PEP 761: Add notes for Cosign and offline verification (#4055)
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
This commit is contained in:
parent
acf58098a1
commit
b0f655b890
@ -207,9 +207,57 @@ During the `pre-PEP discussion <https://discuss.python.org/t/pre-pep-discussion-
there was a question of whether offline verification was supported by
Sigstore. Using a Sigstore bundle (:file:`.sigstore`) file, `Sigstore clients
support verifying the artifact completely offline <https://discuss.python.org/t/pre-pep-discussion-stop-providing-gpg-signatures-for-cpython-artifacts/65058/9>`_.
When in offline mode, Sigstore can't verify whether a signature has been
revoked. This is a similar restriction to PGP key revocations not being
detectable during offline verification.
Using offline verification with Sigstore requires disabling root of trust
updates and "pinning" a root of trust in a file to use during verification.
Pinning a root of trust means signatures made after a *new* root of trust
is established would no longer be able to verify using a "pinned" previous
root of trust. New roots of trust are expected to be rare events, such as
when the root of trust is compromised, and in this case verifiers would
want signatures to fail to verify.
Offline verification also makes revocation checks impossible, but this
is similar to PGP's model where revocation of keys requires an online lookup.
Barring rare events like root of trust compromise, using offline verification
with Sigstore doesn't impose additional operations requirements to verifiers.
Support for a pre-compiled executable for verification
------------------------------------------------------
During discussion there were requests for a pre-compiled executable that could
be used for verifying Sigstore bundles without needing to either install
a Go build toolchain to build `sigstore-go <https://github.com/sigstore/sigstore-go>`_
from source or already have a working Python installation for
`sigstore-python <https://github.com/sigstore/sigstore-python/>`_.
`Cosign <https://github.com/sigstore/cosign/>`_ is another Sigstore project
that provides pre-compiled standalone binaries and supports verifying bundles
offline:
.. code-block::
# Download Cosign
wget https://github.com/sigstore/cosign/releases/download/v2.4.1/cosign-linux-amd64
# For offline verification, also need the Root of Trust. Can be grabbed
# from GitHub at: https://github.com/sigstore/root-signing/blob/main/targets/trusted_root.json
wget https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/targets/trusted_root.json
# Download CPython artifacts
wget https://www.python.org/ftp/python/3.13.0/Python-3.13.0.tgz
wget https://www.python.org/ftp/python/3.13.0/Python-3.13.0.tgz.sigstore
./cosign-linux-amd64 verify-blob \
--new-bundle-format \
--certificate-oidc-issuer 'https://accounts.google.com' \
--certificate-identity 'thomas@python.org' \
--bundle ./Python-3.13.0.tgz.sigstore \
# --offline and --trust-root optional for offline verification
--offline \
--trust-root ./trusted_root.json \
./Python-3.13.0.tgz
Copyright
=========
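Review bot: the inline comment in the `verify-blob` invocation (`# --offline and --trust-root optional for offline verification`) sits between two backslash-continued lines, so when the block is pasted into a shell the `\` at the end of the `--bundle ./Python-3.13.0.tgz.sigstore \` line joins the comment onto the command, the comment swallows its own trailing `\`, and `--offline \` then starts a new, separate command; move the comment above `./cosign-linux-amd64 verify-blob \` or drop it. The comment's wording also contradicts the paragraph above it: `--offline` and `--trust-root` are exactly what makes the verification offline, not optional extras, so say that both are required for offline mode. Two smaller points: the example fetches `trusted_root.json` from `refs/heads/main`, a moving target, while the section above says the root of trust is to be "pinned", so point at a tagged release of sigstore/root-signing (or say the file is obtained once and kept alongside the verifier) and note that this fetch itself needs network access; and the revocation caveat is stated twice ("When in offline mode, Sigstore can't verify whether a signature has been revoked..." and "Offline verification also makes revocation checks impossible..."), so one of the two paragraphs can go. Minor: `.. code-block::` would benefit from a `bash` language tag, and "doesn't impose additional operations requirements to verifiers" reads better as "doesn't impose additional operational requirements on verifiers".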