Open sbs2001 opened 10 months ago
Hello @sbs2001. Thank you for your feature request. We'll investigate it and reach out to you with our decision.
@dmitry-shibanov thanks!
This would be awesome to see; setup-python would be a great consumer of such information, since the number of users this action sees is likely astronomical. I've recently done an audit of existing Sigstore signatures and found them to be consistent as documented, and have backfilled .sigstore bundles to old versions to make adoption easier across a wide range of Python versions.
@dmitry-shibanov It would be great to see this implemented, I'm happy to provide guidance if needed.
Description:
Verify Sigstore signatures of Python releases at https://github.com/actions/python-versions
Python releases are signed via Sigstore. GitHub has also announced that it will increasingly adopt Sigstore.
Justification:
If we verify the signatures of the downloaded Python releases, supply chain security would be greatly improved.
Are you willing to submit a PR?
Yes! I would really love to do it.
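The verification step the request asks for, as an added example that is not code from actions/python-versions, actions/setup-python or the issue author. It assumes sigstore-python 2.x or later is installed (the `sigstore verify identity` subcommand with `--bundle`, `--cert-identity` and `--cert-oidc-issuer`), that the bundle sits beside the archive as `<archive>.sigstore`, and that the caller supplies the signer identity and OIDC issuer for the release series from the python.org Sigstore page. The function name and the filenames in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not the project's own code.
# Verifies a CPython release archive against its Sigstore bundle using the
# sigstore-python CLI (assumes sigstore-python 2.x: `sigstore verify identity`).
# Fails closed: a missing bundle, a missing tool or a failed verification all
# return non-zero, so a download step wrapped in this never silently skips the check.

verify_release() {
    archive=$1          # e.g. Python-3.12.0.tgz (assumed filename)
    identity=$2         # expected signer e-mail for this release series
    issuer=$3           # expected OIDC issuer for that identity
    bundle="${archive}.sigstore"

    if [ -z "$archive" ] || [ -z "$identity" ] || [ -z "$issuer" ]; then
        echo "usage: verify_release <archive> <cert-identity> <cert-oidc-issuer>" >&2
        return 2
    fi
    if [ ! -f "$archive" ]; then
        echo "missing archive: $archive" >&2
        return 1
    fi
    if [ ! -f "$bundle" ]; then
        # An unsigned release must be rejected, not tolerated.
        echo "missing Sigstore bundle: $bundle" >&2
        return 1
    fi

    # Prefer the installed `sigstore` entry point; fall back to the module form.
    if command -v sigstore >/dev/null 2>&1; then
        sigstore_cmd="sigstore"
    else
        sigstore_cmd="python3 -m sigstore"
    fi

    # Pin both identity and issuer: checking only that some valid Fulcio
    # certificate signed the artifact would accept any Sigstore user.
    $sigstore_cmd verify identity \
        --bundle "$bundle" \
        --cert-identity "$identity" \
        --cert-oidc-issuer "$issuer" \
        "$archive"
}

# Usage (identity/issuer pairs per release series are published at
# https://www.python.org/download/sigstore/ ; the values below are assumed
# placeholders, to be replaced from that page):
# verify_release Python-3.12.0.tgz release-manager@python.org https://accounts.google.com
```

The identity and issuer are deliberately parameters rather than constants: each CPython release series is signed by a different release manager, and a verifier that only checks the issuer, or only checks that the bundle parses, gives no supply-chain guarantee.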