skip-trace 0.1.0__py3-none-any.whl → 0.1.1__py3-none-any.whl

skip_trace/collectors/package_files.py

@@ -1,23 +1,149 @@
 # skip_trace/collectors/package_files.py
 from __future__ import annotations
 
+import datetime
+import glob
 import logging
 import os
 import shutil
 import tarfile
 import zipfile
+from email.parser import Parser
 from typing import Any, Dict, List, Optional
 
 from ..analysis import source_scanner
+from ..analysis.evidence import generate_evidence_id
 from ..exceptions import CollectorError, NetworkError
-from ..schemas import EvidenceRecord
+from ..schemas import EvidenceKind, EvidenceRecord, EvidenceSource
 from ..utils import http_client
 from ..utils.safe_targz import safe_extract_auto
+from ..utils.validation import is_valid_email
+from . import sigstore
 
 logger = logging.getLogger(__name__)
 PACKAGE_DOWNLOAD_DIR = ".packages"
 
 
+def _create_evidence_from_contact(
+    contact_str: str,
+    role_kind: EvidenceKind,
+    locator: str,
+    confidence: float,
+    notes_prefix: str,
+) -> List[EvidenceRecord]:
+    """Helper to create PERSON and EMAIL evidence from a 'Name <email>' string."""
+    from ..analysis.evidence import _parse_contact_string
+
+    evidence_list = []
+    now = datetime.datetime.now(datetime.timezone.utc)
+    parsed = _parse_contact_string(contact_str)
+    name = parsed.get("name")
+    email = parsed.get("email")
+    source = EvidenceSource.WHEEL
+
+    if name:
+        value = {"name": name}
+        record = EvidenceRecord(
+            id=generate_evidence_id(
+                source, EvidenceKind.PERSON, locator, str(value), name
+            ),
+            source=source,
+            locator=locator,
+            kind=EvidenceKind.PERSON,
+            value=value,
+            observed_at=now,
+            confidence=confidence,
+            notes=f"{notes_prefix} name '{name}' from {role_kind.value} field in package metadata.",
+        )
+        evidence_list.append(record)
+
+    if email:
+        value = {"email": email}
+        slug = name or email.split("@")[0]
+        record = EvidenceRecord(
+            id=generate_evidence_id(
+                source, EvidenceKind.EMAIL, locator, str(value), slug
+            ),
+            source=source,
+            locator=locator,
+            kind=EvidenceKind.EMAIL,
+            value=value,
+            observed_at=now,
+            confidence=confidence + 0.1,  # Email is a stronger signal
+            notes=f"{notes_prefix} email for '{slug}' from {role_kind.value} field in package metadata.",
+        )
+        evidence_list.append(record)
+
+    return evidence_list
+
+
+def _parse_metadata_file(content: str, locator: str) -> List[EvidenceRecord]:
+    """Parses a PKG-INFO or METADATA file for evidence."""
+    evidence_list: List[EvidenceRecord] = []
+    now = datetime.datetime.now(datetime.timezone.utc)
+    headers = Parser().parsestr(content)
+
+    # Author/Maintainer information
+    if author_email := headers.get("Author-email"):
+        evidence_list.extend(
+            _create_evidence_from_contact(
+                author_email, EvidenceKind.AUTHOR_TAG, locator, 0.35, "Found"
+            )
+        )
+    if author := headers.get("Author"):
+        evidence_list.extend(
+            _create_evidence_from_contact(
+                author, EvidenceKind.AUTHOR_TAG, locator, 0.30, "Found"
+            )
+        )
+
+    if maintainer_email := headers.get("Maintainer-email"):
+        evidence_list.extend(
+            _create_evidence_from_contact(
+                maintainer_email, EvidenceKind.MAINTAINER, locator, 0.35, "Found"
+            )
+        )
+    if maintainer := headers.get("Maintainer"):
+        evidence_list.extend(
+            _create_evidence_from_contact(
+                maintainer, EvidenceKind.MAINTAINER, locator, 0.30, "Found"
+            )
+        )
+
+    # Project URLs
+    urls = headers.get_all("Project-URL", [])
+    if home_page := headers.get("Home-page"):
+        urls.append(f"Homepage, {home_page}")
+
+    for url_entry in urls:
+        try:
+            label, url = [part.strip() for part in url_entry.split(",", 1)]
+            if not is_valid_email(label):  # Filter out email-like labels
+                value = {"label": label, "url": url}
+                record = EvidenceRecord(
+                    id=generate_evidence_id(
+                        EvidenceSource.WHEEL,
+                        EvidenceKind.PROJECT_URL,
+                        locator,
+                        str(value),
+                        label,
+                        hint="metadata-file",
+                    ),
+                    source=EvidenceSource.WHEEL,
+                    locator=locator,
+                    kind=EvidenceKind.PROJECT_URL,
+                    value=value,
+                    observed_at=now,
+                    confidence=0.30,
+                    notes=f"Found project URL '{label}' in package metadata file.",
+                )
+                evidence_list.append(record)
+        except ValueError:
+            logger.debug(f"Could not parse Project-URL from metadata file: {url_entry}")
+
+    return evidence_list
+
+
 def _ensure_download_dir():
     """Ensures the package download directory and .gitignore exist."""
     os.makedirs(PACKAGE_DOWNLOAD_DIR, exist_ok=True)
@@ -37,6 +163,8 @@ def _find_download_url(metadata: Dict[str, Any]) -> Optional[str]:
     wheel_url = None
     sdist_url = None
     for url_info in urls:
+        if url_info.get("yanked"):
+            continue
         packagetype = url_info.get("packagetype")
         if packagetype == "bdist_wheel":
             wheel_url = url_info.get("url")
@@ -47,6 +175,33 @@ def _find_download_url(metadata: Dict[str, Any]) -> Optional[str]:
     return wheel_url or sdist_url or (urls[0].get("url") if urls else None)
 
