Pip has a new tool called pip audit. It's not part of pip right now, and there's some discussion about whether it should be or not. The upcoming pith on three 11 release is going to start signing with six toras as well. We built a python clint so you can tipoeol six store and then sign, verify, do whatever from there.