
Do Sigstore Verification For Python TarBall

Open sbs2001 opened this issue 2 years ago • 3 comments

Description:

Verify sigstore signatures of python releases at https://github.com/actions/python-versions

Python releases are signed via Sigstore. GitHub has also announced that it will increasingly adopt Sigstore.

Justification:

If we verify the signatures for the downloaded python releases, the supply chain security would be greatly improved.

Are you willing to submit a PR?

Yes! I would really love to do it.

sbs2001 avatar Nov 12 '23 06:11 sbs2001

Hello @sbs2001. Thank you for your feature request. We'll investigate it and reach out to you with our decision.

dmitry-shibanov avatar Nov 13 '23 09:11 dmitry-shibanov

@dmitry-shibanov thanks!

sbs2001 avatar Nov 16 '23 12:11 sbs2001

This would be awesome to see, setup-python would be a great consumer of such information since the number of users this action sees is likely astronomical. I've recently done an audit of existing Sigstore signatures and found them to be consistent as documented and have backfilled .sigstore bundles to old versions to make adoption easier across a wide range of Python versions.

@dmitry-shibanov It would be great to see this implemented, I'm happy to provide guidance if needed.

sethmlarson avatar Nov 21 '23 19:11 sethmlarson
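The check this issue asks setup-python to perform, written out as an added shell example (not code from setup-python, python-versions or any commenter): URL helpers for a CPython tarball and its `.sigstore` bundle, plus a fail-closed wrapper around the sigstore-python CLI. The python.org URL layout, the signer identity and the OIDC issuer are assumptions; the last two are placeholders to replace with the release manager's published values for that Python series.

```shell
#!/usr/bin/env sh
# Added example, not code from setup-python or python-versions: verify a
# CPython source tarball against its Sigstore bundle before using it.
# Assumptions (not taken from the issue): the python.org URL layout below,
# and the signer identity / OIDC issuer, which are placeholders that must be
# replaced with the release manager's published identity for that series.
set -eu

PYTHON_FTP="https://www.python.org/ftp/python"   # assumed release layout

# URL of the source tarball for a version string such as 3.12.0
tarball_url() {
  printf '%s/%s/Python-%s.tgz\n' "$PYTHON_FTP" "$1" "$1"
}

# URL of the matching Sigstore bundle (tarball name with .sigstore appended)
bundle_url() {
  printf '%s.sigstore\n' "$(tarball_url "$1")"
}

# Verify a downloaded tarball with the sigstore-python CLI.
# Fails closed: a missing bundle is a verification failure (exit 2),
# never "unsigned, carry on"; a bad signature surfaces as sigstore's own
# non-zero exit status.
#   $1 tarball path   $2 bundle path
#   $3 expected signer identity   $4 expected OIDC issuer
verify_tarball() {
  tarball="$1"; bundle="$2"; identity="$3"; issuer="$4"
  [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 2; }
  [ -f "$bundle" ]  || { echo "missing Sigstore bundle: $bundle" >&2; return 2; }
  python -m sigstore verify identity \
    --bundle "$bundle" \
    --cert-identity "$identity" \
    --cert-oidc-issuer "$issuer" \
    "$tarball"
}

# Usage (needs network access and `pip install sigstore`):
#   v=3.12.0
#   curl -fsSLO "$(tarball_url "$v")" && curl -fsSLO "$(bundle_url "$v")"
#   verify_tarball "Python-$v.tgz" "Python-$v.tgz.sigstore" \
#       RELEASE_MANAGER_IDENTITY_PLACEHOLDER OIDC_ISSUER_PLACEHOLDER
```

Wiring this into the action means treating a missing or failing verification as a hard error for the download step rather than a warning, since the backfilled bundles mentioned above make the "no bundle available" case the exception rather than the norm.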