python / release-tools

Scripts for making (C)Python releases

Check the existence and version of Sigstore CLI #194

Closed sethmlarson closed 6 days ago

sethmlarson commented 1 week ago

Closes #179. The long-term solution is to do all the signing on the RM machine; this will do for now to catch fixable mistakes.

hugovk commented 1 week ago

Looks good, thanks.

Testing, first I uninstalled sigstore CLI from the server:

✅  Checking autoconf is available
✅  Validating ssh connection to downloads.nyc1.psf.io and docs.nyc1.psf.io
💥  Checking Sigstore CLI
Traceback (most recent call last):
  File "/Users/hugo/github/release-tools/run_release.py", line 1333, in <module>
    main()
  File "/Users/hugo/github/release-tools/run_release.py", line 1329, in main
    automata.run()
  File "/Users/hugo/github/release-tools/run_release.py", line 245, in run
    raise e from None
  File "/Users/hugo/github/release-tools/run_release.py", line 242, in run
    self.current_task(self.db)
  File "/Users/hugo/github/release-tools/release.py", line 126, in __call__
    return getattr(self, "function")(db)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/hugo/github/release-tools/run_release.py", line 327, in check_sigstore_client
    raise ReleaseException(
ReleaseException: Sigstore version not detected or not valid. Expecting 3.x:

Then installed sigstore<3 (2.1.5) on the server:

✅  Checking autoconf is available
✅  Validating ssh connection to downloads.nyc1.psf.io and docs.nyc1.psf.io
💥  Checking Sigstore CLI
Traceback (most recent call last):
  File "/Users/hugo/github/release-tools/run_release.py", line 1333, in <module>
    main()
  File "/Users/hugo/github/release-tools/run_release.py", line 1329, in main
    automata.run()
  File "/Users/hugo/github/release-tools/run_release.py", line 245, in run
    raise e from None
  File "/Users/hugo/github/release-tools/run_release.py", line 242, in run
    self.current_task(self.db)
  File "/Users/hugo/github/release-tools/release.py", line 126, in __call__
    return getattr(self, "function")(db)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/hugo/github/release-tools/run_release.py", line 327, in check_sigstore_client
    raise ReleaseException(
ReleaseException: Sigstore version not detected or not valid. Expecting 3.x: sigstore 2.1.5

Then installed sigstore==3.4.0 on the server:

✅  Checking autoconf is available
✅  Validating ssh connection to downloads.nyc1.psf.io and docs.nyc1.psf.io
✅  Checking Sigstore CLI

Re: https://github.com/python/release-tools/issues/177#issuecomment-2423292547: now that https://github.com/python/release-tools/pull/193 has been merged (to send Sigstore CLI verification to stdout, not stderr), is sigstore 3.x enough? And we don't need 3.5+?

sethmlarson commented 1 week ago

And we don't need 3.5+?

You're right, we should make sure it's up-to-date to avoid last-second issues. Let me make the version check handle that.
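The three outcomes hugovk tested above (CLI missing, CLI too old, CLI acceptable) and the follow-up about requiring 3.5+ can be captured in a small pre-release check like the one below. This is an added example, not the release-tools `check_sigstore_client` implementation: it assumes `sigstore --version` prints `sigstore X.Y.Z` (as seen in the traceback output) and uses 3.5 as the assumed minimum version.

```python
from __future__ import annotations

import re
import shutil
import subprocess

# Assumed minimum; the thread discusses 3.x and then asks about 3.5+.
MIN_SIGSTORE_VERSION = (3, 5)


class ReleaseException(Exception):
    """Raised when a pre-release check fails (same name as in the traceback)."""


def parse_sigstore_version(output: str) -> tuple[int, ...] | None:
    """Parse 'sigstore X.Y.Z' into an integer tuple.

    Returns None for empty or unrecognised output, which is what an
    uninstalled or misbehaving CLI produces.
    """
    match = re.fullmatch(r"sigstore\s+(\d+(?:\.\d+)*)\S*", output.strip())
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def validate_sigstore_version(output: str, minimum=MIN_SIGSTORE_VERSION) -> tuple[int, ...]:
    """Return the parsed version, or raise ReleaseException.

    The raw CLI output is attached to the message so the release manager
    sees exactly what was detected (e.g. 'sigstore 2.1.5', or nothing).
    """
    version = parse_sigstore_version(output)
    # Tuple comparison handles (3, 4, 0) < (3, 5) and (3, 5, 0) >= (3, 5).
    if version is None or version < minimum:
        expected = ".".join(str(p) for p in minimum)
        raise ReleaseException(
            f"Sigstore version not detected or not valid. Expecting {expected}+: {output.strip()}"
        )
    return version


def check_sigstore_client(minimum=MIN_SIGSTORE_VERSION) -> tuple[int, ...]:
    """Locate and run the installed CLI, then validate its version.

    A missing binary is reported through the same ReleaseException path
    (with empty output) instead of surfacing as a FileNotFoundError.
    """
    if shutil.which("sigstore") is None:
        return validate_sigstore_version("", minimum)
    proc = subprocess.run(["sigstore", "--version"], capture_output=True, text=True, check=False)
    # Accept the version string from either stream so the check is robust to CLI output changes.
    return validate_sigstore_version(proc.stdout or proc.stderr, minimum)
```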