pulp-python 3.21.0__tar.gz → 3.22.1__tar.gz

{pulp_python-3.21.0 → pulp_python-3.22.1}/CHANGES.md

@@ -8,6 +8,29 @@
 
 [//]: # (towncrier release notes start)
 
+## 3.22.1 (2025-12-10) {: #3.22.1 }
+
+#### Bugfixes {: #3.22.1-bugfix }
+
+- Fixed edge-case migration error in 0017_pythonpackagecontent_size.
+  [#1042](https://github.com/pulp/pulp_python/issues/1042)
+
+---
+
+## 3.22.0 (2025-12-09) {: #3.22.0 }
+
+#### Features {: #3.22.0-feature }
+
+- Added attestations field to package upload that will create a PEP 740 Provenance object for that content.
+  [#984](https://github.com/pulp/pulp_python/issues/984)
+- Added the ability to upload PEP 740 Provenance files to repositories.
+
+#### Bugfixes {: #3.22.0-bugfix }
+
+- Added some sanity validation checks to twine upload endpoint.
+
+---
+
 ## 3.21.0 (2025-11-18) {: #3.21.0 }
 
 #### Features {: #3.21.0-feature }
@@ -26,6 +49,15 @@
 
 ---
 
+## 3.20.1 (2025-11-18) {: #3.20.1 }
+
+#### Bugfixes {: #3.20.1-bugfix }
+
+- Fixed pull-through caching not checking the repository if package was not present on remote.
+  [#1004](https://github.com/pulp/pulp_python/issues/1004)
+
+---
+
 ## 3.20.0 (2025-11-07) {: #3.20.0 }
 
 #### Features {: #3.20.0-feature }
@@ -214,6 +246,12 @@ No significant changes.
 
 ---
 
+## 3.12.8 (2025-11-18) {: #3.12.8 }
+
+No significant changes.
+
+---
+
 ## 3.12.7 (2025-07-23) {: #3.12.7 }
 
 No significant changes.
@@ -300,6 +338,12 @@ No significant changes.
 
 ---
 
+## 3.11.7 (2025-11-18) {: #3.11.7 }
+
+No significant changes.
+
+---
+
 ## 3.11.6 (2025-07-23) {: #3.11.6 }
 
 No significant changes.
@@ -364,6 +408,12 @@ No significant changes.
 
 ---
 
+## 3.10.2 (2025-11-18) {: #3.10.2 }
+
+No significant changes
+
+---
+
 ## 3.10.1 (2025-07-23) {: #3.10.1 }
 
 ### Bugfixes

{pulp_python-3.21.0 → pulp_python-3.22.1}/MANIFEST.in

@@ -9,4 +9,5 @@ include functest_requirements.txt
 include test_requirements.txt
 include unittest_requirements.txt
 include pulp_python/app/webserver_snippets/*
+include pulp_python/tests/functional/assets/*
 exclude releasing.md

{pulp_python-3.21.0 → pulp_python-3.22.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pulp-python
-Version: 3.21.0
+Version: 3.22.1
 Summary: pulp-python plugin for the Pulp Project
 Author-email: Pulp Team <pulp-list@redhat.com>
 Project-URL: Homepage, https://pulpproject.org
@@ -23,7 +23,8 @@ License-File: LICENSE
 Requires-Dist: pulpcore<3.100,>=3.85.3
 Requires-Dist: pkginfo<1.13.0,>=1.12.0
 Requires-Dist: bandersnatch<6.7,>=6.6.0
-Requires-Dist: pypi-simple<2.0,>=1.5.0
+Requires-Dist: pypi-simple<2.0,>=1.8.0
+Requires-Dist: pypi-attestations==0.0.28
 Dynamic: license-file
 
 # pulp_python

{pulp_python-3.21.0 → pulp_python-3.22.1}/pulp_python/app/__init__.py

@@ -10,7 +10,7 @@ class PulpPythonPluginAppConfig(PulpPluginAppConfig):
 
     name = "pulp_python.app"
     label = "python"
-    version = "3.21.0"
+    version = "3.22.1"
     python_package_name = "pulp-python"
     domain_compatible = True
 

{pulp_python-3.21.0 → pulp_python-3.22.1}/pulp_python/app/migrations/0017_pythonpackagecontent_size.py

