PEP 815: Deprecate RECORD.jws and RECORD.p7s

Co-authored-by: William Woodruff <william@yossarian.net>

Author: konstin

.github/CODEOWNERS

@@ -688,6 +688,7 @@ peps/pep-0809.rst  @zooba
 peps/pep-0810.rst  @pablogsal @DinoV @Yhg1s
 peps/pep-0811.rst  @sethmlarson @gpshead
 peps/pep-0814.rst  @vstinner @corona10
+peps/pep-0815.rst  @konstin
 # ...
 peps/pep-2026.rst  @hugovk
 # ...

peps/pep-0815.rst

@@ -0,0 +1,70 @@
+PEP: 815
+Title: Deprecate ``RECORD.jws`` and ``RECORD.p7s``
+Author: Konstantin Schütze <konstin@mailbox.org>,
+        William Woodruff <william@yossarian.net>
+Sponsor: Emma Harper Smith <emma@python.org>
+PEP-Delegate: Paul Moore <p.f.moore@gmail.com>
+Status: Draft
+Type: Standards Track
+Topic: Packaging
+Created: 04-Dec-2025
+Post-History: `09-Jun-2025 <https://discuss.python.org/t/discouraging-deprecating-pep-427-style-signatures/94968>`__
+
+Abstract
+========
+
+This PEP deprecates the ``RECORD.jws`` and ``RECORD.p7s`` wheel signature
+files. Lack of support in tooling means that these virtually unused files do
+not provide the security they purport. Users looking for wheel signing should
+instead refer to
+:ref:`index hosted attestations <packaging:index-hosted-attestations>`.
+
+Motivation
+==========
+
+No major Python packaging tool supports generating or checking either
+``RECORD.jws`` or ``RECORD.p7s``. Notably, neither pip nor uv validate the
+hashes in ``RECORD``, a requirement for using signature files. The
+:ref:`binary distribution format <packaging:binary-distribution-format>`
+presents them as security features, potentially resulting in user confusion.
+
+The state of the art for hashing and signing wheels has shifted from
+in-archive information to out-of-archive information presented on the index,
+such as hashes and :ref:`attestations <packaging:index-hosted-attestations>`
+in the :ref:`simple repository API <packaging:simple-repository-api>`. Unlike
+the hashes in ``RECORD``, tools such as pip and uv validate index provided
+hashes.
+
+Both files are virtually unused. A GitHub search for ``path:**.dist-info/RECORD``
+yields 635k results, ``path:**.dist-info/RECORD.jws`` has 8 distinct results
+and ``path:**.dist-info/RECORD.p7s`` has zero results.
+
+Specification
+=============
+
+The ``RECORD.jws`` and ``RECORD.p7s`` files are deprecated, and the
+:ref:`binary distribution format <packaging:binary-distribution-format>` is
+updated to reflect this. Build backends and other tools must not add these
+files to wheels. Installers must not attempt to verify them, while they
+remain excluded from ``RECORD``.
+
+Backward Compatibility
+======================
+
+Known implementations require no changes, as they do not support these files
+beyond skipping them when processing the ``RECORD`` file. Users should refer
+to :ref:`index hosted attestations <packaging:index-hosted-attestations>` for
+signing archives.
+
+Security Implications
+=====================
+
+This PEP strengthens the security of the Python packaging ecosystem by
+reducing the divergence between security features presented in the
+specification and the security features supported by tools.
+
+Copyright
+=========
+
+This document is placed in the public domain or under the
+CC0-1.0-Universal license, whichever is more permissive.