
PEP 815 – Deprecate RECORD.jws and RECORD.p7s

Author:
Konstantin Schütze <konstin at mailbox.org>, William Woodruff <william at yossarian.net>
Sponsor:
Emma Harper Smith <emma at python.org>
PEP-Delegate:
Paul Moore <p.f.moore at gmail.com>
Status:
Draft
Type:
Standards Track
Topic:
Packaging
Created:
04-Dec-2025
Post-History:
09-Jun-2025


Abstract

This PEP deprecates the RECORD.jws and RECORD.p7s wheel signature files. Lack of support in tooling means that these virtually unused files do not provide the security they purport to offer. Users looking for wheel signing should instead refer to index-hosted attestations.

Motivation

No major Python packaging tool supports generating or checking either RECORD.jws or RECORD.p7s. Notably, neither pip nor uv validates the hashes in RECORD, a requirement for using the signature files. The binary distribution format presents them as security features, potentially resulting in user confusion.

The state of the art for hashing and signing wheels has shifted from in-archive information to out-of-archive information presented on the index, such as hashes and attestations in the simple repository API. Unlike the hashes in RECORD, tools such as pip and uv validate index-provided hashes.

Both files are virtually unused. A GitHub search for path:**.dist-info/RECORD yields 635k results, path:**.dist-info/RECORD.jws has 8 distinct results and path:**.dist-info/RECORD.p7s has zero results.

Specification

The RECORD.jws and RECORD.p7s files are deprecated, and the binary distribution format specification will be updated to reflect this. Build backends and other tools MUST NOT add these files to wheels. Installers SHOULD NOT attempt to verify them; the files remain excluded from RECORD.
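The Motivation section notes that installers do not validate the hashes in RECORD, and the Specification above says the deprecated files remain excluded from RECORD. The following added example (not code from the PEP, pip, uv, or any build backend) shows what both points look like on a concrete wheel: it parses the three-column RECORD format (path, algorithm=urlsafe-base64 digest, size), verifies every recorded member against the archive contents, and reports any RECORD.jws or RECORD.p7s present in the .dist-info directory. The build_wheel and tamper_member helpers construct in-memory fixtures for demonstration; audit_wheel is the check itself. All names are my own.

```python
"""Audit a wheel's RECORD and flag the deprecated RECORD.jws / RECORD.p7s files."""
import base64
import csv
import hashlib
import io
import zipfile

# Files deprecated by PEP 815. They sit next to RECORD in the .dist-info directory
# and, per the wheel specification, are not themselves listed in RECORD.
DEPRECATED_SIGNATURE_FILES = ("RECORD.jws", "RECORD.p7s")


def _record_hash(data: bytes, algorithm: str = "sha256") -> str:
    """Hash in the form RECORD uses: algorithm=<urlsafe base64 digest, no padding>."""
    digest = hashlib.new(algorithm, data).digest()
    return algorithm + "=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_wheel(dist_info: str, files: dict, signature_files: dict = None) -> bytes:
    """Build a minimal wheel in memory (constructed fixture, not a real package).

    ``files`` maps archive paths to contents and is listed in RECORD with hash and size.
    ``signature_files`` maps names such as "RECORD.jws" to contents and is written into
    the .dist-info directory *without* a RECORD entry, matching the wheel specification.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        rows = []
        for path, data in files.items():
            zf.writestr(path, data)
            rows.append((path, _record_hash(data), str(len(data))))
        record_path = f"{dist_info}/RECORD"
        rows.append((record_path, "", ""))  # RECORD lists itself with empty hash and size
        record_text = io.StringIO()
        csv.writer(record_text, lineterminator="\n").writerows(rows)
        zf.writestr(record_path, record_text.getvalue())
        for name, data in (signature_files or {}).items():
            zf.writestr(f"{dist_info}/{name}", data)
    return buf.getvalue()


def tamper_member(wheel_bytes: bytes, path: str, new_data: bytes) -> bytes:
    """Return a copy of the wheel with one member replaced and RECORD left untouched.

    Constructed fixture: models an archive whose contents no longer match RECORD.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = new_data if info.filename == path else src.read(info.filename)
            dst.writestr(info.filename, data)
    return buf.getvalue()


def audit_wheel(wheel_bytes: bytes) -> dict:
    """Verify RECORD hashes and sizes, and report deprecated signature files."""
    report = {"hash_mismatches": [], "missing": [], "unrecorded": [],
              "deprecated_signature_files": []}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        members = [n for n in zf.namelist() if not n.endswith("/")]
        record_path = next(n for n in members if n.endswith(".dist-info/RECORD"))
        dist_info = record_path.rsplit("/", 1)[0]
        deprecated_paths = {f"{dist_info}/{s}" for s in DEPRECATED_SIGNATURE_FILES}
        recorded = set()
        for path, digest, size in csv.reader(io.StringIO(zf.read(record_path).decode("utf-8"))):
            recorded.add(path)
            if path == record_path:
                continue  # RECORD carries no hash of itself
            if path not in members:
                report["missing"].append(path)
                continue
            data = zf.read(path)
            algorithm = digest.split("=", 1)[0]
            # An entry without a hash cannot be verified, so it counts as a mismatch.
            if (not digest or _record_hash(data, algorithm) != digest
                    or (size and int(size) != len(data))):
                report["hash_mismatches"].append(path)
        for name in members:
            if name in recorded:
                continue
            if name in deprecated_paths:
                report["deprecated_signature_files"].append(name)
            else:
                report["unrecorded"].append(name)
    report["ok"] = not any(report[k] for k in ("hash_mismatches", "missing", "unrecorded",
                                                "deprecated_signature_files"))
    return report


if __name__ == "__main__":
    # Constructed sample package; no real distribution is involved.
    files = {"demo/__init__.py": b"VERSION = '1.0'\n",
             "demo-1.0.dist-info/METADATA": b"Metadata-Version: 2.1\nName: demo\nVersion: 1.0\n"}
    print(audit_wheel(build_wheel("demo-1.0.dist-info", files)))
    print(audit_wheel(build_wheel("demo-1.0.dist-info", files, {"RECORD.jws": b"{}"})))
```

Running the module prints a clean report for the first wheel and a report listing demo-1.0.dist-info/RECORD.jws for the second. The audit treats an unverifiable RECORD entry and a member missing from RECORD as findings, which is stricter than what the Motivation describes current installers doing; the point is to show what RECORD verification involves, not to reproduce any tool's behaviour.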

Backwards Compatibility

No build backends or installers that the authors are aware of require any changes, as they do not support these files beyond skipping them when processing the RECORD file. If any build backends do currently write these files, they need to deprecate and eventually remove this feature.

For verifying provenance, users should refer to index-hosted attestations.

Security Implications

This PEP strengthens the security of the Python packaging ecosystem by reducing the divergence between security features presented in the specification and the security features supported by tools.


Source: https://github.com/python/peps/blob/main/peps/pep-0815.rst

Last modified: 2025-12-05 20:17:13 GMT