@@ -14,7 +14,7 @@ def add_size_to_current_models(apps, schema_editor):
             artifact = content_artifact.artifact
         else:
             artifact = RemoteArtifact.objects.filter(content_artifact=content_artifact).first()
-        python_package.size = artifact.size or 0
+        python_package.size = artifact and artifact.size or 0
         package_bulk.append(python_package)
         if len(package_bulk) == 100000:
             with transaction.atomic():

pulp_python-3.22.1/pulp_python/app/migrations/0018_packageprovenance.py

@@ -0,0 +1,59 @@
+# Generated by Django 4.2.26 on 2025-12-01 19:49
+
+from django.db import migrations, models
+import django.db.models.deletion
+import pulpcore.app.util
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("python", "0017_pythonpackagecontent_size"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="PackageProvenance",
+            fields=[
+                (
+                    "content_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="core.content",
+                    ),
+                ),
+                ("provenance", models.JSONField()),
+                ("sha256", models.CharField(max_length=64)),
+                (
+                    "_pulp_domain",
+                    models.ForeignKey(
+                        default=pulpcore.app.util.get_domain_pk,
+                        on_delete=django.db.models.deletion.PROTECT,
+                        to="core.domain",
+                    ),
+                ),
+                (
+                    "package",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="provenances",
+                        to="python.pythonpackagecontent",
+                    ),
+                ),
+            ],
+            options={
+                "default_related_name": "%(app_label)s_%(model_name)s",
+                "unique_together": {("sha256", "_pulp_domain")},
+            },
+            bases=("core.content",),
+        ),
+        migrations.AddField(
+            model_name="pythonremote",
+            name="provenance",
+            field=models.BooleanField(default=False),
+        ),
+    ]

{pulp_python-3.21.0 → pulp_python-3.22.1}/pulp_python/app/models.py

@@ -1,3 +1,5 @@
+import hashlib
+import json
 from logging import getLogger
 
 from aiohttp.web import json_response
@@ -5,6 +7,10 @@ from django.contrib.postgres.fields import ArrayField
 from django.core.exceptions import ObjectDoesNotExist
 from django.db import models
 from django.conf import settings
+from django_lifecycle import (
+    BEFORE_SAVE,
+    hook,
+)
 from pulpcore.plugin.models import (
     AutoAddObjPermsMixin,
     Content,
@@ -16,6 +22,7 @@ from pulpcore.plugin.models import (
 from pulpcore.plugin.responses import ArtifactResponse
 
 from pathlib import PurePath
+from .provenance import Provenance
 from .utils import (
     artifact_to_python_content_data,
     canonicalize_name,
@@ -235,6 +242,43 @@ class PythonPackageContent(Content):
         ]
 
 
+class PackageProvenance(Content):
+    """
+    PEP 740 provenance objects.
+    """
+
+    TYPE = "provenance"
+    repo_key_fields = ("package_id",)
+
+    package = models.ForeignKey(
+        PythonPackageContent, on_delete=models.CASCADE, related_name="provenances"
+    )
+    provenance = models.JSONField(null=False)
+    sha256 = models.CharField(max_length=64, null=False)
+
+    _pulp_domain = models.ForeignKey("core.Domain", default=get_domain_pk, on_delete=models.PROTECT)
+
+    @staticmethod
+    def calculate_sha256(provenance):
+        """Calculates the sha256 from the provenance."""
+        provenance_json = json.dumps(provenance, sort_keys=True).encode("utf-8")
+        hasher = hashlib.sha256(provenance_json)
+        return hasher.hexdigest()
+
+    @hook(BEFORE_SAVE)
+    def set_sha256_hook(self):
+        """Ensure that sha256 is set before saving."""
+        self.sha256 = self.calculate_sha256(self.provenance)
+
+    @property
+    def as_model(self):
+        return Provenance.model_validate(self.provenance)
+
+    class Meta:
+        default_related_name = "%(app_label)s_%(model_name)s"
+        unique_together = ("sha256", "_pulp_domain")
+
+
 class PythonPublication(Publication, AutoAddObjPermsMixin):
     """
     A Publication for PythonContent.
@@ -270,6 +314,7 @@ class PythonRemote(Remote, AutoAddObjPermsMixin):
     exclude_platforms = ArrayField(
         models.CharField(max_length=10, blank=True), choices=PLATFORMS, default=list
     )
+    provenance = models.BooleanField(default=False)
 
     def get_remote_artifact_url(self, relative_path=None, request=None):
         """Get url for remote_artifact"""
@@ -295,7 +340,7 @@ class PythonRepository(Repository, AutoAddObjPermsMixin):
     """
 
