PEP 761: Add notes for Cosign and offline verification (#4055)
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
parent
acf58098a1
commit
b0f655b890
peps
@ -207,9 +207,57 @@ During the `pre-PEP discussion <https://discuss.python.org/t/pre-pep-discussion-
there was a question of whether offline verification was supported by
there was a question of whether offline verification was supported by
Sigstore. Using a Sigstore bundle (:file:`.sigstore`) file, `Sigstore clients
Sigstore. Using a Sigstore bundle (:file:`.sigstore`) file, `Sigstore clients
support verifying the artifact completely offline <https://discuss.python.org/t/pre-pep-discussion-stop-providing-gpg-signatures-for-cpython-artifacts/65058/9>`_.
support verifying the artifact completely offline <https://discuss.python.org/t/pre-pep-discussion-stop-providing-gpg-signatures-for-cpython-artifacts/65058/9>`_.
When in offline mode, Sigstore can't verify whether a signature has been
revoked. This is a similar restriction to PGP key revocations not being
Using offline verification with Sigstore requires disabling root of trust
detectable during offline verification.
updates and "pinning" a root of trust in a file to use during verification.
Pinning a root of trust means signatures made after a *new* root of trust
is established would no longer be able to verify using a "pinned" previous
root of trust. New roots of trust are expected to be rare events, such as
when the root of trust is compromised, and in this case verifiers would
want signatures to fail to verify.
Offline verification also makes revocation checks impossible, but this
is similar to PGP's model where revocation of keys requires an online lookup.
Barring rare events like root of trust compromise, using offline verification
with Sigstore doesn't impose additional operations requirements to verifiers.
Support for a pre-compiled executable for verification
------------------------------------------------------
During discussion there were requests for a pre-compiled executable that could
be used for verifying Sigstore bundles without needing to either install
a Go build toolchain to build `sigstore-go <https://github.com/sigstore/sigstore-go>`_
from source or already have a working Python installation for
`sigstore-python <https://github.com/sigstore/sigstore-python/>`_.
`Cosign <https://github.com/sigstore/cosign/>`_ is another Sigstore project
that provides pre-compiled standalone binaries and supports verifying bundles
offline:
.. code-block::
# Download Cosign
wget https://github.com/sigstore/cosign/releases/download/v2.4.1/cosign-linux-amd64
# For offline verification, also need the Root of Trust. Can be grabbed
# from GitHub at: https://github.com/sigstore/root-signing/blob/main/targets/trusted_root.json
wget https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/targets/trusted_root.json
# Download CPython artifacts
wget https://www.python.org/ftp/python/3.13.0/Python-3.13.0.tgz
wget https://www.python.org/ftp/python/3.13.0/Python-3.13.0.tgz.sigstore
./cosign-linux-amd64 verify-blob \
--new-bundle-format \
--certificate-oidc-issuer 'https://accounts.google.com' \
--certificate-identity 'thomas@python.org' \
--bundle ./Python-3.13.0.tgz.sigstore \
# --offline and --trust-root optional for offline verification
--offline \
--trust-root ./trusted_root.json \
./Python-3.13.0.tgz
Copyright
Copyright
=========
=========
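Review bot: the added shell snippet fails when pasted as written, because the comment `# --offline and --trust-root optional for offline verification` sits between two backslash-continued lines: the trailing backslash on `--bundle ./Python-3.13.0.tgz.sigstore \` joins the comment onto the `verify-blob` command, the comment then consumes the rest of that logical line, and `--offline \` starts a second command that cannot run. Move the comment above `./cosign-linux-amd64 verify-blob \` and reword it, since `--offline` and `--trust-root` are what make the verification offline rather than being optional for it. Two smaller points: `.. code-block::` carries no language argument (`bash` or `console` would give the snippet highlighting), and downloading `trusted_root.json` from `refs/heads/main` of sigstore/root-signing at verification time tracks whatever that branch currently holds, which is not quite the "pinned" root of trust the new prose describes; referencing a specific commit or release of that file would match the text.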