python / pythondotorg

Source code for python.org
https://www.python.org
Apache License 2.0

Security information on the Downloads page needs to be updated to include sigstore and code signing info #2299

Open ned-deily opened 1 year ago

ned-deily commented 1 year ago

There is information related to user verification of Python release artifacts downloaded from python.org on the website Downloads page. Originally this info was about PGP keys and was later expanded to include a bit about macOS installer certificates. With the introduction of sigstore signing to releases, this section of the page should be renamed and updated to emphasize sigstore validation, de-emphasize PGP keys, and also include information about signing of Windows release artifacts.

(The current information is maintained in the python.org admin CMS in the downloads-pgp box in the Boxes section.)

ned-deily commented 1 year ago

I'm going to take the liberty of assigning this to @sethmlarson and cc the release managers @python/release-managers-in-development-maintenance-and-security-mode and @di.

zooba commented 4 weeks ago

When this gets updated, can we have the following (subject to any changes in later discussion) added for Windows:

(Updated for Azure Trusted Signing, which applies for all releases chronologically from 3.14.0a1)

Windows

The Windows installers and all binaries produced as part of each Python release are signed using an Authenticode signing certificate issued to the Python Software Foundation. This can be verified by viewing the properties of any executable file, looking at the Digital Signatures tab, and confirming the name of the signer. Our full certificate subject is CN = Python Software Foundation, O = Python Software Foundation, L = Beaverton, S = Oregon, C = US and as of 14th October 2024 the certificate authority is Microsoft Identity Verification Root Certificate Authority. Our previous certificates were issued by DigiCert.

Note that some executables may not be signed, notably, the default pip command. These are not built as part of Python, but are included from third-party libraries. Files that are intended to be modified before use cannot be signed and so will not have a signature.
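A scripted version of the check described in the comment above, as an added example that is not part of the issue or the pythondotorg project: it verifies the Authenticode signature on a downloaded python.org Windows artifact, compares the full signer subject, and confirms the chain ends at one of the two root CAs the comment names. The `-Path` parameter and the wildcard patterns used to match the root subjects are assumptions.

```powershell
# Added example (not from the issue or the pythondotorg project): verify the
# Authenticode signature on a downloaded Python Windows artifact and check that
# the signer subject matches the PSF certificate described in the comment above.
# The -Path parameter is an assumption; point it at any python.org Windows file.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# Subject string as shown in the Digital Signatures tab (the comment above
# writes it with spaces around "=", which the .NET Subject property omits).
$ExpectedSubject = 'CN=Python Software Foundation, O=Python Software Foundation, L=Beaverton, S=Oregon, C=US'

# Roots the comment names: Microsoft Identity Verification from 3.14.0a1 onward,
# DigiCert for earlier releases. Wildcard patterns are an assumption.
$AcceptedRootPatterns = @(
    'CN=Microsoft Identity Verification Root Certificate Authority*',
    'CN=DigiCert*'
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# Status must be Valid: this rejects hash mismatches, untrusted chains and
# unsigned files (e.g. the pip executable mentioned above reports NotSigned).
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for '$Path': $($sig.Status) - $($sig.StatusMessage)"
}

# Compare the whole subject, not just the CN, so a look-alike CN issued to a
# different organisation does not pass.
$subject = $sig.SignerCertificate.Subject
if ($subject -ne $ExpectedSubject) {
    throw "Unexpected signer on '$Path': $subject"
}

# Walk the chain to its root and confirm it is one of the CAs the comment names.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($sig.SignerCertificate)) {
    throw "Could not build a trusted chain for the signer of '$Path'"
}
$rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
$rootOk = $false
foreach ($pattern in $AcceptedRootPatterns) {
    if ($rootSubject -like $pattern) { $rootOk = $true }
}
if (-not $rootOk) {
    throw "Signer chains to an unexpected root: $rootSubject"
}

Write-Output "OK: '$Path' signed by $subject (root: $rootSubject)"
```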

zooba commented 3 weeks ago

FWIW, we're going to flip over to Azure Trusted Signing soon instead of DigiCert, which is going to impact the above text. I'll need a week or two to figure out exactly what it should say - ATS does things a bit differently from how signing certs have historically worked, and it'll need some explaining.

zooba commented 2 weeks ago

Updated the above proposed text for our new signer. Since it seems nobody has any comments, @ned-deily could you insert that into whatever database entry makes it appear on the site?

ned-deily commented 2 weeks ago

> Updated the above proposed text for our new signer. Since it seems nobody has any comments, @ned-deily could you insert that into whatever database entry makes it appear on the site?

I've added the proposed text. It could be prettified when the section is edited to remove the PGP information. I will leave that for someone else or later.