     TYPE = "python"
-    CONTENT_TYPES = [PythonPackageContent]
+    CONTENT_TYPES = [PythonPackageContent, PackageProvenance]
     REMOTE_TYPES = [PythonRemote]
     PULL_THROUGH_SUPPORTED = True
 

pulp_python-3.22.1/pulp_python/app/provenance.py

@@ -0,0 +1,71 @@
+from typing import Annotated, Literal, Union, get_args
+
+from pydantic import BaseModel, ConfigDict, Field
+from pydantic.alias_generators import to_snake
+from pypi_attestations import (
+    Attestation,
+    Distribution,
+    Publisher,
+)
+
+
+class _PermissivePolicy:
+    """A permissive verification policy that always succeeds."""
+
+    def verify(self, cert):
+        """Succeed regardless of the publisher's identity."""
+        pass
+
+
+class AnyPublisher(BaseModel):
+    """A fallback publisher for any kind not matching other publisher types."""
+
+    model_config = ConfigDict(alias_generator=to_snake, extra="allow")
+
+    kind: str
+
+    def _as_policy(self):
+        """Return a permissive policy that always succeed."""
+        return _PermissivePolicy()
+
+
+# Get the underlying Union type of the original Publisher
+# Publisher is Annotated[Union[...], Field(discriminator="kind")]
+_OriginalPublisherTypes = get_args(Publisher.__origin__)
+# Add AnyPublisher to the list of original publisher types
+_ExtendedPublisherTypes = (*_OriginalPublisherTypes, AnyPublisher)
+_ExtendedPublisherUnion = Union[_ExtendedPublisherTypes]
+# Create a new type that fallbacks to AnyPublisher
+ExtendedPublisher = Annotated[_ExtendedPublisherUnion, Field(union_mode="left_to_right")]
+
+
+class AttestationBundle(BaseModel):
+    """
+    AttestationBundle object as defined in PEP740.
+
+    PyPI only accepts attestations from TrustedPublishers (GitHub, GitLab, Google), but we will
+    accept from any user.
+    """
+
+    publisher: ExtendedPublisher
+    attestations: list[Attestation]
+
+
+class Provenance(BaseModel):
+    """Provenance object as defined in PEP740."""
+
+    version: Literal[1] = 1
+    attestation_bundles: list[AttestationBundle]
+
+
+def verify_provenance(filename, sha256, provenance, offline=False):
+    """Verify the provenance object is valid for the package."""
+    dist = Distribution(name=filename, digest=sha256)
+    for bundle in provenance.attestation_bundles:
+        publisher = bundle.publisher
+        policy = publisher._as_policy()
+        for attestation in bundle.attestations:
+            sig_bundle = attestation.to_bundle()
+            checkpoint = sig_bundle.log_entry._inner.inclusion_proof.checkpoint
+            staging = "sigstage.dev" in checkpoint.envelope
+            attestation.verify(policy, dist, staging=staging, offline=offline)

{pulp_python-3.21.0 → pulp_python-3.22.1}/pulp_python/app/pypi/serializers.py

@@ -2,7 +2,9 @@ import logging
 from gettext import gettext as _
 
 from rest_framework import serializers
-from pulp_python.app.utils import DIST_EXTENSIONS
+from pydantic import TypeAdapter, ValidationError
+from pulp_python.app.provenance import Attestation
+from pulp_python.app.utils import DIST_EXTENSIONS, SUPPORTED_METADATA_VERSIONS
 from pulpcore.plugin.models import Artifact
 from pulpcore.plugin.util import get_domain
 from django.db.utils import IntegrityError
@@ -54,6 +56,27 @@ class PackageUploadSerializer(serializers.Serializer):
         min_length=64,
         max_length=64,
     )
+    protocol_version = serializers.ChoiceField(
+        help_text=_("Protocol version to use for the upload. Only version 1 is supported."),
+        required=False,
+        choices=(1,),
+        default=1,
+    )
+    filetype = serializers.ChoiceField(
+        help_text=_("Type of artifact to upload."),
+        required=False,
+        choices=("bdist_wheel", "sdist"),
+    )
+    metadata_version = serializers.ChoiceField(
+        help_text=_("Metadata version of the uploaded package."),
+        required=False,
+        choices=SUPPORTED_METADATA_VERSIONS,
+    )
+    attestations = serializers.JSONField(
+        required=False,
+        help_text=_("A JSON list containing attestations for the package."),
+        write_only=True,
+    )
 
