
PEP 815 – Deprecate RECORD.jws and RECORD.p7s


Author: Konstantin Schütze <konstin at mailbox.org>, William Woodruff <william at yossarian.net>
Sponsor: Emma Harper Smith <emma at python.org>
PEP-Delegate: Paul Moore <p.f.moore at gmail.com>
Discussions-To: Discourse thread
Status: Final
Type: Standards Track
Topic: Packaging
Created: 04-Dec-2025
Post-History: 09-Jun-2025, 08-Dec-2025
Resolution: 28-Jan-2026

Important: This PEP is a historical document. The up-to-date, canonical spec, Binary distribution format, is maintained on the PyPA specs page. See the PyPA specification update process for how to propose changes.

Abstract

This PEP deprecates the RECORD.jws and RECORD.p7s wheel signature files. Because no tooling supports them, these virtually unused files do not provide the security they purport to. Users looking for wheel signing should instead refer to index-hosted attestations.

Motivation

No major Python packaging tool supports generating or checking either RECORD.jws or RECORD.p7s. Notably, neither pip nor uv validates the hashes in RECORD, which is a prerequisite for a signature over RECORD to be meaningful: a signature on RECORD only binds the wheel's contents if the installer also checks that each installed file matches its RECORD hash. The binary distribution format nevertheless presents these files as security features, potentially resulting in user confusion about what is actually verified.

The state of the art for hashing and signing wheels has shifted from in-archive information to out-of-archive information presented on the index, such as the hashes and attestations in the simple repository API. Unlike the hashes in RECORD, tools such as pip and uv do validate index-provided hashes.

Both files are virtually unused. A GitHub search for path:**.dist-info/RECORD yields 635k results, path:**.dist-info/RECORD.jws has 8 distinct results, and path:**.dist-info/RECORD.p7s has zero results.
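To make the motivation concrete, the following script is an added example; it is not code from PEP 815, pip, uv or any build backend. It constructs a minimal wheel in memory from made-up sample files, verifies every RECORD entry (the in-archive check that pip and uv skip, and without which a signature over RECORD protects nothing), flags the RECORD.jws / RECORD.p7s files this PEP deprecates, and contrasts that with the whole-file sha256 that installers do compare against index-provided hashes. The helper names (build_wheel, audit_wheel, replace_file, index_hash), the fictitious "demo" package and the placeholder RECORD.jws content are all assumptions of the example.

```python
"""Audit a wheel's in-archive integrity data.

Added example for PEP 815; not code from the PEP, pip, uv or any build backend.
The wheel is constructed in memory from made-up sample files so it runs offline.
"""
import base64
import csv
import hashlib
import io
import zipfile
from typing import Dict, List, Optional

DEPRECATED_SIGNATURE_FILES = ("RECORD.jws", "RECORD.p7s")


def record_hash(data: bytes) -> str:
    """Hash in RECORD's own format: urlsafe base64 of sha256, '=' padding stripped."""
    digest = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_wheel(files: Dict[str, bytes], dist_info: str,
                extra: Optional[Dict[str, bytes]] = None) -> bytes:
    """Build a minimal wheel (constructed sample) with a correct RECORD. 'extra'
    members are written but deliberately not listed in RECORD, which is how
    RECORD.jws / RECORD.p7s were specified to appear."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        rows: List[List[str]] = []
        for name, data in files.items():
            zf.writestr(name, data)
            rows.append([name, record_hash(data), str(len(data))])
        record_name = f"{dist_info}/RECORD"
        rows.append([record_name, "", ""])  # RECORD lists itself without a hash
        out = io.StringIO()
        csv.writer(out, lineterminator="\n").writerows(rows)
        zf.writestr(record_name, out.getvalue())
        for name, data in (extra or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def audit_wheel(wheel_bytes: bytes) -> Dict[str, List[str]]:
    """Verify every RECORD entry (the check pip and uv do not perform) and report
    mismatched (missing or altered) files, members absent from RECORD other than
    the known signature files, and any deprecated signature files present."""
    result: Dict[str, List[str]] = {"mismatched": [], "unlisted": [],
                                    "deprecated_signature_files": []}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = set(zf.namelist())
        record_name = next(n for n in names if n.endswith(".dist-info/RECORD"))
        dist_info = record_name.rsplit("/", 1)[0]
        listed = set()
        for row in csv.reader(io.StringIO(zf.read(record_name).decode("utf-8"))):
            if not row:
                continue
            path, expected = row[0], row[1]
            listed.add(path)
            if path == record_name:
                continue  # RECORD cannot contain its own hash
            if path not in names or record_hash(zf.read(path)) != expected:
                result["mismatched"].append(path)
        for sig in DEPRECATED_SIGNATURE_FILES:
            if f"{dist_info}/{sig}" in names:
                result["deprecated_signature_files"].append(f"{dist_info}/{sig}")
        for name in sorted(names - listed):
            if name not in result["deprecated_signature_files"]:
                result["unlisted"].append(name)
    return result


def replace_file(wheel_bytes: bytes, name: str, new_data: bytes) -> bytes:
    """Rewrite the archive with one member replaced and RECORD left untouched,
    simulating post-build tampering that an installer ignoring RECORD never sees."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, data)
    return buf.getvalue()


def index_hash(wheel_bytes: bytes) -> str:
    """The out-of-archive check pip and uv do perform: sha256 of the whole file,
    compared against the hash the index publishes (or a --hash= pin)."""
    return hashlib.sha256(wheel_bytes).hexdigest()


# Constructed sample contents for a fictitious 'demo' package.
SAMPLE_FILES = {
    "demo/__init__.py": b"VERSION = '1.0'\n",
    "demo-1.0.dist-info/METADATA": b"Metadata-Version: 2.1\nName: demo\nVersion: 1.0\n",
    "demo-1.0.dist-info/WHEEL": b"Wheel-Version: 1.0\nGenerator: example\n",
}
DIST_INFO = "demo-1.0.dist-info"


def demo() -> Dict[str, Dict[str, List[str]]]:
    clean = build_wheel(SAMPLE_FILES, DIST_INFO)
    tampered = replace_file(clean, "demo/__init__.py", b"import os; os.system('id')\n")
    # Placeholder bytes standing in for a JWS; no real signature is produced here.
    signed = build_wheel(SAMPLE_FILES, DIST_INFO, extra={f"{DIST_INFO}/RECORD.jws": b"{}"})
    return {"clean": audit_wheel(clean), "tampered": audit_wheel(tampered),
            "signed": audit_wheel(signed)}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

The tampered wheel passes through an installer that ignores RECORD, and only the RECORD check (or the whole-file index hash) exposes it. An attacker who rewrites RECORD as well passes the audit too; that is exactly the gap a signature over RECORD was meant to close, and exactly why such a signature is worthless while no installer verifies RECORD in the first place.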
Specification

The RECORD.jws and RECORD.p7s files are deprecated, and the binary distribution format specification will be updated to reflect this. Build backends and other tools MUST NOT add these files to wheels. Installers SHOULD NOT attempt to verify them. As before, the two files remain excluded from RECORD (that is, RECORD does not list or hash them).

Backwards Compatibility

No build backend or installer that the authors are aware of requires any changes, since none of them supports these files beyond skipping them when processing the RECORD file. Any build backend that does currently write these files needs to deprecate and eventually remove that feature. For verifying provenance, users should refer to index-hosted attestations.

Security Implications

This PEP strengthens the security of the Python packaging ecosystem by reducing the divergence between the security features presented in the specification and the security features that tools actually support.

Copyright

This document is placed in the public domain or under the CC0-1.0-Universal license, whichever is more permissive.

Source: https://github.com/python/peps/blob/main/peps/pep-0815.rst
Last modified: 2026-02-04 08:41:37 GMT