 
+def _download_file(url: str, download_dir: str) -> str | None:
+    """Downloads a file to a directory if it doesn't exist, returns the path."""
+    filename = os.path.basename(url)
+    download_path = os.path.join(download_dir, filename)
+
+    if not os.path.exists(download_path):
+        logger.info(f"Downloading {filename} from {url}")
+        try:
+            with http_client.get_client().stream("GET", url) as response:
+                response.raise_for_status()
+                with open(download_path, "wb") as f:
+                    for chunk in response.iter_bytes():
+                        f.write(chunk)
+        except (
+            NetworkError,
+            http_client.httpx.RequestError,
+            http_client.httpx.HTTPStatusError,
+        ) as e:
+            # A 404 is expected for bundles, so we don't raise a CollectorError
+            if response and response.status_code == 404:
+                logger.info(f"No file found at {url} (404 Not Found)")
+                return None
+            raise CollectorError(f"Failed to download file {filename}: {e}") from e
+
+    return download_path
+
+
 def collect_from_package_files(metadata: Dict[str, Any]) -> List[EvidenceRecord]:
     """
     Downloads, extracts, and scans a package's files for evidence.
@@ -70,62 +225,55 @@ def collect_from_package_files(metadata: Dict[str, Any]) -> List[EvidenceRecord]
         return []
 
     _ensure_download_dir()
-    filename = os.path.basename(download_url)
-    download_path = os.path.join(PACKAGE_DOWNLOAD_DIR, filename)
 
-    # Download the file if it doesn't already exist
-    if not os.path.exists(download_path):
-        logger.info(f"Downloading {filename} from {download_url}")
-        try:
-            with http_client.get_client().stream("GET", download_url) as response:
-                response.raise_for_status()
-                with open(download_path, "wb") as f:
-                    for chunk in response.iter_bytes():
-                        f.write(chunk)
-        except (
-            NetworkError,
-            http_client.httpx.RequestError,
-            http_client.httpx.HTTPStatusError,
-        ) as e:
-            raise CollectorError(f"Failed to download package {filename}: {e}") from e
+    # Download the main package artifact
+    artifact_path = _download_file(download_url, PACKAGE_DOWNLOAD_DIR)
+    if not artifact_path:
+        return []  # Can't proceed without the artifact
+
+    # Attempt to download the corresponding Sigstore bundle
+    bundle_url = f"{download_url}.sigstore"
+    bundle_path = _download_file(bundle_url, PACKAGE_DOWNLOAD_DIR)
+
+    # Initialize evidence list
+    evidence: list[EvidenceRecord] = []
+
+    # Verify with Sigstore if the bundle was found
+    if bundle_path:
+        sigstore_evidence = sigstore.verify_and_collect(
+            artifact_path, bundle_path, package_name, package_version
+        )
+        evidence.extend(sigstore_evidence)
 
