SNOW-1862674: update readme for signature verification (#2124)

sfc-gh-aling · web-flow · commit 343cc4bb5a11 · 2024-12-18T13:37:23.000-08:00
diff --git a/DESCRIPTION.md b/DESCRIPTION.md
@@ -11,6 +11,7 @@ Source code is also available at: https://github.com/snowflakedb/snowflake-conne
 - v3.12.5(TBD)
   - Added a feature to limit the sizes of IO-bound ThreadPoolExecutors during PUT and GET commands.
   - Adding support for the new PAT authentication method.
+ - Updated README.md to include instructions on how to verify package signatures using `cosign`.
 
 - v3.12.4(December 3,2024)
   - Fixed a bug where multipart uploads to Azure would be missing their MD5 hashes.
diff --git a/README.md b/README.md
@@ -82,6 +82,26 @@ conn = snowflake.connector.connect(
 conn.telemetry_enabled = False
 ```
 
+## Verifying Package Signatures
+
+To ensure the authenticity and integrity of the Python package, follow the steps below to verify the package signature using `cosign`.
+
+**Steps to verify the signature:**
+- Install cosign:
+  - This example is using golang installation: [installing-cosign-with-go](https://edu.chainguard.dev/open-source/sigstore/cosign/how-to-install-cosign/#installing-cosign-with-go)
+- Download the file from the repository like pypi:
+  - https://pypi.org/project/snowflake-connector-python/#files
+- Download the signature files from the release tag, replace the version number with the version you are verifying:
+  - https://github.com/snowflakedb/snowflake-connector-python/releases/tag/v3.12.2
+- Verify signature:
+  ````bash
+  # replace the version number with the version you are verifying
+  ./cosign verify-blob snowflake_connector_python-3.12.2.tar.gz \
+  --key snowflake-connector-python-v3.12.2.pub \
+  --signature resources.linux.snowflake_connector_python-3.12.2.tar.gz.sig
+
+  Verified OK
+  ````
 
 ## NOTE
 