     def validate(self, data):
         """Validates the request."""
@@ -63,14 +86,33 @@ class PackageUploadSerializer(serializers.Serializer):
         file = data.get("content")
         for ext, packagetype in DIST_EXTENSIONS.items():
             if file.name.endswith(ext):
+                if (filetype := data.get("filetype")) and filetype != packagetype:
+                    raise serializers.ValidationError(
+                        {
+                            "filetype": _(
+                                "filetype {} does not match found filetype {} for file {}"
+                            ).format(filetype, packagetype, file.name)
+                        }
+                    )
                 break
         else:
             raise serializers.ValidationError(
-                _(
-                    "Extension on {} is not a valid python extension "
-                    "(.whl, .exe, .egg, .tar.gz, .tar.bz2, .zip)"
-                ).format(file.name)
+                {
+                    "content": _(
+                        "Extension on {} is not a valid python extension "
+                        "(.whl, .exe, .egg, .tar.gz, .tar.bz2, .zip)"
+                    ).format(file.name)
+                }
             )
+
+        if attestations := data.get("attestations"):
+            try:
+                attestations = TypeAdapter(list[Attestation]).validate_python(attestations)
+            except ValidationError as e:
+                raise serializers.ValidationError(
+                    {"attestations": _("The uploaded attestations are not valid: {}".format(e))}
+                )
+
         sha256 = data.get("sha256_digest")
         digests = {"sha256": sha256} if sha256 else None
         artifact = Artifact.init_and_validate(file, expected_digests=digests)

{pulp_python-3.21.0 → pulp_python-3.22.1}/pulp_python/app/pypi/views.py

@@ -1,7 +1,5 @@
-import json
 import logging
 
-from aiohttp.client_exceptions import ClientError
 from rest_framework.viewsets import ViewSet
 from rest_framework.renderers import BrowsableAPIRenderer, JSONRenderer, TemplateHTMLRenderer
 from rest_framework.response import Response
@@ -27,16 +25,15 @@ from itertools import chain
 from packaging.utils import canonicalize_name
 from urllib.parse import urljoin, urlparse, urlunsplit
 from pathlib import PurePath
-from pypi_simple import ACCEPT_JSON_PREFERRED, ProjectPage
 
 from pulpcore.plugin.viewsets import OperationPostponedResponse
 from pulpcore.plugin.tasking import dispatch
 from pulpcore.plugin.util import get_domain, get_url
-from pulpcore.plugin.exceptions import TimeoutException
 from pulp_python.app.models import (
     PythonDistribution,
     PythonPackageContent,
     PythonPublication,
+    PackageProvenance,
 )
 from pulp_python.app.pypi.serializers import (
     SummarySerializer,
@@ -53,6 +50,7 @@ from pulp_python.app.utils import (
     PYPI_LAST_SERIAL,
     PYPI_SERIAL_CONSTANT,
     get_remote_package_filter,
+    get_remote_simple_page,
 )
 
 from pulp_python.app import tasks
@@ -61,6 +59,7 @@ log = logging.getLogger(__name__)
 
 ORIGIN_HOST = settings.CONTENT_ORIGIN if settings.CONTENT_ORIGIN else settings.PYPI_API_HOSTNAME
 BASE_CONTENT_URL = urljoin(ORIGIN_HOST, settings.CONTENT_PATH_PREFIX)
+BASE_API_URL = urljoin(settings.PYPI_API_HOSTNAME, "pypi/")
 
 PYPI_SIMPLE_V1_HTML = "application/vnd.pypi.simple.v1+html"
 PYPI_SIMPLE_V1_JSON = "application/vnd.pypi.simple.v1+json"
@@ -120,6 +119,11 @@ class PyPIMixin:
         """Returns queryset of the content in this repository version."""
         return PythonPackageContent.objects.filter(pk__in=repository_version.content)
 
