Closed sethmlarson closed 2 months ago
Discovered that the 3.11.4 Sigstore bundles weren't signed correctly (the wrong identity provider was used, but the correct email for Pablo), so we'll have to fix that first before we can proceed, but the script is complete and has been tested locally.
3.11.4 bundles are fixed, so now we can proceed. Will work with @JacobCoffee to migrate the bundles on the downloads server with the above script.
Sigstore bundles have been migrated and are verifying properly now:
This is the second part of https://github.com/python/cpython/issues/122785, in addition to https://github.com/python/release-tools/pull/159.
In short, the bundles that Sigstore CLI v1.x was generating didn't include all the necessary information to be able to verify up to the current standards of a Sigstore CLI (both Python and Go's CLI don't like our old bundles) to the point of calling them malformed or maliciously modified:
So we have a bunch of bundles without checkpoints on python.org/download. I pinged the Python Sigstore team and they're creating a subcommand to add the checkpoint to an existing Sigstore bundle without needing to re-sign every artifact.
In anticipation of that subcommand being available, I've generated the following script to fix and check all Sigstore bundles for CPython:
https://github.com/sethmlarson/migrate-cpython-sigstore-bundles
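As an added illustration of the "bundles without checkpoints" problem described above (this is editor-supplied example code, not the migration script in the linked repository and not part of the release-tools project), the following Python script inspects a Sigstore bundle and reports which transparency-log entries lack a signed checkpoint in their inclusion proof. It assumes the public Sigstore bundle JSON layout, where each entry under `verificationMaterial.tlogEntries` may carry an `inclusionProof` whose `checkpoint.envelope` holds the signed tree head; the two sample bundles, their media types and all hash/signature values are constructed placeholders, not real CPython bundles.

```python
"""Audit Sigstore bundles for transparency-log entries that lack a checkpoint.

Assumption (editor's example, not the project's code): bundles follow the
public Sigstore bundle JSON schema, in which a transparency-log entry's
inclusionProof.checkpoint.envelope carries the signed checkpoint that newer
Sigstore clients require before they will accept the entry.
"""
from __future__ import annotations

import json
from typing import Any

# Constructed sample: an older-style bundle whose single log entry has only an
# inclusion promise (SET) and no inclusion proof / checkpoint. Values are
# placeholders, not real hashes or signatures.
OLD_BUNDLE: dict[str, Any] = {
    "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1",
    "verificationMaterial": {
        "tlogEntries": [
            {
                "logIndex": "1",
                "inclusionPromise": {"signedEntryTimestamp": "PLACEHOLDER-SET"},
            }
        ]
    },
}

# Constructed sample: a newer-style bundle whose log entry carries an inclusion
# proof with a signed checkpoint envelope (placeholder content).
NEW_BUNDLE: dict[str, Any] = {
    "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.2",
    "verificationMaterial": {
        "tlogEntries": [
            {
                "logIndex": "2",
                "inclusionPromise": {"signedEntryTimestamp": "PLACEHOLDER-SET"},
                "inclusionProof": {
                    "logIndex": "2",
                    "rootHash": "PLACEHOLDER-ROOT-HASH",
                    "treeSize": "3",
                    "hashes": ["PLACEHOLDER-HASH"],
                    "checkpoint": {"envelope": "PLACEHOLDER-CHECKPOINT-ENVELOPE"},
                },
            }
        ]
    },
}


def tlog_entries(bundle: dict[str, Any]) -> list[dict[str, Any]]:
    """Return the transparency-log entries recorded in the bundle (may be empty)."""
    material = bundle.get("verificationMaterial") or {}
    return list(material.get("tlogEntries") or [])


def entry_has_checkpoint(entry: dict[str, Any]) -> bool:
    """True when the entry's inclusion proof carries a non-empty checkpoint envelope."""
    proof = entry.get("inclusionProof") or {}
    checkpoint = proof.get("checkpoint") or {}
    envelope = checkpoint.get("envelope")
    return isinstance(envelope, str) and envelope.strip() != ""


def audit_bundle(bundle: dict[str, Any]) -> dict[str, Any]:
    """Summarise checkpoint coverage; 'ok' is True only if every entry has one."""
    entries = tlog_entries(bundle)
    missing = [i for i, entry in enumerate(entries) if not entry_has_checkpoint(entry)]
    return {
        "media_type": bundle.get("mediaType"),
        "tlog_entries": len(entries),
        "missing_checkpoint": missing,
        "ok": bool(entries) and not missing,
    }


def audit_bundle_file(path: str) -> dict[str, Any]:
    """Load a .sigstore bundle from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_bundle(json.load(fh))


if __name__ == "__main__":
    # Demonstrate on the constructed samples; pass a path to audit a real file.
    import sys

    if len(sys.argv) > 1:
        print(json.dumps(audit_bundle_file(sys.argv[1]), indent=2))
    else:
        for name, sample in (("OLD_BUNDLE", OLD_BUNDLE), ("NEW_BUNDLE", NEW_BUNDLE)):
            print(name, json.dumps(audit_bundle(sample)))
```

Run it with the path to a downloaded `.sigstore` file to see whether that bundle would trip the "missing checkpoint" condition; a result with `ok: false` means the bundle needs the checkpoint added (or the artifact re-signed) before current Sigstore clients will verify it.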