Description
Issue Kind
Brand new capability
Description
PEP 770 introduces a standardized way for Python packages to include Software Bill of Materials (SBOM) data inside wheel distributions, specifically within a new .dist-info/sboms/ directory.
This improves measurability, supply-chain transparency, and vulnerability analysis across the Python ecosystem. PEP 770 was accepted in April 2025 and is now part of the official Python packaging standards.
To align Poetry with the PEP 770 standard, this proposal requests that Poetry provide a simple mechanism in pyproject.toml (please read: https://sethmlarson.dev/visualizing-the-python-package-sbom-data-flow#how-sbom-data-will-be-included-in-python-packages) to attach pre-generated SBOM files to the built wheel.
Impact
Supporting PEP 770 allows Poetry to:
Strengthen supply-chain security
Enable modern compliance workflows
Improve compatibility with emerging SBOM scanning tools
Stay aligned with Python’s official packaging standards
Workarounds
Use auditwheel to patch built wheels:
https://sethmlarson.dev/early-promising-results-with-sboms-and-python-packages
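As an added illustration of the wheel layout the description refers to (example code written for this issue page, not Poetry's or auditwheel's own code), the script below constructs a minimal wheel carrying a CycloneDX SBOM under .dist-info/sboms/ and then verifies each SBOM file against its RECORD hash before trusting its contents, which is the check a consumer of such wheels would want. The package name, file names and SBOM contents are constructed sample values.

```python
import base64
import hashlib
import io
import json
import zipfile

# Constructed sample: a minimal CycloneDX document for a bundled native library.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"type": "library", "name": "libexample", "version": "1.2.3"}],
}).encode()

def _record_hash(data: bytes) -> str:
    # RECORD stores sha256 as unpadded urlsafe base64, as the wheel spec requires.
    digest = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_sample_wheel() -> bytes:
    """Build an in-memory wheel with one SBOM under .dist-info/sboms/ (constructed)."""
    dist_info = "example-1.2.3.dist-info"
    files = {
        "example/__init__.py": b"",
        f"{dist_info}/sboms/libexample.cdx.json": SBOM_JSON,
    }
    record = "".join(f"{p},{_record_hash(d)},{len(d)}\n" for p, d in files.items())
    record += f"{dist_info}/RECORD,,\n"  # RECORD never hashes itself
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in files.items():
            zf.writestr(path, data)
        zf.writestr(f"{dist_info}/RECORD", record)
    return buf.getvalue()

def verify_wheel_sboms(wheel_bytes: bytes) -> dict:
    """Return {path: parsed SBOM} for each .dist-info/sboms/ file whose RECORD hash matches."""
    zf = zipfile.ZipFile(io.BytesIO(wheel_bytes))
    record_path = next(n for n in zf.namelist() if n.endswith(".dist-info/RECORD"))
    expected = {}
    for line in zf.read(record_path).decode().splitlines():
        path, digest, _size = line.split(",")
        expected[path] = digest
    sboms = {}
    for name in zf.namelist():
        parts = name.split("/")
        if len(parts) < 3 or not parts[0].endswith(".dist-info") or parts[1] != "sboms":
            continue
        data = zf.read(name)
        if expected.get(name) != _record_hash(data):
            raise ValueError(f"RECORD hash mismatch for {name}: refusing to trust SBOM")
        sboms[name] = json.loads(data)
    return sboms
```

An SBOM entry missing from RECORD, or altered after RECORD was written, raises instead of being reported, so scanners built on this check only ever see SBOMs that match the wheel's own manifest.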