Sigstore documentation doesn't have example for .sigstore bundles
#2285
Comments
|
Thanks for pinging me downstream! Adding an example of verifying using
I think I ran into the same thing -- I believe it's in a CMS somewhere, and @di has modified it in the past. |
|
It is indeed in the python.org CMS, which I have edit access to. |
|
There probably should also be refereences to sigstore on the Python Downloads page. I've opened a new issue about that. |
|
As a part of this work I'd like to backfill the existing crt/sig files with bundles for easier verification instructions. @woodruffw and I created this issue to track this functionality in sigstore-python: sigstore/sigstore-python#718 |
|
Created a task for back-filling Python releases from existing verification materials: #2300 |
|
Once bundles have been backfilled and the documentation updated we can remove the crt/sig generation from python/release-tools to match the default generation behavior from sigstore-python v2. |
|
Releases have been backfilled with bundles so I've updated the documentation to only reference verifying Sigstore bundles. We can now close this issue. |
Describe the bug
Follow-up from #2247, the examples on the Sigstore information page (https://python.org/download/sigstore) only references being able to verify
.crtand.sigfiles, where now new releases have a singular Sigstore bundle file.sigstorethat should be verified with--bundle <FILE>.Since there are releases out there with both flavors of verification material, we'll need to give the user instructions on which method to use based on which materials are available.
I was going to make the contribution to fix this myself, but I was unable to grep the
Sigstore Informationpage header anywhere in this project or under thepythonorg in GitHub. Maybe my search skills or GitHub is failing here somehow, but where is the source code for the page in question?The text was updated successfully, but these errors were encountered: