Use GitHub's new artifact attestation tools to put signatures in sigstore? #160

@Mr0grog

GitHub recently released some fancy new “artifact attestation” actions that integrate with sigstore: https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/

If I understand correctly, these go into Sigstore’s public transparency log (since we are a public and not private project), which gives us nice, verifiable signatures for our sdists and wheels. (GitHub’s post talks about using the gh GitHub client to verify signatures, but again, IIUC, we should also be able to use cosign or other verifiers, too — this doesn’t seem super worthwhile if those don’t also work.)

There is also sigstore/gh-action-sigstore-python as documented over at PyPA: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#signing-the-distribution-packages. I suspect the new GitHub thing will probably include some more valuable metadata or add new stuff to the GitHub UI, but it’s also possible these are completely equivalent for the [public] use case.

Seems worth implementing, or at least investigating further, since it looks pretty simple to do.
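As an added illustration of what the issue proposes (this is example code, not a workflow from the issue or from this repository): a GitHub Actions release workflow that builds the sdist and wheel, records a build-provenance attestation for each file in `dist/` with GitHub's `actions/attest-build-provenance` action, and then verifies the result with `gh attestation verify`. It assumes the project builds with `python -m build` and that publishing to PyPI is a separate step not shown here.

```yaml
# Added example (not from the issue or the project): a release workflow that
# builds the sdist and wheel, records a build-provenance attestation for each
# file in dist/ via GitHub's attestation action (signed through Sigstore and,
# for a public repository, logged in the public transparency log), and
# then checks the result with `gh attestation verify`.
# Assumptions: the project builds with `python -m build`; publishing to PyPI
# is a separate step not shown here.
name: release

on:
  push:
    tags: ["v*"]

permissions:
  contents: read        # checkout only
  id-token: write       # needed to obtain the OIDC token Sigstore signs against
  attestations: write   # needed to store the attestation on GitHub

jobs:
  build-and-attest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build   # writes dist/*.tar.gz and dist/*.whl

      # One attestation per file matched by subject-path.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/*

      # Consumer-side check: gh fetches the attestation from GitHub and verifies
      # the Sigstore signature and that the signing workflow belongs to this owner.
      - name: Verify the attestations
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          for f in dist/*; do
            gh attestation verify "$f" --owner "${{ github.repository_owner }}"
          done
```

A downstream user can run the same `gh attestation verify <file> --owner <owner>` command against a downloaded sdist or wheel, which is the check the issue is after.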
