chore: more useful explanation

Signed-off-by: William Woodruff <[email protected]>
trailofbits · Nov 4, 2024 · efe43b2 · efe43b2
1 parent e946deb
commit efe43b2
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/index.html b/index.html
@@ -67,8 +67,12 @@ <h2 id="what-pep740">What is PEP 740?</h2>
                 </p>
                 <h2 id="what">What are attestations?</h2>
                 <p>
-                    Attestations are like PGP signatures, except designed to be verifiable by
-                    the index too! They're built on top of <a href="https://sigstore.dev">Sigstore</a>
+                    Attestations are digitally signed, publicly verifiable statements about Python
+                    packages, including their <em>provenance</em> (e.g., the exact source repository
+                    that produced them).
+                </p>
+                <p>
+                    Attestations are built on top of <a href="https://sigstore.dev">Sigstore</a>
                     and use short-lived signing keys bound to trusted identities
                     (like <a href="https://docs.pypi.org/trusted-publishers/">Trusted Publishers</a>),
                     making them misuse-resistant and less susceptible to key loss and theft.