+    @staticmethod
+    def get_provenances(repository_version):
+        """Returns queryset of the provenance for this repository version."""
+        return PackageProvenance.objects.filter(pk__in=repository_version.content)
+
     def should_redirect(self, repo_version=None):
         """Checks if there is a publication the content app can serve."""
         if self.distribution.publication:
@@ -139,10 +143,13 @@ class PyPIMixin:
     def initial(self, request, *args, **kwargs):
         """Perform common initialization tasks for PyPI endpoints."""
         super().initial(request, *args, **kwargs)
+        domain_name = get_domain().name
         if settings.DOMAIN_ENABLED:
-            self.base_content_url = urljoin(BASE_CONTENT_URL, f"{get_domain().name}/")
+            self.base_content_url = urljoin(BASE_CONTENT_URL, f"{domain_name}/")
+            self.base_api_url = urljoin(BASE_API_URL, f"{domain_name}/")
         else:
             self.base_content_url = BASE_CONTENT_URL
+            self.base_api_url = BASE_API_URL
 
     @classmethod
     def urlpattern(cls):
@@ -174,12 +181,15 @@ class PackageUploadMixin(PyPIMixin):
         serializer = PackageUploadSerializer(data=request.data)
         serializer.is_valid(raise_exception=True)
         artifact, filename = serializer.validated_data["content"]
+        attestations = serializer.validated_data.get("attestations", None)
         repo_content = self.get_content(self.get_repository_version(self.distribution))
         if repo_content.filter(filename=filename).exists():
             return HttpResponseBadRequest(reason=f"Package {filename} already exists in index")
 
         if settings.PYTHON_GROUP_UPLOADS:
-            return self.upload_package_group(repo, artifact, filename, request.session)
+            return self.upload_package_group(
+                repo, artifact, filename, attestations, request.session
+            )
 
         result = dispatch(
             tasks.upload,
@@ -187,17 +197,20 @@ class PackageUploadMixin(PyPIMixin):
             kwargs={
                 "artifact_sha256": artifact.sha256,
                 "filename": filename,
+                "attestations": attestations,
                 "repository_pk": str(repo.pk),
             },
         )
         return OperationPostponedResponse(result, request)
 
-    def upload_package_group(self, repo, artifact, filename, session):
+    def upload_package_group(self, repo, artifact, filename, attestations, session):
         """Steps 4 & 5, spawns tasks to add packages to index."""
         start_time = datetime.now(tz=timezone.utc) + timedelta(seconds=5)
         task = "updated"
         if not session.get("start"):
-            task = self.create_group_upload_task(session, repo, artifact, filename, start_time)
+            task = self.create_group_upload_task(
+                session, repo, artifact, filename, attestations, start_time
+            )
         else:
             sq = Session.objects.select_for_update(nowait=True).filter(pk=session.session_key)
             try:
@@ -205,7 +218,7 @@ class PackageUploadMixin(PyPIMixin):
                     sq.first()
                     current_start = datetime.fromisoformat(session["start"])
                     if current_start >= datetime.now(tz=timezone.utc):
-                        session["artifacts"].append((str(artifact.sha256), filename))
+                        session["artifacts"].append((str(artifact.sha256), filename, attestations))
                         session["start"] = str(start_time)
                         session.modified = False
                         session.save()
@@ -213,14 +226,18 @@ class PackageUploadMixin(PyPIMixin):
                         raise DatabaseError
             except DatabaseError:
                 session.cycle_key()
-                task = self.create_group_upload_task(session, repo, artifact, filename, start_time)
+                task = self.create_group_upload_task(
+                    session, repo, artifact, filename, attestations, start_time
+                )
         data = {"session": session.session_key, "task": task, "task_start_time": start_time}
         return Response(data=data)
 
-    def create_group_upload_task(self, cur_session, repository, artifact, filename, start_time):
+    def create_group_upload_task(
+        self, cur_session, repository, artifact, filename, attestations, start_time
+    ):
         """Creates the actual task that adds the packages to the index."""
         cur_session["start"] = str(start_time)
-        cur_session["artifacts"] = [(str(artifact.sha256), filename)]
+        cur_session["artifacts"] = [(str(artifact.sha256), filename, attestations)]
         cur_session.modified = False
         cur_session.save()
         task = dispatch(
@@ -273,6 +290,13 @@ class SimpleView(PackageUploadMixin, ViewSet):
         else:
             return [JSONRenderer(), BrowsableAPIRenderer()]
 
+    def get_provenance_url(self, package, version, filename):
+        """Gets the provenance url for a package."""
+        base_path = self.distribution.base_path
+        return urljoin(
+            self.base_api_url, f"{base_path}/integrity/{package}/{version}/{filename}/provenance/"
+        )
+
     @extend_schema(summary="Get index simple page")
     def list(self, request, path):
         """Gets the simple api html page for the index."""
@@ -308,26 +332,17 @@ class SimpleView(PackageUploadMixin, ViewSet):
                 "size": release_package.size,
                 "upload_time": release_package.upload_time,
                 "version": release_package.version,
+                "provenance": release_package.provenance_url,
             }
 
         rfilter = get_remote_package_filter(remote)
         if not rfilter.filter_project(package):
             return {}
 
-        url = remote.get_remote_artifact_url(f"simple/{package}/")
-        remote.headers = remote.headers or []
-        remote.headers.append({"Accept": ACCEPT_JSON_PREFERRED})
-        downloader = remote.get_downloader(url=url, max_retries=1)
-        try:
-            d = downloader.fetch()
-        except (ClientError, TimeoutException):
+        page = get_remote_simple_page(package, remote)
+        if not page:
             log.info(f"Failed to fetch {package} simple page from {remote.url}")
             return {}
-
-        if d.headers["content-type"] == PYPI_SIMPLE_V1_JSON:
-            page = ProjectPage.from_json_data(json.load(open(d.path, "rb")), base_url=url)
-        else:
-            page = ProjectPage.from_html(package, open(d.path, "rb").read(), base_url=url)
         return {
             p.filename: parse_package(p)
             for p in page.packages
@@ -348,7 +363,8 @@ class SimpleView(PackageUploadMixin, ViewSet):
         elif self.should_redirect(repo_version=repo_ver):
             return redirect(urljoin(self.base_content_url, f"{path}/simple/{normalized}/"))
         if content:
-            packages = content.filter(name__normalize=normalized).values(
+            local_packages = content.filter(name__normalize=normalized)
+            packages = local_packages.values(
                 "filename",
                 "sha256",
                 "metadata_sha256",
@@ -357,11 +373,19 @@ class SimpleView(PackageUploadMixin, ViewSet):
                 "pulp_created",
                 "version",
             )
+            provenances = PackageProvenance.objects.filter(package__in=local_packages).values_list(
+                "package__filename", flat=True
+            )
             local_releases = {
                 p["filename"]: {
                     **p,
                     "url": urljoin(self.base_content_url, f"{path}/{p['filename']}"),
                     "upload_time": p["pulp_created"],
+                    "provenance": (
+                        self.get_provenance_url(normalized, p["version"], p["filename"])
+                        if p["filename"] in provenances
+                        else None
+                    ),
                 }
                 for p in packages
             }
@@ -497,3 +521,32 @@ class UploadView(PackageUploadMixin, ViewSet):
         This is the endpoint that tools like Twine and Poetry use for their upload commands.
         """
         return self.upload(request, path)
+
+
+class ProvenanceView(PyPIMixin, ViewSet):
+    """View for the PyPI provenance endpoint."""
+
+    endpoint_name = "integrity"
+    DEFAULT_ACCESS_POLICY = {
+        "statements": [
+            {
+                "action": ["retrieve"],
+                "principal": "*",
+                "effect": "allow",
+            },
+        ],
+    }
+
+    @extend_schema(summary="Get package provenance")
+    def retrieve(self, request, path, package, version, filename):
+        """Gets the provenance for a package."""
+        repo_ver, content = self.get_rvc()
+        if content:
+            package_content = content.filter(
+                name__normalize=package, version=version, filename=filename
+            ).first()
+            if package_content:
+                provenance = self.get_provenances(repo_ver).filter(package=package_content).first()
+                if provenance:
+                    return Response(data=provenance.provenance)
+        return HttpResponseNotFound(f"{package} {version} {filename} provenance does not exist.")