python / release-tools

Scripts for making (C)Python releases
41 stars 34 forks source link

Add checkpoints to existing Sigstore bundles #161

Closed sethmlarson closed 2 months ago

sethmlarson commented 3 months ago

This is the second part of https://github.com/python/cpython/issues/122785, in addition to https://github.com/python/release-tools/pull/159.

In short, the bundles that Sigstore CLI v1.x was generating didn't include all the necessary information to be able to verify up to the current standards of a Sigstore CLI (both Python and Go's CLI don't like our old bundles) to the point of calling them malformed or maliciously modified:

[09:14:32] ERROR    An issue occurred while parsing the Sigstore bundle.                                                                                                                           errors.py:41                                                                                                                                                                                                               
                    The provided bundle is malformed and may have been modified maliciously.                                                                                                                                                                                                                                                                                                                                  
                    Additional context:                                                                                                                                                                                                                                                                                                                                                                                       
                    entry must contain inclusion proof, with checkpoint                                                                                                                                                                                                                                                                                                                                                       
                    For detailed error information, run sigstore with the `--verbose` flag. 

So we have a bunch of bundles without checkpoints on python.org/download. I pinged the Python Sigstore team and they're creating a subcommand to add the checkpoint to an existing Sigstore bundle without needing to re-sign every artifact.

In anticipation of that subcommand being available, I've generated the following script to fix and check all Sigstore bundles for CPython:

https://github.com/sethmlarson/migrate-cpython-sigstore-bundles

sethmlarson commented 3 months ago

Discovered that the 3.11.4 Sigstore bundles weren't signed correctly (the wrong identity provider was used, but the correct email for Pablo), so we'll have to fix that first before we can proceed, but the script is complete and has been tested locally.

sethmlarson commented 2 months ago

3.11.4 bundles are fixed, so now we can proceed. Will work with @JacobCoffee to migrate the bundles on the downloads server with the above script.

sethmlarson commented 2 months ago

Sigstore bundles have been migrated and are verifying properly now: