Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Incorrect information in https://www.python.org/download/sigstore/ #600

Closed
ned-deily opened this issue Apr 5, 2023 · 28 comments
Closed
Labels
bug Something isn't working

Comments

@ned-deily
Copy link

As requested on the web page, I am reporting issues with the page here, although long-term I think this page should be maintained by the Python release management team. One problem is that not all release managers use accounts.google.com as the cert-oidc-issuer so the directions given fail for 3.9, 3.8, and 3.7 releases at least. Also, the information about 3.7 releases is incorrect. Only the first sigstore signed 3.7 release was signed by [email protected]; all subsequent and future 3.7 release have been / will be signed by the 3.7 RM [email protected].

@ned-deily ned-deily added the bug Something isn't working label Apr 5, 2023
@woodruffw
Copy link
Member

woodruffw commented Apr 5, 2023

Thanks @ned-deily!

I think this falls under the discussion in #567 -- it's currently pretty easy for signers to sign with the "wrong" identity/issuer combination from a policy perspective, since sigstore-python itself (currently) has no way to limit which options are available during the federated OAuth flow.

Apart from fixing the documentation on https://python.org, we probably need a way for the sigstore CLI to accept more complex verification policies (e.g. of multiple identities ORed together). That functionality is present in the underlying sigstore-python APIs, but we don't currently have a clean way to expose it to the CLI.

@woodruffw woodruffw changed the title Incorrect information in https://www.python.org/download/sigstore/ Incorrect information in https://www.python.org/download/sigstore/ Apr 5, 2023
@di
Copy link
Member

di commented Apr 10, 2023

Thanks @ned-deily. We have a few options short term to get the docs up to date:

  • we make sure everyone uses the same IdP in the future and re-sign any release that isn't signed with the right identity -- this can include the 3.7 release that you didn't sign; or:
  • we update the verification steps to include a matrix of artifact x identity + IdP

I think I would prefer the first option because it would make the verification steps simpler for consumers, but this would be at the cost of some one-time work for the release managers. Curious for your thoughts!

@di
Copy link
Member

di commented Jul 13, 2023

Looping in @sethmlarson here, as he should probably be the primary owner of this page going forward.

(Also, sigstore/sig-clients#7 is likely relevant here as well.)

@sethmlarson
Copy link
Contributor

I went through all the Python releases and attempted Sigstore verification as is documented on the release page like so:

$ python -m sigstore verify identity \
  --certificate {filename}.crt \
  --signature {filename}.sig \
  --cert-identity {release_manager} \
  --cert-oidc-issuer https://accounts.google.com \
  {filename}

or

$ python -m sigstore verify identity \
  --bundle {filename}.sigstore \
  --cert-identity {release_manager} \
  --cert-oidc-issuer https://accounts.google.com \
  {filename}

Here are the results:

Artifact Method Documented RM Verified? Reason
Python-3.7.14.tar.xz .sig+.crt [email protected] FAIL Certificate's SANs do not match [email protected]; actual SANs: {'[email protected]'}
Python-3.7.14.tgz .sig+.crt [email protected] FAIL Certificate's SANs do not match [email protected]; actual SANs: {'[email protected]'}
Python-3.7.15.tar.xz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.7.15.tgz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.7.16.tar.xz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.7.16.tgz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.7.17.tar.xz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.7.17.tar.xz .sigstore [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.7.17.tgz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.7.17.tgz .sigstore [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.8.0a1.tar.xz N/A [email protected] N/A
Python-3.8.0a1.tgz N/A [email protected] N/A
Python-3.8.0a2.tar.xz N/A [email protected] N/A
Python-3.8.0a2.tgz N/A [email protected] N/A
Python-3.8.0a3.tar.xz N/A [email protected] N/A
Python-3.8.0a3.tgz N/A [email protected] N/A
Python-3.8.0a4.tar.xz N/A [email protected] N/A
Python-3.8.0a4.tgz N/A [email protected] N/A
Python-3.8.0b1.tar.xz N/A [email protected] N/A
Python-3.8.0b1.tgz N/A [email protected] N/A
Python-3.8.0b2.tar.xz N/A [email protected] N/A
Python-3.8.0b2.tgz N/A [email protected] N/A
Python-3.8.0b3.tar.xz N/A [email protected] N/A
Python-3.8.0b3.tgz N/A [email protected] N/A
Python-3.8.0b4.tar.xz N/A [email protected] N/A
Python-3.8.0b4.tgz N/A [email protected] N/A
Python-3.8.0rc1.tar.xz N/A [email protected] N/A
Python-3.8.0rc1.tgz N/A [email protected] N/A
Python-3.8.0.tar.xz N/A [email protected] N/A
Python-3.8.0.tgz N/A [email protected] N/A
Python-3.8.1rc1.tar.xz N/A [email protected] N/A
Python-3.8.1rc1.tgz N/A [email protected] N/A
Python-3.8.1.tar.xz N/A [email protected] N/A
Python-3.8.1.tgz N/A [email protected] N/A
Python-3.8.2rc1.tar.xz N/A [email protected] N/A
Python-3.8.2rc1.tgz N/A [email protected] N/A
Python-3.8.2rc2.tar.xz N/A [email protected] N/A
Python-3.8.2rc2.tgz N/A [email protected] N/A
Python-3.8.2.tar.xz N/A [email protected] N/A
Python-3.8.2.tgz N/A [email protected] N/A
Python-3.8.3rc1.tar.xz N/A [email protected] N/A
Python-3.8.3rc1.tgz N/A [email protected] N/A
Python-3.8.3.tar.xz N/A [email protected] N/A
Python-3.8.3.tgz N/A [email protected] N/A
Python-3.8.4rc1.tar.xz N/A [email protected] N/A
Python-3.8.4rc1.tgz N/A [email protected] N/A
Python-3.8.4.tar.xz N/A [email protected] N/A
Python-3.8.4.tgz N/A [email protected] N/A
Python-3.8.5.tar.xz N/A [email protected] N/A
Python-3.8.5.tgz N/A [email protected] N/A
Python-3.8.6rc1.tar.xz N/A [email protected] N/A
Python-3.8.6rc1.tgz N/A [email protected] N/A
Python-3.8.6.tar.xz N/A [email protected] N/A
Python-3.8.6.tgz N/A [email protected] N/A
Python-3.8.7rc1.tar.xz N/A [email protected] N/A
Python-3.8.7rc1.tgz N/A [email protected] N/A
Python-3.8.7.tar.xz N/A [email protected] N/A
Python-3.8.7.tgz N/A [email protected] N/A
Python-3.8.8rc1.tar.xz N/A [email protected] N/A
Python-3.8.8rc1.tgz N/A [email protected] N/A
Python-3.8.8.tar.xz N/A [email protected] N/A
Python-3.8.8.tgz N/A [email protected] N/A
Python-3.8.9.tar.xz N/A [email protected] N/A
Python-3.8.9.tgz N/A [email protected] N/A
Python-3.8.10.tar.xz N/A [email protected] N/A
Python-3.8.10.tgz N/A [email protected] N/A
Python-3.8.11.tar.xz N/A [email protected] N/A
Python-3.8.11.tgz N/A [email protected] N/A
Python-3.8.12.tar.xz N/A [email protected] N/A
Python-3.8.12.tgz N/A [email protected] N/A
Python-3.8.13.tar.xz N/A [email protected] N/A
Python-3.8.13.tgz N/A [email protected] N/A
Python-3.8.14.tar.xz N/A [email protected] N/A
Python-3.8.14.tgz N/A [email protected] N/A
Python-3.8.15.tar.xz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.8.15.tgz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.8.16.tar.xz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.8.16.tgz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.8.17.tar.xz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.8.17.tar.xz .sigstore [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.8.17.tgz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.8.17.tgz .sigstore [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.9.0a1.tar.xz N/A [email protected] N/A
Python-3.9.0a1.tgz N/A [email protected] N/A
Python-3.9.0a2.tar.xz N/A [email protected] N/A
Python-3.9.0a2.tgz N/A [email protected] N/A
Python-3.9.0a3.tar.xz N/A [email protected] N/A
Python-3.9.0a3.tgz N/A [email protected] N/A
Python-3.9.0a4.tar.xz N/A [email protected] N/A
Python-3.9.0a4.tgz N/A [email protected] N/A
Python-3.9.0a5.tar.xz N/A [email protected] N/A
Python-3.9.0a5.tgz N/A [email protected] N/A
Python-3.9.0a6.tar.xz N/A [email protected] N/A
Python-3.9.0a6.tgz N/A [email protected] N/A
Python-3.9.0b1.tar.xz N/A [email protected] N/A
Python-3.9.0b1.tgz N/A [email protected] N/A
Python-3.9.0b2.tar.xz N/A [email protected] N/A
Python-3.9.0b2.tgz N/A [email protected] N/A
Python-3.9.0b3.tar.xz N/A [email protected] N/A
Python-3.9.0b3.tgz N/A [email protected] N/A
Python-3.9.0b4.tar.xz N/A [email protected] N/A
Python-3.9.0b4.tgz N/A [email protected] N/A
Python-3.9.0b5.tar.xz N/A [email protected] N/A
Python-3.9.0b5.tgz N/A [email protected] N/A
Python-3.9.0rc1.tar.xz N/A [email protected] N/A
Python-3.9.0rc1.tgz N/A [email protected] N/A
Python-3.9.0rc2.tar.xz N/A [email protected] N/A
Python-3.9.0rc2.tgz N/A [email protected] N/A
Python-3.9.0.tar.xz N/A [email protected] N/A
Python-3.9.0.tgz N/A [email protected] N/A
Python-3.9.1rc1.tar.xz N/A [email protected] N/A
Python-3.9.1rc1.tgz N/A [email protected] N/A
Python-3.9.1.tar.xz N/A [email protected] N/A
Python-3.9.1.tgz N/A [email protected] N/A
Python-3.9.2rc1.tar.xz N/A [email protected] N/A
Python-3.9.2rc1.tgz N/A [email protected] N/A
Python-3.9.2.tar.xz N/A [email protected] N/A
Python-3.9.2.tgz N/A [email protected] N/A
Python-3.9.3.tar.xz N/A [email protected] N/A
Python-3.9.3.tgz N/A [email protected] N/A
Python-3.9.4.tar.xz N/A [email protected] N/A
Python-3.9.4.tgz N/A [email protected] N/A
Python-3.9.5.tar.xz N/A [email protected] N/A
Python-3.9.5.tgz N/A [email protected] N/A
Python-3.9.6.tar.xz N/A [email protected] N/A
Python-3.9.6.tgz N/A [email protected] N/A
Python-3.9.7.tar.xz N/A [email protected] N/A
Python-3.9.7.tgz N/A [email protected] N/A
Python-3.9.8.tar.xz N/A [email protected] N/A
Python-3.9.8.tgz N/A [email protected] N/A
Python-3.9.9.tar.xz N/A [email protected] N/A
Python-3.9.9.tgz N/A [email protected] N/A
Python-3.9.10.tar.xz N/A [email protected] N/A
Python-3.9.10.tgz N/A [email protected] N/A
Python-3.9.11.tar.xz N/A [email protected] N/A
Python-3.9.11.tgz N/A [email protected] N/A
Python-3.9.12.tar.xz N/A [email protected] N/A
Python-3.9.12.tgz N/A [email protected] N/A
Python-3.9.13.tar.xz N/A [email protected] N/A
Python-3.9.13.tgz N/A [email protected] N/A
Python-3.9.14.tar.xz N/A [email protected] N/A
Python-3.9.14.tgz N/A [email protected] N/A
Python-3.9.15.tar.xz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.9.15.tgz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.9.16.tar.xz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.9.16.tgz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.9.17.tar.xz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.9.17.tar.xz .sigstore [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.9.17.tgz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.9.17.tgz .sigstore [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.10.0a1.tar.xz N/A [email protected] N/A
Python-3.10.0a1.tgz N/A [email protected] N/A
Python-3.10.0a2.tar.xz N/A [email protected] N/A
Python-3.10.0a2.tgz N/A [email protected] N/A
Python-3.10.0a3.tar.xz N/A [email protected] N/A
Python-3.10.0a3.tgz N/A [email protected] N/A
Python-3.10.0a4.tar.xz N/A [email protected] N/A
Python-3.10.0a4.tgz N/A [email protected] N/A
Python-3.10.0a5.tar.xz N/A [email protected] N/A
Python-3.10.0a5.tgz N/A [email protected] N/A
Python-3.10.0a6.tar.xz N/A [email protected] N/A
Python-3.10.0a6.tgz N/A [email protected] N/A
Python-3.10.0a7.tar.xz N/A [email protected] N/A
Python-3.10.0a7.tgz N/A [email protected] N/A
Python-3.10.0b1.tar.xz N/A [email protected] N/A
Python-3.10.0b1.tgz N/A [email protected] N/A
Python-3.10.0b2.tar.xz N/A [email protected] N/A
Python-3.10.0b2.tgz N/A [email protected] N/A
Python-3.10.0b3.tar.xz N/A [email protected] N/A
Python-3.10.0b3.tgz N/A [email protected] N/A
Python-3.10.0b4.tar.xz N/A [email protected] N/A
Python-3.10.0b4.tgz N/A [email protected] N/A
Python-3.10.0rc1.tar.xz N/A [email protected] N/A
Python-3.10.0rc1.tgz N/A [email protected] N/A
Python-3.10.0rc2.tar.xz N/A [email protected] N/A
Python-3.10.0rc2.tgz N/A [email protected] N/A
Python-3.10.0.tar.xz N/A [email protected] N/A
Python-3.10.0.tgz N/A [email protected] N/A
Python-3.10.1.tar.xz .sig+.crt [email protected] PASS
Python-3.10.1.tar.xz .sigstore [email protected] PASS
Python-3.10.1.tgz .sig+.crt [email protected] PASS
Python-3.10.1.tgz .sigstore [email protected] PASS
Python-3.10.2.tar.xz N/A [email protected] N/A
Python-3.10.2.tgz N/A [email protected] N/A
Python-3.10.3.tar.xz N/A [email protected] N/A
Python-3.10.3.tgz N/A [email protected] N/A
Python-3.10.4.tar.xz N/A [email protected] N/A
Python-3.10.4.tgz N/A [email protected] N/A
Python-3.10.5.tar.xz N/A [email protected] N/A
Python-3.10.5.tgz N/A [email protected] N/A
Python-3.10.6.tar.xz N/A [email protected] N/A
Python-3.10.6.tgz N/A [email protected] N/A
Python-3.10.7.tar.xz .sig+.crt [email protected] PASS
Python-3.10.7.tgz .sig+.crt [email protected] PASS
Python-3.10.8.tar.xz .sig+.crt [email protected] PASS
Python-3.10.8.tgz .sig+.crt [email protected] PASS
Python-3.10.9.tar.xz .sig+.crt [email protected] PASS
Python-3.10.9.tgz .sig+.crt [email protected] PASS
Python-3.10.10.tar.xz .sig+.crt [email protected] PASS
Python-3.10.10.tgz .sig+.crt [email protected] PASS
Python-3.10.11.tar.xz .sig+.crt [email protected] PASS
Python-3.10.11.tar.xz .sigstore [email protected] PASS
Python-3.10.11.tgz .sig+.crt [email protected] PASS
Python-3.10.11.tgz .sigstore [email protected] PASS
Python-3.10.12.tar.xz .sig+.crt [email protected] PASS
Python-3.10.12.tar.xz .sigstore [email protected] PASS
Python-3.10.12.tgz .sig+.crt [email protected] PASS
Python-3.10.12.tgz .sigstore [email protected] PASS
Python-3.11.0a1.tar.xz N/A [email protected] N/A
Python-3.11.0a1.tgz N/A [email protected] N/A
Python-3.11.0a2.tar.xz N/A [email protected] N/A
Python-3.11.0a2.tgz N/A [email protected] N/A
Python-3.11.0a3.tar.xz N/A [email protected] N/A
Python-3.11.0a3.tgz N/A [email protected] N/A
Python-3.11.0a4.tar.xz N/A [email protected] N/A
Python-3.11.0a4.tgz N/A [email protected] N/A
Python-3.11.0a5.tar.xz N/A [email protected] N/A
Python-3.11.0a5.tgz N/A [email protected] N/A
Python-3.11.0a6.tar.xz N/A [email protected] N/A
Python-3.11.0a6.tgz N/A [email protected] N/A
Python-3.11.0a7.tar.xz N/A [email protected] N/A
Python-3.11.0a7.tgz N/A [email protected] N/A
Python-3.11.0b1.tar.xz N/A [email protected] N/A
Python-3.11.0b1.tgz N/A [email protected] N/A
Python-3.11.0b2.tar.xz N/A [email protected] N/A
Python-3.11.0b2.tgz N/A [email protected] N/A
Python-3.11.0b3.tar.xz N/A [email protected] N/A
Python-3.11.0b3.tgz N/A [email protected] N/A
Python-3.11.0b4.tar.xz N/A [email protected] N/A
Python-3.11.0b4.tgz N/A [email protected] N/A
Python-3.11.0b5.tar.xz N/A [email protected] N/A
Python-3.11.0b5.tgz N/A [email protected] N/A
Python-3.11.0rc1.tar.xz N/A [email protected] N/A
Python-3.11.0rc1.tgz N/A [email protected] N/A
Python-3.11.0rc2.tar.xz .sig+.crt [email protected] PASS
Python-3.11.0rc2.tgz .sig+.crt [email protected] PASS
Python-3.11.0.tar.xz .sig+.crt [email protected] PASS
Python-3.11.0.tgz .sig+.crt [email protected] PASS
Python-3.11.1.tar.xz .sig+.crt [email protected] PASS
Python-3.11.1.tgz .sig+.crt [email protected] PASS
Python-3.11.2.tar.xz .sig+.crt [email protected] PASS
Python-3.11.2.tgz .sig+.crt [email protected] PASS
Python-3.11.3.tar.xz .sig+.crt [email protected] PASS
Python-3.11.3.tar.xz .sigstore [email protected] PASS
Python-3.11.3.tgz .sig+.crt [email protected] PASS
Python-3.11.3.tgz .sigstore [email protected] PASS
Python-3.11.4.tar.xz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.11.4.tar.xz .sigstore [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.11.4.tgz .sig+.crt [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.11.4.tgz .sigstore [email protected] FAIL Certificate's OIDCIssuer does not match (got https://github.com/login/oauth, expected https://accounts.google.com)
Python-3.12.0a1.tar.xz .sig+.crt [email protected] PASS
Python-3.12.0a1.tgz .sig+.crt [email protected] PASS
Python-3.12.0a2.tar.xz .sig+.crt [email protected] PASS
Python-3.12.0a2.tgz .sig+.crt [email protected] PASS
Python-3.12.0a3.tar.xz .sig+.crt [email protected] PASS
Python-3.12.0a3.tgz .sig+.crt [email protected] PASS
Python-3.12.0a4.tar.xz .sig+.crt [email protected] PASS
Python-3.12.0a4.tgz .sig+.crt [email protected] PASS
Python-3.12.0a5.tar.xz .sig+.crt [email protected] PASS
Python-3.12.0a5.tgz .sig+.crt [email protected] PASS
Python-3.12.0a6.tar.xz .sig+.crt [email protected] PASS
Python-3.12.0a6.tgz .sig+.crt [email protected] PASS
Python-3.12.0a7.tar.xz .sig+.crt [email protected] PASS
Python-3.12.0a7.tar.xz .sigstore [email protected] PASS
Python-3.12.0a7.tgz .sig+.crt [email protected] PASS
Python-3.12.0a7.tgz .sigstore [email protected] PASS
Python-3.12.0b1.tar.xz .sig+.crt [email protected] PASS
Python-3.12.0b1.tar.xz .sigstore [email protected] PASS
Python-3.12.0b1.tgz .sig+.crt [email protected] PASS
Python-3.12.0b1.tgz .sigstore [email protected] PASS
Python-3.12.0b2.tar.xz .sig+.crt [email protected] PASS
Python-3.12.0b2.tar.xz .sigstore [email protected] PASS
Python-3.12.0b2.tgz .sig+.crt [email protected] PASS
Python-3.12.0b2.tgz .sigstore [email protected] PASS
Python-3.12.0b3.tar.xz .sig+.crt [email protected] PASS
Python-3.12.0b3.tar.xz .sigstore [email protected] PASS
Python-3.12.0b3.tgz .sig+.crt [email protected] PASS
Python-3.12.0b3.tgz .sigstore [email protected] PASS
Python-3.12.0b4.tar.xz .sig+.crt [email protected] PASS
Python-3.12.0b4.tar.xz .sigstore [email protected] PASS
Python-3.12.0b4.tgz .sig+.crt [email protected] PASS
Python-3.12.0b4.tgz .sigstore [email protected] PASS

Looking at the results I see a few things:

  • We're missing Sigstore signing for Python 3.10.0 and 3.10.2-3.10.6
  • We started signing pre-releases in 3.11.0rc2
  • Ned and Lukasz used GitHub for all signings, Pablo used GitHub for some signings

My questions for next steps are:

  • Should we always used Google IdP for Sigstore signing for python.org addresses (my thought is probably? Simplifies verification for users to only use one IdP)
  • Should we make a policy of signing pre-releases (My thought is yes)
  • What needs to be done for sigstore sig/crt/sigstore files be updated in-place at downloads.python.org for existing releases (assuming that's possible)? Probably some blog post so we have something official to point folks to when their signatures change?

@ned-deily
Copy link
Author

The other release managers (Thomas, Pablo, and Łukasz) should be part of this discussion since we have had some discussions about this at PyCon and on email. But I don't seem to be able to add them here.

@sethmlarson
Copy link
Contributor

cc @Yhg1s @pablogsal @ambv

@ned-deily
Copy link
Author

FWIW, I wasn't keen on adding yet another identity (the google.com one) to the release process since I was already using the GitHub identity elsewhere. And the 3.7.14 signing by Pablo was a one-time expediting action; the artifacts could be re-signed.

@sethmlarson
Copy link
Contributor

sethmlarson commented Jul 14, 2023

Since Python 3.7 is EOL at this point too, there's an additional decision about whether we want to touch those releases at all anymore?

If we decided to only rollout fixes for 3.8 and beyond the concrete steps per person would look like this (assuming we do want to use accounts.google.com uniformly as our IdP):

  • @ambv: Resign all the releases (6 total) with the Google IdP
  • @pablogsal: Resign 3.11.4 with the Google IdP

Then I would take it as an action to add a verification step to python/release-tools to verify that the signatures work as we're documenting on the release page. If we decide to go this way I can put together a short script for both @ambv and @pablogsal to download, hash, and then resign and they can ship back the resulting signatures to me to be published all at once. If we do want to fix the signatures for 3.7 I can also create a script for you @ned-deily to run on the relevant releases.

While this is happening I can prepare the communications announcing this fix to release signatures.

@di
Copy link
Member

di commented Jul 14, 2023

Should we always used Google IdP for Sigstore signing for python.org addresses (my thought is probably? Simplifies verification for users to only use one IdP)

Note that now that #567 is resolved, we can enforce the IdP at signing time, but sounds like exclusively using the Google IdP is a non-starter for @ned-deily IIUC.

Until sigstore/sig-clients#7 is resolved, and there is a way for clients to define a policy for what (identity, issuer) pair is valid, I think the best we can do is provide a table of (identity, issuer) pairs for all signers.

One alternative that was discussed was creating a new, shared identity between all the release managers (this could be on any of the identity providers) so verification is simplified, and this doesn't require individual release managers to sign.

@sethmlarson
Copy link
Contributor

I think the best we can do is provide a table of (identity, issuer) pairs for all signers.

Happy to go this route too, for this case we'd have 3.7.14 resigned by @ned-deily and (3.10.0, 3.10.2-3.10.6, and 3.11.4) signed by @pablogsal with Google IdP (assuming you want to use Google going forward Pablo). Can capture these in the release-tool just as well.

@pablogsal
Copy link

(assuming you want to use Google going forward Pablo)

Yup. This is the one I have always used. I am a bit surprised there are mismatches here because I have always used the google one with [email protected]

@ned-deily
Copy link
Author

I've regenerated the sigstore files for 3.7.14 to use [email protected] and GitHub like subsequent 3.7.x releases and added a note to the 3.7.14 release page that the sigstore files were updated today while the release tarballs were unchanged.

@sethmlarson
Copy link
Contributor

Thanks @ned-deily! @pablogsal if you can resign the releases I noted with the Google IdP I can update the table for the sigstore page with identity providers for each RM.

@pablogsal
Copy link

I have re-signed Python 3.11.4 as requested. Can you check that everything looks good?

@sethmlarson
Copy link
Contributor

@pablogsal I'm not seeing the updated .sig,.crt, and .sigstore files available on downloads.python.org, have you provided them through a different means?

@pablogsal
Copy link

I think we need to purge the CDN cache

@pablogsal
Copy link

I think I successfully purged the cache, can you take another look? I am basically running:

curl -X PURGE https://www.python.org/ftp/python/3.11.4/Python-3.11.4.tgz.asc

@sethmlarson
Copy link
Contributor

Also noting here that I noticed that the 3.8.14 and 3.9.14 signature and certificate files weren't available for download due to permission errors, @ambv has fixed this issue and I've verified that those files are now available.

@ned-deily I'm seeing a signature verification error for Python-3.7.14.tgz when verifying with .sig and .crt (the .sigstore bundle appears to work just fine). I'll dig into the issue more.

@pablogsal I'm seeing updated files for the .sigstore bundles but not for the .sig and .crt files:

Old:

$ sha256sum downloads-old/Python-3.11.4*{crt,sig,sigstore}

aa32ba9bb10e6e49abf516ae72c218fcfcb39d966280277ebbe91591d341c41a  downloads-old/Python-3.11.4.tar.xz.crt
a479a739ed25fa50ceeb80757082eb9c9a1dc241fa8168e4278de690b0bb3c0e  downloads-old/Python-3.11.4.tgz.crt
872e8038810dd6781944e3242bb3ddb5e02a55bd6a0cc700449d6f72b0216824  downloads-old/Python-3.11.4.tar.xz.sig
2a364beee10534729ac0859ef9bbc6ad2fec030f246b32b341e0fd832deee7a6  downloads-old/Python-3.11.4.tgz.sig
5ffe1b7e8c4561fbac1900139054e91748f0f54bb376af1c14b0de7d71819225  downloads-old/Python-3.11.4.tar.xz.sigstore
549e12b7ee26dbffdba2bed9b7c8c72535094a98f9f17f7d4635a1bb1b684784  downloads-old/Python-3.11.4.tgz.sigstore

New:

$ sha256sum downloads/Python-3.11.4*{crt,sig,sigstore}

aa32ba9bb10e6e49abf516ae72c218fcfcb39d966280277ebbe91591d341c41a  downloads/Python-3.11.4.tar.xz.crt
a479a739ed25fa50ceeb80757082eb9c9a1dc241fa8168e4278de690b0bb3c0e  downloads/Python-3.11.4.tgz.crt
872e8038810dd6781944e3242bb3ddb5e02a55bd6a0cc700449d6f72b0216824  downloads/Python-3.11.4.tar.xz.sig
2a364beee10534729ac0859ef9bbc6ad2fec030f246b32b341e0fd832deee7a6  downloads/Python-3.11.4.tgz.sig
89e24ae09f9eeb2728dadac20606e42140e13902599e4356287585281906b746  downloads/Python-3.11.4.tar.xz.sigstore
bbc79df4f88917ebac945492ede002f376daab43c41052db490d2d3b42e38f52  downloads/Python-3.11.4.tgz.sigstore

