Security information on the Downloads page needs to be updated to include sigstore and code signing info
There is information related to user verification of Python release artifacts downloaded from python.org on the website Downloads page. Originally this info was about PGP keys and was later expanded to include a bit about macOS installer certificates. With the introduction of sigstore signing to releases, this section of the page should be renamed and updated to emphasize sigstore validation, de-emphasize PGP keys, and also include information about signing of Windows release artifacts.
(The current information is maintained in the python.org admin CMS in the downloads-pgp box in the Boxes section.)
I'm going to take the liberty of assigning this to @sethmlarson and cc the release managers @python/release-managers-in-development-maintenance-and-security-mode and @di.
When this gets updated, can we have the following (subject to any changes in later discussion) added for Windows:
Windows
The Windows installers and all binaries produced as part of each Python release are signed using an Authenticode signing certificate issued to the Python Software Foundation. This can be verified by viewing the properties of any executable file, looking at the Digital Signatures tab, and confirming the name of the signer. The current certificate has a thumbprint of 36168ee17c1a240517388540c903bb6717dd2563.
Note that some executables may not be signed, notably, the default pip command. These are not built as part of Python, but are included from third-party libraries. Files that are intended to be modified before use cannot be signed and so will not have a signature.
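The manual check described in the Windows text above (properties dialog, Digital Signatures tab, signer name) can be scripted so that a whole install directory is checked at once. This is an added example, not text from the issue or from python.org; the install path and Python version in it are assumptions, and the thumbprint parameter is the value quoted in the comment above, which changes whenever the certificate does:

```powershell
function Test-PythonAuthenticode {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Thumbprint of the current PSF signing certificate as quoted above.
        [string] $ExpectedThumbprint = '36168ee17c1a240517388540c903bb6717dd2563'
    )
    # Thumbprints are hex; Windows displays them in upper case, so normalise.
    $expected = $ExpectedThumbprint.ToUpperInvariant()

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.pyd |
        ForEach-Object {
            $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert  = $sig.SignerCertificate
            $thumb = if ($cert) { $cert.Thumbprint.ToUpperInvariant() } else { '' }
            [pscustomobject]@{
                File    = $_.FullName
                Status  = $sig.Status               # Valid, NotSigned, HashMismatch, ...
                Signer  = if ($cert) { $cert.Subject } else { '' }
                # Only a chain-valid signature from the expected certificate counts;
                # a valid signature from some other signer is not good enough.
                Trusted = ($sig.Status -eq 'Valid') -and ($thumb -eq $expected)
            }
        }
}

# Assumed per-user install location; adjust the version and path for the machine.
$results = Test-PythonAuthenticode -Path "$env:LOCALAPPDATA\Programs\Python\Python312"

# NotSigned is expected for third-party launchers such as Scripts\pip.exe (see the
# note above); anything that is signed but not Trusted (HashMismatch, or a signer
# with a different thumbprint) is what deserves attention.
$results | Where-Object { -not $_.Trusted } |
    Sort-Object Status | Format-Table File, Status, Signer -AutoSize
```

Run it in PowerShell on the machine where Python is installed; an empty table means every checked binary carries a valid signature from the expected certificate.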
FWIW, we're going to flip over to Azure Trusted Signing soon instead of DigiCert, which is going to impact the above text. I'll need a week or two to figure out exactly what it should say - ATS does things a bit different from how signing certs have historically worked, and it'll need some explaining.