     # Determine the persistent extraction directory path from the filename
-    base_filename = filename
-    for ext in [".whl", ".zip", ".tar.gz", ".tgz", ".tar.bz2"]:
-        if base_filename.endswith(ext):
-            base_filename = base_filename[: -len(ext)]
-            break
+    filename = os.path.basename(artifact_path)
+    base_filename, _ = os.path.splitext(filename)
+    if filename.endswith(".tar.gz"):
+        base_filename, _ = os.path.splitext(base_filename)
     extract_dir = os.path.join(PACKAGE_DOWNLOAD_DIR, base_filename)
 
     # Extract the archive ONLY if the destination directory doesn't already exist
     if not os.path.exists(extract_dir):
-        logger.info(f"Extracting {download_path} to {extract_dir}")
+        logger.info(f"Extracting {artifact_path} to {extract_dir}")
         os.makedirs(extract_dir, exist_ok=True)
         try:
-            if download_path.endswith((".whl", ".zip")):
-                with zipfile.ZipFile(download_path, "r") as zf:  # nosec # noqa
-                    zf.extractall(extract_dir)  # nosec # noqa
-            elif download_path.endswith(
+            if artifact_path.endswith((".whl", ".zip")):
+                with zipfile.ZipFile(artifact_path, "r") as zf:
+                    zf.extractall(extract_dir)  # nosec
+            elif artifact_path.endswith(
                 (".tar.gz", ".tgz", ".tar.bz2", ".tar.xz", ".tar")
             ):
-                safe_extract_auto(download_path, extract_dir)
-            # elif download_path.endswith((".tar.gz", ".tgz")):
-            #     with tarfile.open(download_path, "r:gz") as tf:  # nosec # noqa
-            #         tf.extractall(extract_dir)  # nosec # noqa
-            # elif download_path.endswith(".tar.bz2"):
-            #     with tarfile.open(download_path, "r:bz2") as tf:  # nosec # noqa
-            #         tf.extractall(extract_dir)  # nosec # noqa
+                safe_extract_auto(artifact_path, extract_dir)
             else:
                 logger.warning(
                     f"Unsupported archive format for {filename}. Skipping file scan."
                 )
                 shutil.rmtree(extract_dir)  # Clean up the empty dir
-                return []
+                return evidence  # Return any Sigstore evidence found
         except (zipfile.BadZipFile, tarfile.TarError, PermissionError) as e:
-            logger.error(f"Failed to extract archive {download_path}: {e}")
-            # Clean up potentially corrupted extraction on error
+            logger.error(f"Failed to extract archive {artifact_path}: {e}")
             shutil.rmtree(extract_dir, ignore_errors=True)
-            return []
+            return evidence  # Return any Sigstore evidence found
     else:
         logger.info(f"Using cached package files from {extract_dir}")
 
@@ -143,8 +291,51 @@ def collect_from_package_files(metadata: Dict[str, Any]) -> List[EvidenceRecord]
             logger.error(
                 f"Extraction directory {extract_dir} not found after apparent success. Check permissions."
             )
-            return []
+            return evidence
 
     locator_prefix = f"{package_name}-{package_version}"
-    evidence = source_scanner.scan_directory(scan_target_dir, locator_prefix)
+    source_scan_evidence = source_scanner.scan_directory(
+        scan_target_dir, locator_prefix
+    )
+    evidence.extend(source_scan_evidence)
+
+    # --- Scan for PKG-INFO/METADATA file ---
+    metadata_file_path = None
+    # Use a recursive glob to find the relevant .dist-info or .egg-info directory
+    # This is more robust for sdists that may have a nested src/ directory.
+    dist_info_pattern = os.path.join(scan_target_dir, "**", "*.dist-info")
+    egg_info_pattern = os.path.join(scan_target_dir, "**", "*.egg-info")
+
+    info_dirs = glob.glob(dist_info_pattern, recursive=True) + glob.glob(
+        egg_info_pattern, recursive=True
+    )
+
+    if info_dirs:
+        info_dir_path = info_dirs[0]  # Assume there's only one
+        potential_files = [
+            os.path.join(info_dir_path, "METADATA"),
+            os.path.join(info_dir_path, "PKG-INFO"),
+        ]
+        for f_path in potential_files:
+            if os.path.exists(f_path):
+                metadata_file_path = f_path
+                break
+
+    if metadata_file_path:
+        rel_path = os.path.relpath(metadata_file_path, PACKAGE_DOWNLOAD_DIR)
+        logger.info(f"Found package metadata file: {rel_path}")
+        try:
+            with open(metadata_file_path, "r", encoding="utf-8", errors="ignore") as f:
+                content = f.read()
+            # Create a locator relative to the package root
+            relative_locator_path = os.path.relpath(metadata_file_path, scan_target_dir)
+            locator = f"{locator_prefix}/{relative_locator_path}"
+            metadata_evidence = _parse_metadata_file(content, locator)
+            evidence.extend(metadata_evidence)
+            logger.info(
+                f"Extracted {len(metadata_evidence)} evidence records from package metadata file."
+            )
+        except IOError as e:
+            logger.warning(f"Could not read metadata file {metadata_file_path}: {e}")
+
     return evidence

skip_trace/collectors/pypi.py

@@ -99,7 +99,7 @@ def cross_reference_by_user(package_name: str) -> List[EvidenceRecord]:
     new_evidence: List[EvidenceRecord] = []
     profile_url = _scrape_user_profile_url(package_name)
 
-    # --- NEW: Always create evidence for the PyPI user if found ---
+    # --- Always create evidence for the PyPI user if found ---
     if profile_url:
         try:
             username = profile_url.strip("/").rsplit("/", maxsplit=1)[-1]

skip_trace/collectors/pypi_attestations.py

@@ -0,0 +1,160 @@
+# skip_trace/collectors/pypi_attestations.py
+
+# I have no evidence that this works.
+# It appears to crash, possibly because I'm on windows.
+
+from __future__ import annotations
+
+import datetime
+import logging
+import os
+import shutil
+import subprocess  # nosec
+import tempfile
+from typing import Any, Dict, List
+
+from ..analysis.evidence import generate_evidence_id
+from ..schemas import EvidenceKind, EvidenceRecord, EvidenceSource
+from ..utils import http_client
+
+logger = logging.getLogger(__name__)
+
+
+def collect(metadata: Dict[str, Any]) -> List[EvidenceRecord]:
+    """
+    Finds and verifies PyPI attestations by calling the `pypi-attestations` CLI.
+
+    This collector manually queries the PyPI Integrity API to get the attestation,
+    saves it to a temporary file, and then passes that file to the `inspect`
+    command of the CLI tool for verification and parsing.
+
+    Args:
+        metadata: The PyPI JSON metadata for the package.
+
+    Returns:
+        A list of EvidenceRecord objects from verified attestations.
+    """
+    if not shutil.which("pypi-attestations"):
+        logger.debug(
+            "`pypi-attestations` CLI not found in PATH. Skipping attestation check."
+        )
+        return []
+
+    evidence = []
+    urls_data = metadata.get("urls", [])
+    if not urls_data:
+        return []
+
+    project_name = metadata.get("info", {}).get("name")
+    project_version = metadata.get("info", {}).get("version")
+
+    # Find the first downloadable artifact (wheel or sdist) and check it.
+    for url_info in urls_data:
+        artifact_url = url_info.get("url")
+        if not artifact_url or url_info.get("yanked", False):
+            continue
+
+        artifact_filename = os.path.basename(artifact_url)
+
+        # 1. Construct the PyPI Integrity API URL for this specific file.
+        integrity_api_url = f"https://pypi.org/integrity/{project_name}/{project_version}/{artifact_filename}/provenance"
+        logger.info(f"Querying PyPI Integrity API: {integrity_api_url}")
+
+        # 2. Make the API call to get the attestation.
+        response = http_client.make_request_safe(integrity_api_url)
+        if response is None or response.status_code != 200:
+            logger.info(
+                f"No attestation found for {artifact_filename} via Integrity API (Status: {response.status_code if response else 'N/A'})."
+            )
+            continue
+
+        try:
+            response.json()
+        except Exception:
+            logger.warning(
+                f"Failed to parse JSON from Integrity API for {artifact_filename}"
+            )
+            continue
+
+        # 3. Save the attestation to a temporary file for the CLI to use.
+        with tempfile.NamedTemporaryFile(
+            mode="w", delete=False, suffix=".attestation.json", encoding="utf-8"
+        ) as tmp_file:
+            tmp_file.write(response.text)
+            temp_attestation_path = tmp_file.name
+
+        try:
+            # 4. Call `pypi-attestations inspect` on the temporary attestation file.
+            # The tool verifies the attestation as part of the inspect command.
+            command = ["pypi-attestations", "inspect", temp_attestation_path]
+            logger.info(f"Running command: {' '.join(command)}")
+            result = subprocess.run(  # nosec
+                command,
+                capture_output=True,
+                text=True,
+                check=True,  # Raises CalledProcessError on non-zero exit codes
+            )
+
+            logger.info(f"Successfully verified attestation for {artifact_filename}")
+
+            # Parse the human-readable output to find key details.
+            repo_slug = None
+            workflow = None
+            lines = result.stdout.splitlines()
+            print(lines)
+            for line in lines:
+                if "Repository:" in line:
+                    repo_slug = line.split(":", 1)[1].strip()
+                elif "Workflow:" in line:
+                    workflow = line.split(":", 1)[1].strip()
+
+            if not repo_slug:
+                logger.warning(
+                    "Verified attestation but could not parse repository slug from CLI output."
+                )
+                continue
+
+            # Create the evidence record.
+            org_name = repo_slug.split("/")[0]
+            now = datetime.datetime.now(datetime.timezone.utc)
+            value = {
+                "publisher_kind": "github",
+                "repository": repo_slug,
+                "workflow": workflow,
+            }
+
+            record = EvidenceRecord(
+                id=generate_evidence_id(
+                    EvidenceSource.PYPI_ATTESTATION,
+                    EvidenceKind.PYPI_PUBLISHER_ATTESTATION,
+                    integrity_api_url,
+                    str(value),
+                    org_name,
+                ),
+                source=EvidenceSource.PYPI_ATTESTATION,
+                locator=integrity_api_url,
+                kind=EvidenceKind.PYPI_PUBLISHER_ATTESTATION,
+                value=value,
+                observed_at=now,
+                confidence=1.0,
+                notes=(
+                    "Verified PyPI attestation proves publication from GitHub "
+                    f"repo '{repo_slug}' via workflow '{workflow or 'unknown'}'."
+                ),
+            )
+            evidence.append(record)
+            break
+
+        except subprocess.CalledProcessError as e:
+            logger.warning(
+                f"CLI verification failed for attestation of {artifact_filename}:\n{e.stderr}"
+            )
+        except Exception as e:
+            logger.error(
+                f"An unexpected error occurred during CLI attestation processing: {e}"
+            )
+        finally:
+            # Clean up the temporary file.
+            os.remove(temp_attestation_path)
+
+    return evidence

