Use sigstore for Python artifact verification (#303)

cdce8p · web-flow · commit 5fec57b76eb9 · 2025-06-10T17:05:49.000+02:00
* Use sigstore for Python artifact verification

* Fix dockerfile warning

* Install cosign 2.4.1 or later
diff --git a/python/3.11/Dockerfile b/python/3.11/Dockerfile
@@ -4,11 +4,12 @@ FROM $BUILD_FROM
 ARG \
     PYTHON_VERSION \
     PIP_VERSION \
-    GPG_KEY \
+    CERT_IDENTITY \
+    CERT_OIDC_ISSUER \
     QEMU_CPU
 
 # ensure local python is preferred over distribution python
-ENV PATH /usr/local/bin:$PATH
+ENV PATH=/usr/local/bin:$PATH
 
 # Set shell
 SHELL ["/bin/ash", "-o", "pipefail", "-c"]
@@ -17,19 +18,20 @@ COPY *.patch /usr/src/
 RUN set -ex \
     && export PYTHON_VERSION=${PYTHON_VERSION} \
     && apk add --no-cache --virtual .fetch-deps \
-        gnupg \
         openssl \
         tar \
         xz \
+    && apk add --no-cache --virtual .cosign cosign \
+        --repository="https://dl-cdn.alpinelinux.org/alpine/v3.21/community" \
     \
     && curl -L -o python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
-    && curl -L -o python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc" \
-    && export GNUPGHOME="$(mktemp -d)" \
-    && echo "disable-ipv6" >> "$GNUPGHOME/dirmngr.conf" \
-    && gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "${GPG_KEY}" \
-    && gpg --batch --verify python.tar.xz.asc python.tar.xz \
-    && { command -v gpgconf > /dev/null && gpgconf --kill all || :; } \
-    && rm -rf "$GNUPGHOME" python.tar.xz.asc \
+    && curl -L -o python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore" \
+    && cosign verify-blob \
+        --new-bundle-format \
+        --certificate-identity "${CERT_IDENTITY}" \
+        --certificate-oidc-issuer "${CERT_OIDC_ISSUER}" \
+        --bundle python.tar.xz.sigstore \
+        python.tar.xz \
     && mkdir -p /usr/src/python \
     && tar -xJC /usr/src/python --strip-components=1 -f python.tar.xz \
     && rm python.tar.xz \
@@ -63,7 +65,7 @@ RUN set -ex \
         zlib-dev \
         bluez-dev \
     # add build deps before removing fetch deps in case there's overlap
-    && apk del .fetch-deps \
+    && apk del .fetch-deps .cosign \
     \
     && for i in /usr/src/*.patch; do \
         patch -d /usr/src/python -p 1 < "${i}"; done \
diff --git a/python/3.11/build.yaml b/python/3.11/build.yaml
@@ -11,7 +11,8 @@ cosign:
 args:
   PYTHON_VERSION: 3.11.13
   PIP_VERSION: 25.1.1
-  GPG_KEY: A035C8C19219BA821ECEA86B64E628F8D684696D
+  CERT_IDENTITY: pablogsal@python.org
+  CERT_OIDC_ISSUER: https://accounts.google.com
 labels:
   io.hass.base.name: python
   org.opencontainers.image.source: https://github.com/home-assistant/docker-base
diff --git a/python/3.12/Dockerfile b/python/3.12/Dockerfile
@@ -4,11 +4,12 @@ FROM $BUILD_FROM
 ARG \
     PYTHON_VERSION \
     PIP_VERSION \
-    GPG_KEY \
+    CERT_IDENTITY \
+    CERT_OIDC_ISSUER \
     QEMU_CPU
 
 # ensure local python is preferred over distribution python
-ENV PATH /usr/local/bin:$PATH
+ENV PATH=/usr/local/bin:$PATH
 
