `GooglePlayIntegrityApiConfig` from the response-encryption keys and the app's package name, wraps the token and the server-issued nonce in an `Attestation`, and calls `verify()`, which raises on any failed check. The token and nonce must be the real values from your app and from your own server (the nonce is what binds the token to one request and prevents replay), and the keys must come from a secure source such as environment variables or a key management system."
  },
  "warnings": [
    {
      "fix": "If you use Django, install `django-dreiattest` in addition to `pyattest` and follow its documentation for the Django-specific setup: `pip install django-dreiattest`.",
      "message": "`pyattest` provides the core attestation verification logic only. It does not handle Django-specific features such as database models, key storage or admin integration; for those, install and configure the separate `django-dreiattest` library.",
      "severity": "gotcha",
      "affected_versions": "All versions"
    },
    {
      "fix": "Review your `GooglePlayIntegrityApiConfig` settings. For release builds use `production=True` and `allow_non_play_distribution=False`. If `allow_non_play_distribution=True` is genuinely required, always provide `verify_code_signature_hex`. For development builds, set `production=False`.",
      "message": "`allow_non_play_distribution` should be `False` for production builds so that only installs distributed through Google Play pass verification. If it is set to `True`, `verify_code_signature_hex` becomes mandatory and must be the SHA-256 hash (hex digest) of your app's signing identity. Do not use `allow_non_play_distribution=True` as a workaround for development builds; set `production=False` instead.",
      "severity": "gotcha",
      "affected_versions": "All versions"
    },
    {
      "fix": "Wrap `attestation.verify()` in `try`/`except`, reject the request on any exception, and read verdicts or assertion details from the `Attestation` object only in the success path.",
      "message": "Call `attestation.verify()` before reading any parsed data or assertion details from the `Attestation` object. `verify()` reports a failed check by raising an exception rather than by returning a flag, so treat any exception as a failed attestation and act on the attestation's contents only after the call has returned cleanly. Data read from an unverified token can have come from any client and must not be trusted.",
      "severity": "gotcha",
      "affected_versions": "All versions"
    }
  ],
  "env_vars": null,
  "last_verified": "2026-04-14T00:00:00.000Z",
  "next_check": "2026-07-13T00:00:00.000Z"
}