skip_trace/collectors/sigstore.py

@@ -0,0 +1,160 @@
+# skip_trace/collectors/sigstore.py
+from __future__ import annotations
+
+import logging
+from typing import List
+from urllib.parse import urlparse
+
+from sigstore.models import Bundle
+
+from ..schemas import EvidenceRecord
+
+logger = logging.getLogger(__name__)
+
+
+def _parse_san_from_cert(bundle: Bundle) -> str | None:
+    """Extracts the Subject Alternative Name from the signing certificate."""
+    try:
+        # The SAN extension is a list of GeneralName objects.
+        # We look for rfc822Name (email) or uniformResourceIdentifier.
+        sans = bundle.signing_certificate.subject  # no alt name?
+        for san in sans:
+            # The value attribute of the GeneralName object holds the identity.
+            return san.value
+    except Exception:
+        return None
+    return None
+
+
+def _parse_repo_from_github_uri(uri: str | None) -> str | None:
+    """Parses a GitHub workflow URI to get the 'owner/repo' string."""
+    if not uri or not uri.startswith("https://github.com/"):
+        try:
+            parsed = urlparse(uri)
+            path_parts = parsed.path.strip("/").split("/")  # type: ignore
+            if len(path_parts) >= 2:  # type: ignore
+                return f"{path_parts[0]}/{path_parts[1]}"  # type: ignore
+        except Exception:  # nosec
+            pass
+    return None
+
+
+def verify_and_collect(
+    artifact_path: str, bundle_path: str, package_name: str, package_version: str
+) -> List[EvidenceRecord]:
+    """
+    Verifies a package artifact against a Sigstore bundle and collects evidence.
+
+    Args:
+        artifact_path: Path to the downloaded package file (.whl, .tar.gz).
+        bundle_path: Path to the downloaded .sigstore bundle file.
+        package_name: The name of the package.
+        package_version: The version of the package.
+
+    Returns:
+        A list of EvidenceRecord objects from the verification.
+    """
+    return []
+    # if not SIGSTORE_AVAILABLE:
+    #     logger.warning("sigstore library not installed, skipping verification.")
+    #     return []
+    #
+    # evidence: list[EvidenceRecord] = []
+    # locator = f"pkg:pypi/{package_name}@{package_version}"
+    # now = datetime.datetime.now(datetime.timezone.utc)
+    #
+    # logger.info(f"Performing Sigstore verification for {artifact_path}")
+    #
+    # try:
+    #     # 1. Load the bundle from the file
+    #     with open(bundle_path, "r", encoding="utf-8") as f:
+    #         bundle = Bundle.from_json(f.read())
+    #
+    #     # 2. Create a verifier. We use the production instance by default.
+    #     verifier = Verifier.production()
+    #
+    #     # 3. Define a verification policy.
+    #     # WARNING: UnsafeNoOp is for demonstration and testing only.
+    #     # It performs no identity verification. Replace with a real policy
+    #     # like `policy.Identity(identity=..., issuer=...)` for security.
+    #     verification_policy = policy.UnsafeNoOp()
+    #
+    #     # 4. Verify the artifact. This will raise VerificationError on failure.
+    #     with open(artifact_path, "rb") as artifact:
+    #         verifier.verify_artifact(artifact, bundle, verification_policy) # type: ignore
