I built a CLI to verify PyPI package attestations before installing packages

Python developers install packages from PyPI every day with pip. Most of the time we trust that the package we install is exactly what the maintainer intended to publish. But questions often come up: Who actually published this release? Does the package have verifiable provenance? Has the repository changed since the last version? Are there any known vulnerabilities? To explore these questions, I built trustcheck. What trustcheck does trustcheck is a CLI tool that inspects trust signals for PyPI package releases. It helps answer questions about a package before you install it. The tool evaluates things like: PyPI release metadata package attestations repository association provenance signals vulnerability information The goal is to make it easier to understand the trust posture of a Python package release. Installation pip install trustcheck Example usage Inspect a release: trustcheck inspect sampleproject --version 4.0.0 Verify the expected repository: trustcheck inspect sampleproject