in-toto-attestation
0.9.3 verified Fri May 01 auth: no python
Python bindings for the in-toto Attestation Framework. This library provides models and serialization for creating, verifying, and bundling software attestations according to the in-toto specification (v1.0+). Current version is 0.9.3 on PyPI, but the library is under active development with GitHub releases up to v1.2.0. The PyPI package lags behind the specification releases; users should prefer the latest GitHub release for up-to-date functionality.
pip install in-toto-attestation
Common errors
error ModuleNotFoundError: No module named 'in_toto_attestation'
cause Library not installed or installed but not in current Python path.
fix
pip install in-toto-attestation
error AttributeError: module 'in_toto_attestation' has no attribute 'Statement'
cause Trying to import Statement from top-level module instead of v1 submodule.
fix
Use: from in_toto_attestation.v1 import Statement
error TypeError: Object of type Statement is not JSON serializable
cause Trying to json.dumps() the object directly without converting to dict.
fix
Use json.dumps(stmt.to_dict())
error AttributeError: 'Statement' object has no attribute 'to_json'
cause Old code expecting a to_json method that does not exist in current version.
fix
Use stmt.to_dict() and then json.dumps(...).
Warnings
gotcha PyPI package (0.9.3) is outdated and does not include v1.1+ features like the Bundle type or newer predicate types. Always check if the GitHub release is newer and install from source if needed.
fix Install from GitHub: pip install git+https://github.com/in-toto/attestation.git@v1.2.0
breaking In v1.0.0, the API changed significantly from older 0.x versions. The whole module structure moved under in_toto_attestation.v1. Old imports from in_toto_attestation directly will break.
fix Use from in_toto_attestation.v1 import Statement (and other classes).
deprecated The 'DigestSet' field type is now generalized to support any immutable identifier (not just cryptographic digests). Existing code that uses DigestSet with only cryptographic digests remains compatible, but its validation logic may need updating.
fix Update DigestSet usage to accept non-cryptographic digests if needed.
gotcha Serialization to JSON uses the to_dict() method, not .json() or .serialize(). Always call to_dict() before json.dumps().
fix Use stmt.to_dict() then json.dumps(...).
Install
pip install git+https://github.com/in-toto/attestation.git@v1.2.0
Imports
- Statement
wrong: from in_toto_attestation import Statement
correct: from in_toto_attestation.v1 import Statement
- ResourceDescriptor
from in_toto_attestation.v1.resource_descriptor import ResourceDescriptor
- Attestation
wrong: from in_toto_attestation import Attestation
correct: from in_toto_attestation.v1.attestation import Attestation
- Bundle
from in_toto_attestation.v1.bundle import Bundle
Quickstart
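from in_toto_attestation.v1 import Statement
from in_toto_attestation.v1.attestation import Attestation
from in_toto_attestation.v1.resource_descriptor import ResourceDescriptor
import json
# Subject: the artifact the statement is about. 'abc123' is a placeholder;
# a real sha256 digest is 64 hex characters computed over the artifact bytes.
sub = ResourceDescriptor(name='example', digest={'sha256': 'abc123'})
# The predicate type URI tells a verifier how to interpret the predicate.
stmt = Statement(subject=[sub], predicate_type='https://example.com/predicate/v1')
# Convert to a dict first; the Statement object itself is not JSON serializable.
print(json.dumps(stmt.to_dict(), indent=2))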
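A check a consumer can run on a serialized statement before trusting it, added here as an example (not code from the in-toto-attestation project). It works on the JSON form with the standard library only and assumes the in-toto Statement v1 field names (_type, subject, predicateType); check_subject, make_statement and the sample data are hypothetical and constructed for illustration.

```python
import hashlib
import json

# Statement v1 type URI and field names follow the in-toto Statement v1 layout.
STATEMENT_V1_TYPE = "https://in-toto.io/Statement/v1"

def check_subject(statement_json: str, artifact: bytes) -> tuple[bool, str]:
    """Return (ok, detail): ok is True only when the statement is well formed
    and one subject's sha256 digest equals the digest of `artifact`."""
    try:
        stmt = json.loads(statement_json)
    except json.JSONDecodeError as exc:
        return False, f"not JSON: {exc.msg}"
    if not isinstance(stmt, dict) or stmt.get("_type") != STATEMENT_V1_TYPE:
        return False, "unexpected _type"
    if not isinstance(stmt.get("predicateType"), str) or not stmt["predicateType"]:
        return False, "missing predicateType"
    subjects = stmt.get("subject")
    if not isinstance(subjects, list) or not subjects:
        return False, "no subject"
    actual = hashlib.sha256(artifact).hexdigest()
    for sub in subjects:
        digest = sub.get("digest") if isinstance(sub, dict) else None
        declared = digest.get("sha256") if isinstance(digest, dict) else None
        # Exact string comparison against the locally computed hex digest.
        if isinstance(declared, str) and declared == actual:
            return True, sub.get("name", "")
    return False, "no subject digest matches the artifact"

def make_statement(name: str, sha256_hex: str) -> str:
    """Build a constructed sample statement in its JSON form."""
    return json.dumps({
        "_type": STATEMENT_V1_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex}}],
        "predicateType": "https://example.com/predicate/v1",
        "predicate": {},
    })

# Constructed sample data, not taken from a real build.
ARTIFACT = b"constructed sample artifact\n"
GOOD = make_statement("example", hashlib.sha256(ARTIFACT).hexdigest())
PLACEHOLDER = make_statement("example", "abc123")  # the Quickstart's digest value

if __name__ == "__main__":
    print(check_subject(GOOD, ARTIFACT))         # matching subject
    print(check_subject(GOOD, b"tampered"))      # digest mismatch
    print(check_subject(PLACEHOLDER, ARTIFACT))  # placeholder digest never matches
```

This only binds a statement to an artifact; it does not verify who signed the statement, which is the job of the envelope around it.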