+    #
+    #     logger.info(f"Sigstore verification successful for {package_name}")
+    #
+    #     # 5. If verification succeeds, extract evidence from the trusted bundle.
+    #
+    #     # Evidence for the signer's identity from the certificate's SAN
+    #     if identity := _parse_san_from_cert(bundle):
+    #         value = {
+    #             "identity": identity,
+    #             "issuer": bundle.signing_certificate.issuer.rfc4514_string(),
+    #         }
+    #         record = EvidenceRecord(
+    #             id=generate_evidence_id(
+    #                 EvidenceSource.SIGSTORE,
+    #                 EvidenceKind.SIGSTORE_SIGNER_IDENTITY,
+    #                 locator,
+    #                 str(value),
+    #                 identity,
+    #             ),
+    #             source=EvidenceSource.SIGSTORE,
+    #             locator=locator,
+    #             kind=EvidenceKind.SIGSTORE_SIGNER_IDENTITY,
+    #             value=value,
+    #             observed_at=now,
+    #             confidence=0.95,
+    #             notes=(
+    #                 f"Package cryptographically signed by identity '{identity}' "
+    #                 f"(issuer: {value['issuer']})."
+    #             ),
+    #         )
+    #         evidence.append(record)
+    #
+    #     # Evidence from GitHub workflow info in the certificate extensions
+    #     # OID 1.3.6.1.4.1.57264.1.5 = GitHub Workflow Repository
+    #     oid_repo = "1.3.6.1.4.1.57264.1.5"  # what is this?
+    #     try:
+    #         repo_ext = bundle.signing_certificate.extensions.get_extension_for_oid( # type: ignore
+    #             oid_repo # type: ignore
+    #         )
+    #         repo_uri = repo_ext.value.oid.dotted_string  # .decode("utf-8")  # what is this?
+    #
+    #         repo_slug = _parse_repo_from_github_uri(repo_uri) or repo_uri
+    #
+    #         value = {"repo_uri": repo_uri}
+    #         record = EvidenceRecord(
+    #             id=generate_evidence_id(
+    #                 EvidenceSource.SIGSTORE,
+    #                 EvidenceKind.SIGSTORE_BUILD_PROVENANCE,
+    #                 locator,
+    #                 str(value),
+    #                 repo_slug,
+    #             ),
+    #             source=EvidenceSource.SIGSTORE,
+    #             locator=locator,
+    #             kind=EvidenceKind.SIGSTORE_BUILD_PROVENANCE,
+    #             value=value,
+    #             observed_at=now,
+    #             confidence=0.90,
+    #             notes=f"Sigstore certificate attests build from repo '{repo_slug}'.",
+    #         )
+    #         evidence.append(record)
+    #     except Exception:
+    #         # This is not an error; the extension is optional.
+    #         pass
+    #
+    # except (VerificationError, FileNotFoundError, ValueError) as e:
+    #     logger.info(f"Sigstore verification failed for {package_name}: {e}")
+    #     return []
+    # except Exception as e:
+    #     logger.warning(
+    #         f"An unexpected error occurred during Sigstore verification: {e}"
+    #     )
+    #     return []
+    #
+    # logger.info(f"Found {len(evidence)} evidence records from Sigstore.")
+    # return evidence