PEP 815: Deprecate RECORD.jws and RECORD.p7s (#4727)

konstin · AA-Turner · woodruffw · web-flow · commit 1b3bca7983fe · 2025-12-05T20:17:13.000Z
Co-authored-by: Adam Turner &lt;9087854+AA-Turner@users.noreply.github.com&gt;
Co-authored-by: William Woodruff &lt;william@yossarian.net&gt;
Co-authored-by: Emma Smith &lt;emma@emmatyping.dev&gt;
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -688,6 +688,7 @@ peps/pep-0809.rst  @zooba
 peps/pep-0810.rst  @pablogsal @DinoV @Yhg1s
 peps/pep-0811.rst  @sethmlarson @gpshead
 peps/pep-0814.rst  @vstinner @corona10
+peps/pep-0815.rst  @emmatyping
 # ...
 peps/pep-2026.rst  @hugovk
 # ...
diff --git a/peps/pep-0815.rst b/peps/pep-0815.rst
@@ -0,0 +1,79 @@
+PEP: 815
+Title: Deprecate ``RECORD.jws`` and ``RECORD.p7s``
+Author: Konstantin Schütze <konstin@mailbox.org>,
+        William Woodruff <william@yossarian.net>
+Sponsor: Emma Harper Smith <emma@python.org>
+PEP-Delegate: Paul Moore <p.f.moore@gmail.com>
+Status: Draft
+Type: Standards Track
+Topic: Packaging
+Created: 04-Dec-2025
+Post-History: `09-Jun-2025 <https://discuss.python.org/t/94968>`__,
+
+
+Abstract
+========
+
+This PEP deprecates the ``RECORD.jws`` and ``RECORD.p7s`` wheel signature
+files. Lack of support in tooling means that these virtually unused files do
+not provide the security they purport. Users looking for wheel signing should
+instead refer to :ref:`index hosted attestations
+<packaging:index-hosted-attestations>`.
+
+
+Motivation
+==========
+
+No major Python packaging tool supports generating or checking either
+``RECORD.jws`` or ``RECORD.p7s``. Notably, neither pip nor uv validate the
+hashes in ``RECORD``, a requirement for using signature files. The
+:ref:`binary distribution format <packaging:binary-distribution-format>`
+presents them as security features, potentially resulting in user confusion.
+
+The state of the art for hashing and signing wheels has shifted from
+in-archive information to out-of-archive information presented on the index,
+such as hashes and :ref:`attestations <packaging:index-hosted-attestations>`
+in the :ref:`simple repository API <packaging:simple-repository-api>`. Unlike
+the hashes in ``RECORD``, tools such as pip and uv validate index provided
+hashes.
+
+Both files are virtually unused. A GitHub search for ``path:**.dist-info/RECORD``
+yields 635k results, ``path:**.dist-info/RECORD.jws`` has 8 distinct results
+and ``path:**.dist-info/RECORD.p7s`` has zero results.
+
+
+Specification
+=============
+
+The ``RECORD.jws`` and ``RECORD.p7s`` files are deprecated, and the
+:ref:`binary distribution format specification
+<packaging:binary-distribution-format>` will be updated to reflect this. Build
+backends and other tools MUST NOT add these files to wheels. Installers
+SHOULD NOT attempt to verify them, while they remain excluded from ``RECORD``.
+
+
+Backwards Compatibility
+=======================
+
+No build backends and installers that the authors are aware of require any
+changes, as they do not support these files beyond skipping them when
+processing the ``RECORD`` file. If any build backends do currently write these
+files, they need to deprecate and eventually remove this feature.
+
+For verifying provenance, users should refer to
+:ref:`index hosted attestations <packaging:index-hosted-attestations>`.
+
+
+Security Implications
+=====================
+
+This PEP strengthens the security of the Python packaging ecosystem by
+reducing the divergence between security features presented in the
+specification and the security features supported by tools.
+
+
+Copyright
+=========
+
+This document is placed in the public domain or under the
+CC0-1.0-Universal license, whichever is more permissive.