@pablogsal
Copy link

Hummmm, I think I have done it correctly now:

ebb296017190267738003694a7b7a020da285624849d25eb6ba57897b66c48c6  Python-3.11.4.tar.xz.crt
82d6eee7e0f2251bdd1729488e983508844886801a3301db59f9c4a78f1ab9aa  Python-3.11.4.tgz.crt
ad18286a56ab6ec44a5e9ef14c5d93847a0fe3b097908bc0fa3e2530762cf1e4  Python-3.11.4.tar.xz.sig
ed054f85e43f28886c509673139b26490d90e8c4f422a51796d8f1ae5bf89267  Python-3.11.4.tgz.sig
89e24ae09f9eeb2728dadac20606e42140e13902599e4356287585281906b746  Python-3.11.4.tar.xz.sigstore
bbc79df4f88917ebac945492ede002f376daab43c41052db490d2d3b42e38f52  Python-3.11.4.tgz.sigstore

@ned-deily
Copy link
Author

I'm seeing a signature verification error for Python-3.7.14.tgz when verifying with .sig and .crt (the .sigstore bundle appears to work just fine). I'll dig into the issue more.

@sethmlarson, I believe that was due to a CDN caching issue: the old files weren't purged during the update and I didn't bother testing the old-style .crt and .sig files, just the newer .sigstore bundle. If you try again, it should be OK now. Sorry about that!

@sethmlarson
Copy link
Contributor

@ned-deily That makes total sense, I've redownloaded the files again and indeed they're working now :) Thank you much!

@sethmlarson
Copy link
Contributor

sethmlarson commented Jul 17, 2023

Okay, I've verified both @ned-deily and @pablogsal's signatures and they are all in order. I've published all the data to this GitHub repository and you can see the delta I observed for today at this commit.

The last outstanding item is that @ambv's certificates are using the identity [email protected]. I myself wasn't able to find an option for specifying a specific identity using GitHub, it seems to always use the primary email address on the account. Maybe @di or @woodruffw have run into this and know a solution already, otherwise I'll ask around.

@di
Copy link
Member

di commented Jul 17, 2023

I myself wasn't able to find an option for specifying a specific identity using GitHub, it seems to always use the primary email address on the account. Maybe @di or @woodruffw have run into this and know a solution already, otherwise I'll ask around.

There is no such option and this is the major downside of using GitHub as the IdP.

@sethmlarson
Copy link
Contributor

I've created a PR for release-tools that will keep the release manager identity+provider combinations consistent for now: python/release-tools#51

There is no such option and this is the major downside of using GitHub as the IdP.

That's unfortunate, @ambv we can discuss options once you've returned from EuroPython.

@woodruffw
Copy link
Member

woodruffw commented Jul 17, 2023

There is no such option and this is the major downside of using GitHub as the IdP.

Yep -- ideally GitHub would use a "username" identity type here rather than returning the primary email associated with the account, but I suspect that they can't do that with their primary IdP without breaking a whole bunch of stuff...

@sethmlarson
Copy link
Contributor

@ambv Has updated the Sigstore documentation page with the correct identity and provider, we decided against resigning the artifacts because @ambv's @python.org email address is an alias so we can't use the Google IdP.

@sethmlarson
Copy link
Contributor

@ambv and I merged, tested and fixed the PR which enforces the historical (identity X provider) combination on signed release artifacts so now future releases are guaranteed to have the correct configuration. Thanks @ambv! I believe this issue can now be closed.

@woodruffw
Copy link
Member

Glad to hear it! Closing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

5 participants