Retroactive SHA256SUMS attestation.
This release was published to PyPI on 1.2.5's upload date but did not have a GitHub Release page at that time. This release page and its attached SHA256SUMS asset are a retroactive byte-level attestation — computed against PyPI's current bytes.
What this attestation proves:
- The SHA256 of the wheel and sdist on PyPI at the time of this attestation.
What it does not prove:
- Original-build provenance. If PyPI's bytes differ from what was built from the
v1.2.5commit at release time, this attestation certifies the former, not the latter. PyPI artifact immutability is the defense-in-depth that makes this attestation defensible; no known PyPI replace-in-place event has occurred for TokenPak.
PyPI status: live.
Install:
pip install tokenpak==1.2.5
Governance note:
Part of the F-18 one-time retroactive backfill — see known-findings.md and ~/vault/02_COMMAND_CENTER/tokenpak-release-governance/phase-2-status-tracker.md §3 for full rationale.