 # Set shell
 SHELL ["/bin/ash", "-o", "pipefail", "-c"]
@@ -17,19 +18,20 @@ COPY *.patch /usr/src/
 RUN set -ex \
     && export PYTHON_VERSION=${PYTHON_VERSION} \
     && apk add --no-cache --virtual .fetch-deps \
-        gnupg \
         openssl \
         tar \
         xz \
+    && apk add --no-cache --virtual .cosign cosign \
+        --repository="https://dl-cdn.alpinelinux.org/alpine/v3.21/community" \
     \
     && curl -L -o python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
-    && curl -L -o python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc" \
-    && export GNUPGHOME="$(mktemp -d)" \
-    && echo "disable-ipv6" >> "$GNUPGHOME/dirmngr.conf" \
-    && gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "${GPG_KEY}" \
-    && gpg --batch --verify python.tar.xz.asc python.tar.xz \
-    && { command -v gpgconf > /dev/null && gpgconf --kill all || :; } \
-    && rm -rf "$GNUPGHOME" python.tar.xz.asc \
+    && curl -L -o python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore" \
+    && cosign verify-blob \
+        --new-bundle-format \
+        --certificate-identity "${CERT_IDENTITY}" \
+        --certificate-oidc-issuer "${CERT_OIDC_ISSUER}" \
+        --bundle python.tar.xz.sigstore \
+        python.tar.xz \
     && mkdir -p /usr/src/python \
     && tar -xJC /usr/src/python --strip-components=1 -f python.tar.xz \
     && rm python.tar.xz \
@@ -63,7 +65,7 @@ RUN set -ex \
         zlib-dev \
         bluez-dev \
     # add build deps before removing fetch deps in case there's overlap
-    && apk del .fetch-deps \
+    && apk del .fetch-deps .cosign \
     \
     && for i in /usr/src/*.patch; do \
         patch -d /usr/src/python -p 1 < "${i}"; done \
diff --git a/python/3.12/build.yaml b/python/3.12/build.yaml
@@ -11,7 +11,8 @@ cosign:
 args:
   PYTHON_VERSION: 3.12.11
   PIP_VERSION: 25.1.1
-  GPG_KEY: 7169605F62C751356D054A26A821E680E5FA6305
+  CERT_IDENTITY: thomas@python.org
+  CERT_OIDC_ISSUER: https://accounts.google.com
 labels:
   io.hass.base.name: python
   org.opencontainers.image.source: https://github.com/home-assistant/docker-base
diff --git a/python/3.13/Dockerfile b/python/3.13/Dockerfile
@@ -4,11 +4,12 @@ FROM $BUILD_FROM
 ARG \
     PYTHON_VERSION \
     PIP_VERSION \
-    GPG_KEY \
+    CERT_IDENTITY \
+    CERT_OIDC_ISSUER \
     QEMU_CPU
 
 # ensure local python is preferred over distribution python
-ENV PATH /usr/local/bin:$PATH
+ENV PATH=/usr/local/bin:$PATH
 
 # Set shell
 SHELL ["/bin/ash", "-o", "pipefail", "-c"]
@@ -17,19 +18,20 @@ COPY *.patch /usr/src/
 RUN set -ex \
     && export PYTHON_VERSION=${PYTHON_VERSION} \
     && apk add --no-cache --virtual .fetch-deps \
-        gnupg \
         openssl \
         tar \
         xz \
+    && apk add --no-cache --virtual .cosign cosign \
+        --repository="https://dl-cdn.alpinelinux.org/alpine/v3.21/community" \
     \
     && curl -L -o python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
-    && curl -L -o python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc" \
-    && export GNUPGHOME="$(mktemp -d)" \
-    && echo "disable-ipv6" >> "$GNUPGHOME/dirmngr.conf" \
-    && gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "${GPG_KEY}" \
-    && gpg --batch --verify python.tar.xz.asc python.tar.xz \
-    && { command -v gpgconf > /dev/null && gpgconf --kill all || :; } \
-    && rm -rf "$GNUPGHOME" python.tar.xz.asc \
+    && curl -L -o python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore" \
+    && cosign verify-blob \
+        --new-bundle-format \
+        --certificate-identity "${CERT_IDENTITY}" \
+        --certificate-oidc-issuer "${CERT_OIDC_ISSUER}" \
+        --bundle python.tar.xz.sigstore \
+        python.tar.xz \
     && mkdir -p /usr/src/python \
     && tar -xJC /usr/src/python --strip-components=1 -f python.tar.xz \
     && rm python.tar.xz \
@@ -63,7 +65,7 @@ RUN set -ex \
         zlib-dev \
         bluez-dev \
     # add build deps before removing fetch deps in case there's overlap
-    && apk del .fetch-deps \
+    && apk del .fetch-deps .cosign \
     \
     && for i in /usr/src/*.patch; do \
         patch -d /usr/src/python -p 1 < "${i}"; done \
diff --git a/python/3.13/build.yaml b/python/3.13/build.yaml
@@ -11,7 +11,8 @@ cosign:
 args:
   PYTHON_VERSION: 3.13.4
   PIP_VERSION: 25.1.1
-  GPG_KEY: 7169605F62C751356D054A26A821E680E5FA6305
+  CERT_IDENTITY: thomas@python.org
+  CERT_OIDC_ISSUER: https://accounts.google.com
 labels:
   io.hass.base.name: python
   org.opencontainers.image.source: https://github.com/home-assistant/docker-base
